Security Holes in CVS and Subversion Found
joe_bruin writes "News.com.com is reporting two separate vulnerabilities that affect current versions of the CVS and Subversion source control systems. Apparently, major users of these products (Linux and BSD distros, Samba, etc.) have been notified and have patched their systems." Update: 05/20 02:01 GMT by S : Clarification that there are separate issues for both CVS and Subversion.
...had better get proactive :)
/. to help out its fellow OSDN member*
God knows it took them ages to get their CVS server problems resolved a few years back.
*points
Homonyms are fun!
You're driving your car, but they're riding their bikes there.
Man- I used CVS in a project just last year. Sure hope Olivetree has patched their server.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
If you compromise it, it's so broken you can't even use it to control source.
Developers and admins have to keep security aware constantly, which is one of the hardest problems in real production environments.
Why don't highly important OSS projects use second-level protection, like only allowing user X to modify files N Y P at a file system level? If such measures were taken, the worst that could happen is a DoS attack.
This also helps to sell managed code for mission critical systems.
Great, I'll grab it just as soon as the source for the patch goes into CVS! Oh wait...
Flaws drill holes in open-source databases
Geez, this is why open source needs a frickin' PR department. These flaws DRILL HOLES!!! Into Open source DATABASES!! OMGLOLWTF??!111
CVS and its pudgy cousin Subversion are not databases. They may use the *concept* of a database *internally*, but then again so do iTunes and Emacs and probably a bunch of other programs.
Does CNET not understand the concept of a version control system? Hint: only people who know what they are use them in the first place.
Regardless, I only use these things via SSH, and have never recommended running CVS with pserver or Subversion via Apache or its server, except on a well-firewalled LAN. I think that's the common practice anyway.
Pretty good rule of thumb: if you can run the service over an SSH tunnel, DO IT! Don't assume Yet Another Server Daemon is secure. Then you just have to keep an eye out for SSH exploits (which you should be doing anyway since SSH bugs are more serious than bugs in TEH OPEN-SORCE DATABASS anyway!).
Of course not. We're all looking to see if we need to update or patch something.
::jafomatic
"The Samba Project, which maintains file server software that integrates with Microsoft Windows networks, uses Subversion. However, the project's developers were warned about the security issue before it was made public, Esser noted."
- By Robert Lemos, Staff Writer, CNET News.com
Creative Demolition
Hopefully no evil hax0rs use this to steal the source code of Linux! (I know it isn't in a CVS, but it has a CVS gateway.)
superman runs linux
From the FAQ:
""First Post" comments are one of those odd little memetic hiccups that come out of nowhere and run amok. Basically, people with altogether far too much spare time sit and reload Slashdot, hoping that they will get the "First Post" in a discussion. This is one of those things that the moderation system was designed to clean up, and for the most part, it works. "First Post" comments usually get moderated down as off-topic almost instantly."
Hmm, so does this mean that we need to go looking for backdoors in every piece of code out there that uses a publicly visible CVS tree? Better get started!
As mentioned in a previous comment, perhaps there DOES need to be some kind of PR department for open source.
Perhaps a group of dedicated OSS developers needs to form some kind of committee to produce non-biased articles re: open source, and pass those on to the media.
Think about it - it could work, and if it was committee-based, unbiased views could be maintained.
Factual (rather than MS-funded/manufactured) data could be used to generate anti-FUD articles which, if advertised/promoted correctly, could reveal to the public some of Microsoft's baseless attacks in the name of profit, and could sway the masses' views of OSS in general.
Homonyms are fun!
You're driving your car, but they're riding their bikes there.
Just goes to show how open source leads to insecure software and the commercial software model is better.
Oh wait... that's not right...
Take 2
This just goes to show that with so many eyes viewing the software, bugs will be found and corrected, and we do not know how many undetected bugs are in commercial software.
If CVS was implemented in Java it couldn't suffer from this kind of problem. Sure, there are still plenty of other bugs that can be coded up in Java, but not nearly the plethora of agonizing, painful, excruciating, unfindable bugs you can subject yourself (and your users) to with applications written in C & C++ and other archaic languages.
I'm sure there are good reasons to program in C, C++, assembly language, FORTRAN, COBOL, BASIC,
can't think of any offhand.
... I just :-)
I'm confused. I thought SVN was a rewrite of CVS...? Is the flaw based on a common library or something? Puzzled.
Note that this problem only exists in pserver code. Anyone using pserver on critical systems needs to reassess their security anyway.
Tarsnap: Online backups for the truly paranoid
Is this the third hole in cvs in a very short amount of time?
Laugh, it's a joke.
Linux development is very decentralized, so Bitkeeper is much better suited to it than CVS or Subversion. The CVS and Subversion models are by their nature oriented toward having a single central repository, though there is a project to provide a wrapper for Subversion to support a decentralized model.
Reportedly arch has a model more like Bitkeeper, but I haven't tried it. I use CVS at work, and Subversion for my personal projects.
YHBT. Look at his nick and posting history.
I wonder how many viruses would be released that will take advantage of these security holes.
Is that a sign of how difficult the holes tend to be to exploit on *nix systems, or is it more due to Microsoft being popular?
I don't doubt that a virus could take advantage of a security hole in *nix systems, but isn't the execution/spreading by default going to be a lot harder?
Just curious -- which distros have already released updates for these packages? I see Debian released them promptly, but up2date on my Red Hat Enterprise 3 does not yet show an update being available.
Okay, I'm familiar with stack overflows. What is a heap overflow?
Hasn't anyone LOOKED at the code?
Have you ever considered the possibility that they may have discovered the vulnerability by looking at the code?
They still have to make sure everyone knows about it, you know.
According to the alerts below, Fedora Core 2 has these vulnerabilities, and furthermore, they can lead to arbitrary code execution:
FC2 CVS alert
FC2 Subversion alert
I can understand that a buffer overflow can cause a DoS (e.g. crashing a daemon), but how can it lead to arbitrary code execution with FC2's kernel-level stack protection? Is this just a cut and paste typo from alerts of older distros?
all versions of CVS released before May 19th
This is the first time they looked at the code?
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
Of course not. This is not the first vulnerability either.
Just because you found a bunch of problems a while ago doesn't mean you shouldn't look at the code again later.
Dr Hos'e may have indulged in the trollish arts in the past, but he does have a point:
how many otherwise great programmers and source control systems gurus cannot post bugfixes to CVS and Subversion codebases thanks to Bitkeeper's EULA
I've received patches from kernel developers for my open source programs. The BK licence makes them give up the right to file CVS or Subversion bug reports, in order to use BK for free.
I don't think CVS or Subversion would suit Linus's style, but maybe Arch or Darcs will in the future.
I run a CVS server on behalf of a client on a FreeBSD box. It is running in pserver mode, and is launched by cvsd, which is a chroot() jail for CVS.
It is not clear from the sensationalistic news story what an administrator should do, or whether my particular configuration is vulnerable. Could a more knowledgeable person please summarize the issues involved, or point to the original vulnerability report so I can evaluate my risk?
Thanks,
Schwab
Editor, A1-AAA AmeriCaptions
These vulnerabilities are a consequence of an architectural security flaw in both CVS and Subversion: they require an active server that talks a complex protocol to an unauthenticated client.
Whenever you allow an untrusted client to control code running on your server, there is a risk of a compromise.
The distributed version control systems Darcs and Arch show a better way. Read-only access requires only some read-only files published over HTTP. Since most projects already have a web site, this means there is no increase in the network services that need to be offered.
Once those files are downloaded, the anonymous user can get updates, make their own patches, branch -- all the facilities allowed by anonsvn/anoncvs and more.
Well, it's a damn good thing the *major users* are already safe. I can rest easy tonight knowing that just because I am a "Linux and BSD distro, Samba, etc." user, I am safe.
Sorry, my sarcasm bit must be stuck.
"non-biased view" on /.? What galaxy do you hail from? Do you get reruns of Green Acres on your home planet/habitat? Is Arnold Ziffel a God there?
Er, how is your proposal different from seteuid? A tiny setuid root wrapper gets authentication information, checks it with PAM, and then forks & seteuid to that user.
I read this article. From the headline, one could have thought:
Hehe, these stupid semi-smart "geeks", complaining all the time about these insecure Microsoft products. And now? They got these nice security holes themselves!
But, you know what? I RTFA. And I read this particular line:
Apparently, major users of these products have been notified and have patched their systems.
I mean, is that cool or what? The message that the system is insecure arrives at the same time as the patch. And you don't have to be a major user (translated: MCSE) to get the patch.
This is just one reason I trust my sources to CVS.
beer as in "free beer"
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Any ideas?
The obvious suggestion, of course, is to get it pre-compiled from Fink. They apparently are on an older 1.11 version, but I'd imagine they'll try to backport security fixes quickly... maybe.
The 2nd obvious suggestion is to point out that even regardless of this particular vulnerability, you should never run cvs :pserver on the internet. Instead run cvs :ext over ssh. That won't necessarily stop authorized users from escalating their privs (although for this exploit it does), but should totally protect you from "cold calling" attacks.
As for those specific error messages- I don't have a Mac with me here, but I've noticed before that the OS X setup of standard libraries is different from what BSD (and Linux and other Unix) normally use. They don't have the same library files much source code assumes it can find, so the Apple-provided compiler makes some secret substitutions to allow software to build. But that's guesswork, and it can sometimes guess wrong, producing inscrutable situations until you sit down with "nm" and "ld" to work out exactly what's happening. (Probably more trouble than it's worth)
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
It is possible that there's a vulnerability in the patch command, or in the equivalent in darcs or arch that accepts changes from contributors. Such a vulnerability might allow a malicious submitter to take over a developer's machine when they try to read or apply the change.
This is conceptually no different to a vulnerability in a mail client or HTML viewer or any other program that views files read over the network. Those things happen, but they're not generally seen as such a big problem as an attack on a network server, for two reasons: the attack is harder to carry out, and easier to trace.
I'm only likely to even think about applying a changeset from a credible source, whereas anoncvs by definition accepts requests from any IP. If they do attempt an attack then I have a record of where it was sent from, etc.
One fix is that change requests should be easy for a human to read without a special tool. Darcs does this, and Arch and Bitkeeper do not. It's probably pretty unlikely there could be an exploit that would look harmless when viewed by a human. In this case basically the only way Darcs is going to be invoked is when the input has already been vetted by a person.
Not sure, but I think one issue is that in the Win32 world things need to be binary comp., whereas in the OSS world, source comp. is enough.
If you have a vuln. in a Debian package, you do
apt-get update && apt-get -u install package
You'll see that (especially if it's a library) all kinds of other packages will automatically be upgraded
The same will not happen in the Win32-world.
New things are always on the horizon
11 May 2004: SourceForge discovered that the patch breaks compatibility with some pserver-protocol-violating versions of WinCVS/TortoiseCVS.
The secret of success is honesty and fair dealing. If you can fake those, you've got it made. (Marx)
Subversion is not pudgy! It's just... buxom! And anyway, it's in much better shape than that flabby Aegis thing. So there.
Whence? Hence. Whither? Thither.
The issue affects cvs +pserver. It's listed with references at Mitre.
The interior nodes are also contributors, so the tree can actually contain 2^0 + 2^1 + 2^2 + ... + 2^7 = 2^8 - 1 = 255 contributors with 7 levels. Still nowhere near millions, but the "tree" used in e.g. the Linux kernel has much higher fanout than 2 (at least near/at the top), so you end up with many more nodes.
When people here speak of a "database" they really mean a "database system".
Technically, you're correct, though. But I would contend that the definition of "database" is so wide as to make it completely worthless to refer to a "database" and not a "database system" in any technical context -- which is why people use "database" as shorthand for referring to a database system.
HAND.
I don't. Why did you think I did?
Because the bug affects only the pserver.
Quoting from the OpenBSD Errata page, this problem was remedied from May 5, 2004.
...up on CougaarForge.
Just the source and the i386 binary RPMs, but perhaps they'll be useful to someone...
The Army reading list
You just made a double-fault.
Patently False
source: CVS-RCS-HOWTO
It's NOT! It's something else.
irony misuse
SCO wants their name changed to Sourceforgery.
That won't do much good because SCO will too easily become confused with alternative labels such as SoreForce or SoreFarce.
"Provided by the management for your protection."
Place your bets: How long will it take for Darl McBride to issue a press statement saying that this flaw proves that IBM have been able to covertly insert SCO Unix code into the Linux kernel?
How many programmers does it take to change a LED?
None. It's a hardware problem.
How many engineers does it take to change a LED?
5. One to find the manual, and 4 to try to follow the instructions.
How many people does it take to change a LED?
One, but he has to remember how. After all, it was so long ago...
Sure I'm paranoid, but am I paranoid enough?
I have worked on commercial software for three different commercial companies, including a very large one (three letters, starts with S), and also on a "smaller" open-source project (fltk).
Even this small open source project gets me far more "code review" than anything at any commercial place. Nobody looks at commercial code, they do not have the time. EVERY single fix and improvement is suggested, located, and coded by me. All I get are bug reports, almost all of those are "I ran it for 3 hours, I forget what I did, and it crashed!"
In fltk, certainly there are bugs reported, and just like the commercial stuff the same bug is reported dozens of times, by people too lazy to even check if the bug is already in the database. But I also get many patches where people actually found out about the bugs. The number of patches I have received for the commercial software (where many of the users have access to the source code)? ZERO!
The other comment about accepting blocks of unknown code is bogus. The submitted patches are all about 1 line long and I can easily tell if they really fix the problem. Same is true for the commercial software, incidentally. Any contributed code is always read over and analyzed.
I can categorically state that my OSS software is higher quality than my commercial software. Now I spend about 10x or more time on the commercial software, and it is probably 20-30x more complicated than the OSS stuff. Therefore it is more valuable, but that does not mean it is better.
Unfortunately the real difference I am talking about is the difference between commercial development and a hobby. Unfortunately for your argument, it is obvious to me that "hobby" software is much higher quality than commercial. The difference is in the motivation of the authors, and the fact that they know their work is visible to the world.
It's already in portage and marked stable. Should get you going.
Corporate Gadfly
Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
Very interesting moderation... Someone posts a comment and gets moderated as Score:-1, Troll (50% Troll, 50% Offtopic) because some joker said he's a troll, pointing to his posting history as proof (which I checked out and saw only one post moderated down, a Score:0, Redundant post), and then some guy says that in fact the original "Score:-1, Troll" has a point, for which he gets moderated as Score:4, Interesting (50% Interesting, 50% Insightful) while the original post is still -1, Troll... Meta-moderation, here I come!
How exactly is parent Troll and Offtopic? In my opinion it's way Underrated. I'm not the only one. For example, boots@work (17305) also thinks that parent has a point. It's obviously not off topic and parent is not a troll (check out his posting history). It might be Flamebait, but is IMHO also very Insightful.
... and of the other thoughtful replies on the thread. This goes to help prove a point I've tried to make several times, but being a non-coder I am at a loss how to present it without sounding overly churlish. The point is, software is usually presented with no warranty. The argument is that it can't be done. I have always thought it could be done, that very good code could be released, but it wasn't, for the various reasons outlined in this thread, all of which CAN be addressed, but for the most part, are not.
I guess my point is, as a company/developer/project takes on quality and auditing as job 1, rather than just rushing it out the door when it's "good enough", their market star will shine, because they have so little *true* competition then.
I hope it happens.