RealTime IT News

More Trouble for Flawed CVS

In a security advisory issued today, iDefense announced the discovery of yet another Concurrent Versions System (CVS) flaw.

According to the security research firm's advisory, the "Undocumented Flag Information Disclosure Vulnerability" allows for the remote exploitation of an information disclosure vulnerability in CVS that "allows attackers to glean information." In their analysis, the successful execution of the exploit would allow an attacker to gain credentials to the CVS server, which would permit them to determine, "whether or not arbitrary system files and directories exist and are accessible under the permissions of the user that the CVS daemon runs under."

The vulnerability was found in an undocumented switch that is implemented in src/history.c via the 'history' command. The vulnerability has already been patched in the most recent versions of CVS.

Security researchers discovered a number of critical CVS flaws in late May, which preceded the discovery of more flaws in June.

The vulnerabilities include some particularly worrisome issues like heap overflow and the ability to execute arbitrary code, among others. CVS was updated in June to protect against those flaws at which time all CVS users were urged to upgrade to the latest patched version.

All the major Linux distributions have already issued updated binaries for CVS, and the core project maintainers have posted the newest source on the CVS Web site.

CVS is a source code maintenance system that has become the defacto standard software configuration management system of the Free and Open Source development communities. It allows multiple disparate developers to contribute and collaborate on code without version conflicts. CVS also allows developers to record and track all committed changes, as well as store the current version of the source code.