Linux vendors have rushed to distribute patches for a critical flaw in CVS, a widely used program for collaborating on software development, that could allow a malicious user unauthorized access to development code.
By last Friday FreeBSD all the major Linux distributors, including Red Hat, Debian, Suse Linux, MandrakeSoft, Slackware and Gentoo Software, had issued patches for the versions of CVS (Concurrent Versioning System) packaged to run on their distributions, following an advisory published earlier last week by German security firm E-Matters. The firm also warned of a similar, more easily exploitable flaw in Subversion, a newer and less popular revision of CVS.
CVS allows large numbers of contributors to collaborate on software development projects, letting them keep their own modifications up to date with those of other developers, stored on a server. The flaw found by E-Matters allows a user to exploit a "heap overflow" that could allow them to execute arbitrary code on the CVS server, according to Stefan Esser, chief security and technology officer at E-Matters. "This could allow a repository compromise," Esser wrote in the advisory.
"A successful exploit would give access to the system with the privileges of the user running CVS, who obviously has access to all the code," said Thomas Kristensen, CTO of security firm Secunia. "A developer would often connect to CVS before he starts working on a piece of code, and synchronize with what is held on the server. If that code has been (maliciously) modified he could end up working with modified code."
Kristensen said that the flaw appears to require the attacker to have a valid user account, so that the projects most at risk are those which allow anonymous access.
The flaw was discovered during an audit of the CVS source code, Esser said, and is caused by a bug in the way certain properties of incoming data are checked. E-Matters recommended users update to the patched version immediately.
E-Matters informed major users of CVS, including the major Linux distributions, Gnome and KDE desktop software projects and the Apache Web server, before disclosing the flaw publicly, giving them time to patch their systems. The CVS developers themselves were informed at the beginning of this month, and immediately came up with a fix, Esser said; later this patch was found to break compatibility with some versions of CVS, so a second patch was issued last week, followed by public disclosure this week.
Last year, in the space of four months, attackers successfully compromised the security around the Linux kernel and the Debian, Gentoo and GNU projects. In December, one of Gentoo's servers for making source code available to users was compromised. In November, an attacker compromised a legitimate Linux kernel contributor's machine and used it to submit compromised code. In the compromises of the GNU and Debian development servers, attackers discovered the username and password of a legitimate user, and then exploited a recently-discovered Linux flaw to gain the privileges of the system owner.
Despite such breaches, the open-source development method is not necessarily less secure than proprietary development within the confines of a single company, said Secunia's Kristensen. "It obviously does give you a different kind of exposure, but there are also probably more eyes looking critically at how the source code is modified," he said. "In a company, if an employee makes an accidental or deliberate mistake that affects the product's security, it's unlikely there will be methods in place to verify what that trusted employee does."