Security researchers have discovered a heap overflow vulnerability in Concurrent Versions System (CVS), the source code maintenance system used to power open-source software development projects.
An alert from the U.S. Computer Emergency Response Team (US-CERT) said the flaw could allow a remote attacker to launch malicious code on a vulnerable system. Secunia has tagged the vulnerability with a “highly critical” rating.
The heap memory problem was found in the way CVS handles the insertion of modified and unchanged flags within entry lines. When processing an entry line, an additional byte of memory is allocated to flag the entry as modified or unchanged, but a failure to check whether a byte has already been allocated for the flag creates an off-by-one buffer overflow, US-CERT said.
“By calling a vulnerable function several times and inserting specific characters into the entry lines, a remote attacker could overwrite multiple blocks of memory. In some environments, the CVS server process is started by the Internet services daemon (inetd) and may run with root privileges,” the Center warned.
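To make the allocation mistake described above concrete, the following C program is an added illustration, not CVS source code and not taken from the advisory. It models an entry line as a hypothetical `struct entry` with an optional trailing flag byte, and shows the defective sizing logic (`append_flag_unchecked`) beside a corrected version (`append_flag_checked`) that first checks whether the flag byte already exists. All writes go through a bounds-checked store so the off-by-one is reported rather than actually corrupting the heap; the sample entry line and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a flagged entry line (illustration, not CVS source):
 * the line text plus an optional one-byte status flag appended at the end. */
struct entry {
    char  *buf;      /* heap buffer, NUL-terminated */
    size_t cap;      /* bytes actually allocated */
    size_t base_len; /* length of the text without any flag */
    size_t len;      /* current length, including the flag once appended */
    bool   flagged;  /* whether a flag byte has already been allocated */
};

/* Bounds-checked store: instead of writing past the allocation it reports
 * the attempt, so the off-by-one is observable without corrupting the heap. */
static bool checked_put(struct entry *e, size_t idx, char c) {
    if (idx >= e->cap) {
        fprintf(stderr, "blocked write at index %zu, allocation is %zu bytes\n",
                idx, e->cap);
        return false;
    }
    e->buf[idx] = c;
    return true;
}

static bool entry_init(struct entry *e, const char *text) {
    e->base_len = strlen(text);
    e->cap = e->base_len + 1;              /* text + NUL, no flag yet */
    e->buf = malloc(e->cap);
    if (!e->buf) return false;
    memcpy(e->buf, text, e->cap);
    e->len = e->base_len;
    e->flagged = false;
    return true;
}

static void entry_free(struct entry *e) { free(e->buf); e->buf = NULL; }

/* Defective pattern: the allocation is sized for exactly one flag byte on the
 * assumption that none has been appended yet, while the write offset follows
 * the current length. On a second call the terminator lands one byte past the end. */
static bool append_flag_unchecked(struct entry *e, char flag) {
    size_t size = e->base_len + 2;         /* text + one flag byte + NUL */
    char *nb = realloc(e->buf, size);
    if (!nb) return false;
    e->buf = nb;
    e->cap = size;
    if (!checked_put(e, e->len, flag)) return false;
    if (!checked_put(e, e->len + 1, '\0')) return false; /* base_len+2 on the 2nd call */
    e->len++;
    e->flagged = true;
    return true;
}

/* Corrected pattern: if the flag byte already exists, overwrite it in place;
 * only grow the buffer the first time a flag is appended. */
static bool append_flag_checked(struct entry *e, char flag) {
    if (e->flagged)
        return checked_put(e, e->len - 1, flag);
    size_t size = e->len + 2;              /* current text + flag + NUL */
    char *nb = realloc(e->buf, size);
    if (!nb) return false;
    e->buf = nb;
    e->cap = size;
    if (!checked_put(e, e->len, flag)) return false;
    if (!checked_put(e, e->len + 1, '\0')) return false;
    e->len++;
    e->flagged = true;
    return true;
}

/* Constructed sample entry line; its shape is illustrative only. */
static const char SAMPLE_LINE[] = "/example.c/1.1/dummy timestamp//";

/* Flag the same entry twice ('M' then 'U'), i.e. call the routine repeatedly
 * as the advisory describes. Returns true if every write stayed in bounds;
 * *last_flag receives the final flag character when the sequence succeeds. */
static bool flag_twice(bool use_checked, char *last_flag) {
    struct entry e;
    if (!entry_init(&e, SAMPLE_LINE)) return false;
    bool (*append)(struct entry *, char) =
        use_checked ? append_flag_checked : append_flag_unchecked;
    bool ok = append(&e, 'M') && append(&e, 'U');
    if (ok && last_flag) *last_flag = e.buf[e.len - 1];
    entry_free(&e);
    return ok;
}

bool unchecked_sequence_stays_in_bounds(void) { return flag_twice(false, NULL); }
bool checked_sequence_stays_in_bounds(void)   { return flag_twice(true, NULL); }

/* Final flag byte after the corrected sequence ('U'); '?' if it failed. */
char checked_final_flag(void) {
    char c = '?';
    return flag_twice(true, &c) ? c : '?';
}

int main(void) {
    printf("unchecked: %s\n", unchecked_sequence_stays_in_bounds() ? "in bounds" : "overflow blocked");
    printf("checked:   %s (flag %c)\n", checked_sequence_stays_in_bounds() ? "in bounds" : "overflow blocked",
           checked_final_flag());
    return 0;
}
```

Running it shows the unchecked routine succeeding on the first call and then attempting to write the terminator at index `base_len + 2` of a `base_len + 2` byte allocation on the second, which is exactly the one-byte overrun the advisory describes; the checked routine notices the existing flag byte, rewrites it in place and never grows past what it allocated. The general defensive lesson is that any code sizing a buffer from state it assumes rather than state it tracks needs the state check before the write.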
It effectively means an authenticated client could exploit this vulnerability to execute arbitrary code, execute commands, modify sensitive information, or cause a denial-of-service attack.
US-CERT also warned that an anonymous user with read-only access could exploit a vulnerable server, as such users are authenticated through the cvspserver process. “In addition to compromising the system running CVS, there is a significant secondary impact in that source code maintained in CVS repositories could be modified to include Trojan horses, backdoors, or other malicious code.”
The flaw has been fixed in upgraded CVS versions 1.12.8 and 1.11.16.