CERT Details Flaw in Concurrent Versions System

Written By Clint Boulton
Jan 24, 2003

A flaw in a source-control and collaboration server widely used by open-source software developers could allow an attacker with read-only access to run arbitrary code, alter program operation, read information, or cause a denial of service, according to the Computer Emergency Response Team Coordination Center (CERT).


The CERT Coordination Center also reported a significant secondary impact of this flaw for the Concurrent Versions System (CVS) server, which is used to update and alter source code via the Internet: an attacker who is able to compromise a CVS server could modify source-code repositories to contain Trojan horses, backdoors, or other malicious code.


The CVS server vulnerability can be triggered by a set of specially crafted directory requests.


“While processing these requests, an error-checking routine may attempt to free the same memory reference more than once. Deallocating the already freed memory leads to heap corruption, which an attacker could leverage to execute arbitrary code, alter the logical operation of the CVS server program, or read sensitive information stored in memory,” CERT said. However, in most cases heap corruption will result in a segmentation fault, causing a denial of service.
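The pattern CERT describes, an error-checking routine releasing memory that a later cleanup path releases again, is easiest to see in a small handler. The following C program is an added example written for this article, not code from CVS or from CERT; the `dir_request` structure, the two-field "local repo" request format and the function names are constructed for illustration. It shows the unsafe cleanup beside the hardened form (free the pointer and clear it in one step, so cleanup is idempotent), and it counts real `free()` calls so the difference can be checked rather than assumed. The demo refuses to execute the unsafe cleanup on an error path, since that would be an actual double free.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the article or the CVS project.
 * A hypothetical parsed directory request with two heap-allocated fields. */
struct dir_request {
    char *local;   /* client-side directory name (heap copy) */
    char *repo;    /* repository directory name (heap copy) */
};

static int free_calls;   /* instrumentation: counts real free() calls */

static void counted_free(void *p)
{
    if (p != NULL) {
        free_calls++;
        free(p);
    }
}

/* Unsafe cleanup: the pointers stay dangling after free(), so a second
 * call (error path, then the caller's normal cleanup) frees them again. */
static void release_unsafe(struct dir_request *r)
{
    counted_free(r->local);
    counted_free(r->repo);
}

/* Hardened cleanup: free and clear in one step. Repeated calls are
 * harmless because counted_free() skips NULL on the second pass. */
#define FREE_AND_NULL(p) do { counted_free(p); (p) = NULL; } while (0)

static void release_safe(struct dir_request *r)
{
    FREE_AND_NULL(r->local);
    FREE_AND_NULL(r->repo);
}

/* Parses a constructed request line of the form "local repo".
 * Returns 0 on success, -1 on error. On error it releases the fields
 * itself (the error-checking routine), which is exactly the situation
 * where the caller's own unconditional cleanup becomes a second free. */
static int parse_request(const char *line, struct dir_request *r,
                         void (*release)(struct dir_request *))
{
    const char *sep = strchr(line, ' ');
    r->local = NULL;
    r->repo = NULL;
    if (sep == NULL)
        return -1;                      /* nothing allocated yet */
    size_t n = (size_t)(sep - line);
    r->local = malloc(n + 1);
    if (r->local == NULL)
        return -1;
    memcpy(r->local, line, n);
    r->local[n] = '\0';
    if (sep[1] == '\0') {               /* missing repository field */
        release(r);                     /* error path cleans up ... */
        return -1;                      /* ... and the caller will too */
    }
    size_t m = strlen(sep + 1);
    r->repo = malloc(m + 1);
    if (r->repo == NULL) {
        release(r);
        return -1;
    }
    memcpy(r->repo, sep + 1, m + 1);
    return 0;
}

/* Handles one line the way a server loop would: parse, then always
 * release on the way out. Returns the number of free() calls made, or
 * -1 when the unsafe cleanup would run on an error path (refused,
 * because that is the double free itself). */
int frees_for_line(const char *line, int hardened)
{
    struct dir_request r;
    void (*release)(struct dir_request *) =
        hardened ? release_safe : release_unsafe;
    free_calls = 0;
    int rc = parse_request(line, &r, release);
    if (rc != 0 && !hardened)
        return -1;                      /* refuse to execute a double free */
    release(&r);                        /* caller's unconditional cleanup */
    return free_calls;
}

int main(void)
{
    printf("valid request, hardened:   %d frees\n", frees_for_line("src/foo repo/foo", 1));
    printf("bad request, hardened:     %d frees\n", frees_for_line("src/foo ", 1));
    printf("bad request, unsafe:       %d (refused)\n", frees_for_line("src/foo ", 0));
    return 0;
}
```

The point of the counter is that the hardened handler frees the partially built request exactly once even though two cleanup routines run on the error path; with the unsafe routine, the same input would free `local` twice, which is the heap corruption CERT describes.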


But because the CVS server process is typically started by the Internet services daemon and runs with root privileges, arbitrary code would also run with root privileges.


Vendors whose systems run CVS Home project versions of CVS prior to 1.11.5, whose operating system distributions provide CVS, or whose source code repositories are managed by CVSsupport, are affected by the flaw. Those companies include Cray, IBM, and Sun Microsystems.


CERT, which said Stefan Esser of e-matters reported the issue, recommends that users apply the appropriate patch or upgrade as specified by their vendor.
