January 23, 2003 9:00 AM PST
Open-source defect reaches deep
CVS allows open-source developers to remotely update and modify the source code of projects while ensuring that collaborative efforts don't overlap.
By using CVS, changes to source code made by one developer aren't overwritten by another. It also provides version control and gives the open-source community a means to manage open projects that have multiple contributors.
The security hole allows attackers to take control of a CVS server and alarmingly, it may also allow anonymous attackers to fiddle with open-source code at the development level.
"There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include Trojan horses, backdoors or other malicious code," a Computer Emergency Response Team Coordination Center (CERT) advisory said. CERT is responsible for much of the software-vulnerability information released on the Internet.
Stefan Esser of E-Matters, a European technology company, discovered the vulnerability in early January.
Recognizing the potential impact of the problem, Esser first disclosed the vulnerability to several key CVS repositories. This allowed them to work around the vulnerability, hence protecting their source code from would-be attackers.
Esser then contacted the group that maintains CVS, and waited until they had produced a fix for the vulnerability before he disclosed the flaw to the public.
The scope of the vulnerability is immeasurable. Sourceforge.net alone uses CVS to maintain over 55,000 open-source projects. Even CVS is maintained by CVS.
Unlike earlier incidents in which open-source software was modified and the tampering was easily detected, as in the case of the "Trojaning" of the Sendmail.org and SSH distributions last year, this vulnerability is present at the very coal-face of open-source development.
An exploit for this potentially devastating security hole is not thought to be circulating, and E-Matters has stated that it would not be releasing one to the public.
Versions of CVS vulnerable to this attack include those shipped by Conectiva, Cray, Debian, IBM, MandrakeSoft and Red Hat, although many others may be vulnerable.
ZDNet Australia's Patrick Gray reported from Australia.