Two Open-Source CVS Programs Spring Security Leaks

By Lisa Vaas | Posted 2004-05-20

A researcher has found critical flaws in CVS and Subversion; updates have been posted.

Critical flaws have been found in two open-source applications: Concurrent Versions System (CVS), a popular open-source application in which many developers store code, and Subversion, which was built to be a compelling replacement for CVS in the open-source community. Stefan Esser, the security researcher who discovered the flaws, released advisories Wednesday recommending that the applications be updated immediately. Esser is the chief security and technology officer at e-Matters, a German technology company.

The first flaw affects CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7. Both contain a bug in the code that decides whether a CVS entry line should be flagged as "modified" or "unchanged". When remote users send entry lines to the server, one additional byte is allocated so that the entry can later be flagged. Users are, however, also allowed to insert "M" or "=" characters into the middle of the strings, which results in what's called a heap overflow. The flaw could allow a remote attacker to execute arbitrary code on the CVS server.

According to Esser's advisory, CVS developers were notified of the flaw earlier this month. Derek Robert Price replied that the flaw had already been fixed. The CVS Project posted two updates Wednesday, CVS Version 1.11.16 and CVS Feature Version 1.12.8. According to the disclosure timeline in Esser's advisory, important code repositories were notified before the flaws were made public Wednesday.

The second flaw, in Subversion, which is released under an Apache/BSD-style open-source license, is easy to exploit, according to Esser's advisory. "Exploiting this vulnerability on not heavily protected servers is trivial even for beginners," Esser wrote. "Even ProPolice users aren't safe because overwriting function arguments allows some fancy exploits." (ProPolice was developed by IBM and protects against "stack-smashing" attacks, a common way to break program security.)

Subversion versions up to 1.0.2 are vulnerable. The flaw is a date-parsing vulnerability that can be exploited to gain remote code execution on Subversion servers and thereby compromise repositories. It resides in an unsafe call to sscanf() in a Subversion date-parsing function: when Subversion attempts to convert a string into an apr_time_t, it falls back to sscanf() to decode old-style date strings, according to Esser's advisory. That function is exposed to external attack through a DAV2 REPORT query or a get-dated-rev svn-protocol command. The first path is "somewhat harder" to exploit, Esser wrote, whereas the second is a standard stack overflow, with the exception that white space and the "\0" character are forbidden.

Linux and BSD distributions have released advisories, as has the Debian Project, the association that created the open-source Debian GNU/Linux operating system.

Editor's Note: This story was updated to correctly identify the nature of the two applications.
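The sscanf() pattern behind the Subversion bug, shown as an added illustration that is not Subversion's own code: parse_date_unsafe() uses unbounded "%s" conversions into fixed stack buffers, while parse_date_safe() is the width-limited, fully-consumed, range-checked form a reviewer would ask for. The struct layout, function names and the sample date strings are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed field layout for an old-style stamp such as
 * "Wed May 19 13:42:07 2004" (illustrative, not Subversion's struct). */
struct old_date { char wday[4]; char mon[4]; int day, hour, min, sec, year; };

/* Vulnerable pattern: "%s" has no field width, so a weekday or month token
 * longer than three characters writes past wday/mon on the stack. */
int parse_date_unsafe(const char *s, struct old_date *d)
{
    return sscanf(s, "%s %s %d %d:%d:%d %d", d->wday, d->mon,
                  &d->day, &d->hour, &d->min, &d->sec, &d->year) == 7;
}

/* Hardened form: every string conversion carries a width one less than its
 * buffer, "%n" records how much input was consumed so leftover bytes (an
 * over-long token or trailing junk) are rejected, and numeric fields are
 * range-checked before the caller trusts them. */
int parse_date_safe(const char *s, struct old_date *d)
{
    int used = 0;
    if (sscanf(s, "%3s %3s %d %d:%d:%d %d%n", d->wday, d->mon,
               &d->day, &d->hour, &d->min, &d->sec, &d->year, &used) != 7)
        return 0;
    if (s[used] != '\0')
        return 0;
    if (d->day < 1 || d->day > 31 || d->hour < 0 || d->hour > 23 ||
        d->min < 0 || d->min > 59 || d->sec < 0 || d->sec > 60 ||
        d->year < 1970)
        return 0;
    return 1;
}

/* Convenience wrapper: parsed year on success, -1 when the input is rejected. */
int safe_year(const char *s)
{
    struct old_date d;
    return parse_date_safe(s, &d) ? d.year : -1;
}

int main(void)
{
    const char *good = "Wed May 19 13:42:07 2004";        /* constructed */
    const char *bad  = "Wednesday May 19 13:42:07 2004";  /* over-long token */
    printf("%s -> %d\n", good, safe_year(good));  /* 2004 */
    printf("%s -> %d\n", bad, safe_year(bad));    /* -1 */
    return 0;
}
```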

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.