The CVS vulnerability
[This article was contributed by LWN reader Tom Owen]
German web tools vendor e-matters somehow allows the time for PHP developer Stefan Esser to read source code. Earlier this week he reported serious vulnerabilities resulting from a programming error in the version control tool CVS. Since CVS is used by most free software development projects, this problem merits some attention.

CVS can be configured to allow read-only access to anonymous users. Development projects use this capability to allow public access to the latest development versions without having to build a release every time a file changes. The e-matters advisory covers two levels of vulnerability based on read-only access:
- Anonymous read-only users can obtain write access, allowing the attacker to change code in the repository. One obvious attack is to slip a trojan into the source. If the change isn't spotted, it will be distributed as part of the next release.
- A poorly-documented feature allows CVS users with write access to execute arbitrary commands on the server.
The advisory does not make the holes seem easy to exploit. The (unpublished) proof of concept depends on features of BSD memory management; it might not work on other hosts. But the payoff for a successful attack is huge - it's conceivable that an attacker could get an undetected trojan into a widely distributed package. So it is not surprising that the distributors are rushing out updates based on CVS version 1.11.5, which does not contain the fault.
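The practical question for an administrator is whether a given server is still running a release older than 1.11.5. The following is an added example, not code from the article or from the CVS project: it parses the banner line that `cvs --version` prints (the `Concurrent Versions System (CVS) X.Y.Z` format, including the `p1`-style patch levels older CVS releases used) and compares it with the fixed version the article names. The sample banners are constructed for the example.

```python
import re
import subprocess

# The article names CVS 1.11.5 as the release that does not contain the fault.
# Represented as (major, minor, patch, patchlevel) so "1.11.1p1" sorts above "1.11.1".
FIXED_VERSION = (1, 11, 5, 0)

# Assumed banner format, as printed by `cvs --version`:
#   Concurrent Versions System (CVS) 1.11.2 (client/server)
_VERSION_RE = re.compile(r"\(CVS\)\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample banners (not captured from real hosts).
SAMPLE_OLD = "Concurrent Versions System (CVS) 1.11.2 (client/server)\n\nCopyright (c) 1989-2002 ...\n"
SAMPLE_FIXED = "Concurrent Versions System (CVS) 1.11.5 (client/server)\n"
SAMPLE_PATCHLEVEL = "Concurrent Versions System (CVS) 1.11.1p1 (client/server)\n"


def parse_cvs_version(banner):
    """Return (major, minor, patch, patchlevel) from a `cvs --version` banner,
    or None when no version string is present."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(banner):
    """True when the banner reports a CVS release older than 1.11.5."""
    version = parse_cvs_version(banner)
    if version is None:
        raise ValueError("no CVS version string found in banner")
    return version < FIXED_VERSION


def check_local_cvs():
    """Run the locally installed cvs binary and report; returns None if cvs is absent."""
    try:
        banner = subprocess.run(["cvs", "--version"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return is_vulnerable(banner)


if __name__ == "__main__":
    for label, banner in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED), ("p1", SAMPLE_PATCHLEVEL)):
        print(label, parse_cvs_version(banner), "vulnerable" if is_vulnerable(banner) else "ok")
    print("local cvs:", check_local_cvs())
```

The tuple comparison is what makes the check robust: a plain string comparison would rank `1.11.10` below `1.11.5`, and would not know that `1.11.1p1` is newer than `1.11.1` but older than `1.11.2`.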
The advisory also points out:
Esser offers a patch to control Update-prog and Checkin-prog from the CVS configuration.
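Until a server is patched, one defensive option is to watch for the two requests in question on the wire. The following is an added example, not code from the article, from e-matters or from the CVS project: it walks a client-to-server pserver transcript, recovers the user name from the `BEGIN AUTH REQUEST` block (root, user name and scrambled password on the three following lines), and flags any `Update-prog` or `Checkin-prog` request together with the user who sent it. The transcript below is constructed for the example; the program path in it is a placeholder.

```python
# The two client requests the article says let a write-capable user run
# commands on the server.
DANGEROUS_REQUESTS = {"Update-prog", "Checkin-prog"}

# Constructed pserver session (client side only); not a real capture.
SAMPLE_SESSION = "\n".join([
    "BEGIN AUTH REQUEST",
    "/cvsroot/example",
    "alice",
    "Ay=0=h<Z",            # scrambled password line, constructed
    "END AUTH REQUEST",
    "Root /cvsroot/example",
    "Valid-responses ok error Valid-requests Checked-in",
    "valid-requests",
    "Directory .",
    "/cvsroot/example",
    "Checkin-prog /path/to/placeholder-program",
    "update",
    "",
])


def scan_pserver_session(transcript):
    """Return a list of findings, one per Update-prog/Checkin-prog request seen,
    each recording the authenticated user, the request name and its argument."""
    lines = transcript.split("\n")
    user = None
    findings = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "BEGIN AUTH REQUEST":
            # Layout: root, user, scrambled password, then END AUTH REQUEST.
            if i + 4 < len(lines) and lines[i + 4] == "END AUTH REQUEST":
                user = lines[i + 2]
                i += 5
                continue
        name, _, arg = line.partition(" ")
        if name in DANGEROUS_REQUESTS:
            findings.append({"user": user, "request": name, "program": arg})
        i += 1
    return findings


if __name__ == "__main__":
    for finding in scan_pserver_session(SAMPLE_SESSION):
        print("ALERT user=%(user)s sent %(request)s with argument %(program)s" % finding)
```

A session is only scannable this way when it is not wrapped in an encrypted tunnel; for `:ext:` over ssh the same check belongs on the server side, which is what Esser's configuration patch provides.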
There are numerous anonymous-CVS servers on the net, and all of them could, conceivably, be vulnerable. It is important that they get patched up in a hurry, or this vulnerability could be the source of no end of other problems later on.