Security researchers have found multiple potential security flaws in one of the main tools of modern open source code management, the Concurrent Version System. However, new versions of CVS have already been issued that correct the flaws.
CVS, a source code maintenance system, has become the standard software configuration management (SCM) system of the Free and Open Source development communities. CVS enables developers to contribute and collaborate on code without version conflicts. It also allows developers to store the current version of the source code as well as a record of all committed changes and who made them.
The latest flaws come after security researchers warned of a flaw in CVS that could be used to launch malicious code on a vulnerable system. Security researchers released a patch for that “critical” vulnerability late last month.
However, researchers have since found several additional vulnerabilities. One involves a flaw that could lead to a missing NULL terminator; others relate to an error_prog_name string, an argument integer overflow and an out of bounds issue in serv_notify code.
A malicious attacker could theoretically exploit these vulnerabilities to execute code, execute commands, read sensitive information, or cause a denial of service.
CVS project maintainers at http://www.cvshome.org have released new versions of CVS, 1.12.9 and 1.11.7, as well as binaries for most major Linux distributions.
The group also recommended that all CVS users upgrade to the latest version. In addition, they said the vulnerabilities relate almost entirely to the pserver method of accessing CVS.
Pserver is a daemon
CVS is the dominant code version management tool in use today by many open source projects, including the Apache Software Foundation, which, according to board member Ken Coar, plans to review its CVS usage.
“Of course time will be spent examining our repositories,” Coar told internetnews.com. “I daresay the same will apply to any other group using distributed CVS.”
Though CVS dominates in usage with many major open source development projects, another system, known as Subversion (SVN), is starting to make itself known. Some in the open source community even see SVN as a successor to CVS; both are sponsored by Brian Behlendorf’s CollabNet (Behlendorf is also of the Apache Software Foundation).
But Coar said he doesn’t see recent issues with CVS as enough for the Apache Software Foundation to drop CVS and move to SVN. “My personal opinion is that it’s unlikely, at least as a consequence of these vulnerabilities,” Coar said. “There’s a significant overlap of ASF developers with the SVN project, and there has been discussion about moving to SVN, partly because the technology is seen as more robust and current. Some of the ASF projects already use SVN rather than CVS,” he said.
“I think that over time new projects will choose their repository tool, and the older projects may or may not migrate. But again, that’s not because of any security issues in CVS. These discussions go back many months.”