Remote Root Exploit in CVS
RenHoek writes "Security expert Stefan Esser from E-matters discovered a bug in CVS version 1.11.4 and lower, that can give malignant users remote root access. The exploit was confirmed on BSD, but other OS's like Linux, Solaris and Windows are vulnerable too. A security advisory can be found here and there is also a patch available. CVS version 1.11.5 which is fixed can be downloaded as well."
"Do you OSS folks actually read through every line of source before you build something big like Apache or Squid or SAMBA, just to make sure no one has altered the code?"
No. But I do check the md5 checksums that I get from at least 2 or 3 different sources. Especially with server software like Apache, Squid or SAMBA.
Do you Closed-Sourced folks trust whatever gets shoved down your throat?
HURD - Hurd's Under Research & Development
First, the bug being in CVS has nothing to do with changing the source code on a hacked machine. If you have root from ANY bug, you can change the source code. No, "OSS folks" do not waste time looking through every bit of source of Apache, Squid, or SAMBA, if they're just downloading and compiling it on a machine that's been compromised. They probably couldn't find malicious code anyway if they don't know the code well. They just run md5 hashes against the ones on the download site. As for developers checking code that they developed themselves or distribute, yes, you must check every line of code and look for vulnerabilities. That is, unless you have some backup to run a diff against that you can trust. As an example, Themes.org had to go through all their code when their server was compromised before they put the site back up.
[Rant]
No. But I do check the md5 checksums that I get from at least 2 or 3 different sources.
So here's the funny thing about doing it that way. You're not necessarily any safer by doing that than just getting the binaries.
Why?
Unless you personally diff all the code that has changed since the last release, you don't know what's in there. Sure, you could check, and others can (and likely do), but you don't know until/unless they/you do.
So enjoy your security blanket, but realize that it is only that.
[/Rant]
No, but plenty of open source projects 'sign' their work, which I can then verify with gpg and the public key of the developer(s).
The question then becomes, "Do I trust that person", instead of, "Do I trust that person and every bloody person who just might be able to alter a file in the long chain of responsibility from him compiling it to me installing it."
GPG. Know it. Live it. Love it.
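As an added example that is not from any poster in this thread, here is the "check the md5 sums from two or three sources, then verify the GPG signature" routine as a runnable POSIX shell script: an archive is accepted only when every mirror's checksum list agrees with the digest computed locally, and a thin wrapper hands a detached signature to gpg. It assumes md5sum (GNU) or md5 (BSD) is installed, that gpg, if present, already has the developer's public key imported, and it uses a constructed stand-in tarball and constructed mirror lists rather than real downloads.

```shell
# Added example (not from the thread): accept a downloaded archive only when
# checksum lists fetched from several mirrors all agree with its real digest.
# Assumes md5sum (GNU) or md5 (BSD); gpg is optional and needs the developer's key imported.
digest_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}
# verify_release ARCHIVE LIST... -> 0 only if every list names ARCHIVE with the
# locally computed digest; a missing entry or any disagreement returns 1.
verify_release() {
    archive=$1; shift
    actual=$(digest_of "$archive")
    name=$(basename "$archive")
    for list in "$@"; do
        # md5sum/sha256sum list format: "<hex>  <filename>"
        listed=$(awk -v f="$name" '$2 == f { print $1 }' "$list")
        if [ -z "$listed" ]; then
            echo "$list: no entry for $name" >&2; return 1
        fi
        if [ "$listed" != "$actual" ]; then
            echo "$list: digest mismatch ($listed != $actual)" >&2; return 1
        fi
    done
    return 0
}
# verify_signature ARCHIVE SIGFILE -> gpg's own exit status (0 = good signature
# from a key in your keyring); 2 if gpg is not installed.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$2" "$1"
}
# Constructed sample: a stand-in tarball, two honest mirrors, one tampered mirror.
demo() {
    d=$(mktemp -d)
    printf 'stand-in for cvs-1.11.5.tar.gz\n' > "$d/cvs-1.11.5.tar.gz"
    h=$(digest_of "$d/cvs-1.11.5.tar.gz")
    printf '%s  cvs-1.11.5.tar.gz\n' "$h" > "$d/mirror1.md5"
    printf '%s  cvs-1.11.5.tar.gz\n' "$h" > "$d/mirror2.md5"
    printf '%s  cvs-1.11.5.tar.gz\n' 00000000000000000000000000000000 > "$d/mirror3.md5"
    verify_release "$d/cvs-1.11.5.tar.gz" "$d/mirror1.md5" "$d/mirror2.md5" && echo "OK: mirrors agree"
    verify_release "$d/cvs-1.11.5.tar.gz" "$d/mirror1.md5" "$d/mirror3.md5" || echo "REJECT: mirror3 differs"
    rm -rf "$d"
}
demo
```

The comparison logic is digest-agnostic, so swapping md5sum for sha256sum is a one-line change for a present-day release; the agreement check only detects a tampered mirror, which is why the thread's second point, a developer signature checked with gpg, still matters.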
Or maybe not - someone will find a way to exploit those and anything else that catches on.
It's impossible to protect non-trivial software from *everything*. You might as well get on with your life, plan for exploits and how to deal with them. Anything else is just a pipe dream.