Security flaws discovered in open-source databases
May 19, 2004
Flaws in two popular source-code database applications could allow attackers to access and corrupt open-source software projects, a security researcher said on Wednesday.
One vulnerability affects the Concurrent Versions System (CVS), an application used by many developers to store program code. The other flaw affects a newer, less widely used system known as Subversion, Stefan Esser, the researcher who discovered the security holes, said.
The CVS software, in particular, is run by many large open-source projects to create servers that maintain the versions of a program under development. Groups developing the Gnome and KDE Linux desktops, the Apache Web server and large Linux distributions are among those that use servers with the source-code databases.
These groups were notified of the security issues earlier in May and have already installed patches, said Esser, who is the chief security and technology officer at e-Matters, a German software company.
"The really big projects usually use CVS...servers just as a distribution channel," Esser stated in an e-mail interview, noting that the servers used by developers to hold code are only accessible through a secured connection. "Lots of smaller open-source projects are, however, running their development on vulnerable servers," he added.
The flaw in CVS, which is more widespread than Subversion, affects all versions of the software released before May 19, according to an alert sent out by Esser. The vulnerability, technically known as a "heap overflow," occurs because data from the system's users is not vetted carefully enough. The CVS Project and major Linux and BSD distributions have posted advisories on the issue.
The hole in Subversion, a rewrite of the CVS application, is much easier to take advantage of, Esser said. That vulnerability is caused by an error in the way the code parses dates. It could be exploited to allow "remote code execution on Subversion servers and therefore could lead to a repository compromise," according to Esser's advisory.
"The CVS flaw is several levels harder to abuse," Esser said. The source-code database holes aren't the first to cause developers some worry. Last year, a vulnerability in CVS software opened up development servers to attacks by allowing an intruder to raise his or her level of privilege. The flaw led to some compromises.
Attackers have increasingly started to focus on software that runs on Linux, the operating system most often used with CVS. In March and April, Linux and Solaris servers at academic supercomputing centers were struck by unknown intruders.
The Samba project, which maintains file-server software that integrates with Microsoft Windows networks, uses Subversion. However, the project's developers were warned about the security issue before it was made public, Esser noted. (Subversion attempts to improve the usability and security of the CVS application.)
Derek Price, the CVS release manager, and Esser sent a vulnerability notification to the members of Vendor-Sec, a limited community of major open-source projects that share security information. Esser also contacted other big users of the application, including SourceForge, XFree86, the Free Software Foundation and PHP.net.
"For this particular issue, the release was synchronized with other vendors," Price said. "I'm sure there are other groups out there. That's what my announcement was for."
The Debian Project, a major Linux distribution, released a patch for the CVS software on Wednesday, in an advisory timed to publish simultaneously with e-Matters' alerts.
Martin Schulze, a developer and member of the Debian Project, said that he thought the threat of the CVS flaw should be limited.
"The impact should be little to other projects if they are applying the patch, which is pretty simple," said Schulze. "If they don't, it is possible to exploit the CVS server and gain access to the machine with the (access level of the server)--that should only be a regular user, not root."
Source: C-Net News