More Trouble for Flawed CVS

In a security advisory issued today, iDefense announced
the discovery of yet another Concurrent Versions System (CVS)
flaw.

According to the security research firm’s advisory, the
“Undocumented Flag Information Disclosure Vulnerability”
allows for the remote exploitation of an information disclosure
vulnerability in CVS that “allows attackers to glean information.”
According to iDefense’s analysis, successful exploitation would allow an
attacker to gain credentials to the CVS server, which would permit them to
determine “whether or not arbitrary system files and directories exist
and are accessible under the permissions of the user that the CVS daemon
runs under.”

The vulnerability was found in an undocumented switch that is implemented
in src/history.c via the ‘history’ command. The vulnerability has already
been patched in the most recent versions of CVS.

Security researchers discovered a number of critical CVS flaws in late May,
which preceded the discovery of more flaws in June.

The vulnerabilities include some particularly worrisome issues like heap
overflow and the ability to execute arbitrary code, among others. CVS was
updated in June to protect against those flaws, at which time all CVS users
were urged to upgrade to the latest patched version.

All the major Linux distributions have already issued updated binaries for
CVS, and the core project maintainers have posted the newest source
on the CVS Web site.

CVS is a source code maintenance system that has become the de facto
standard software configuration management system of the Free and
Open Source development communities. It allows multiple disparate
developers to contribute and collaborate on code without version
conflicts. CVS also allows developers to record and track all committed
changes, as well as store the current version of the source code.
