Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Holes in CVS and Subversion Found

Posted by simoniker on from the nee-naw dept.

joe_bruin writes "News.com.com is reporting a two separate vulnerabilities that affect current versions of CVS and Subversion source control systems. Apparently, major users of these products (Linux and BSD distros, Samba, etc.) have been notified and have patched their systems." Update: 05/20 02:01 GMT by S : Clarification that there are separate issues for both CVS and Subversion.

20 of 250 comments (clear)

  1. Who ever said only closed source was vunrable? by Marxist+Hacker+42 · · Score: 2, Informative

    Man- I used CVS in a project just last year. Sure hope Olivetree has patched their server.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  2. Good news for Samba... by NEOtaku17 · · Score: 2, Informative

    "The Samba Project, which maintains file server software that integrates with Microsoft Windows networks, uses Subversion. However, the project's developers were warned about the security issue before it was made public, Esser noted."

    - By Robert Lemos Staff Writer, CNET News.com

    --
    Creative Demolition
  3. Aren't all "First Post" posts Offtopic? by Anonymous Coward · · Score: 0, Informative

    From the FAQ:

    ""First Post" comments are one of those odd little memetic hiccups that come out of nowhere and run amok. Basically, people with altogether far too much spare time sit and reload Slashdot, hoping that they will get the "First Post" in a discussion. This is one of those things that the moderation system was designed to clean up, and for the most part, it works. "First Post" comments usually get moderated down as off-topic almost instantly."

  4. Re:Second Level security? by Delirium+21 · · Score: 5, Informative

    Why don't highly important OSS projects use second level protection, like only allowing X user to modify files N Y P at a file system level?

    The reason is simple. If a program is to allow any users (say, only those who are authorized to modify certain files), the program itself must have adequate permissions to modify those files. If they are system files, the program must be suid root.

    Heap and buffer overflow attacks--like the sort discovered in CVS--allow unprivileged users to execute arbitrary code with the permissions of the program. Since the program itself has been hijacked, it bypasses exactly the sort of second-level protection you suggest.

    Sandboxing techniques aim to counteract this by running the program in a "protected" environment, thus externalizing these kinds of checks you suggest. However, much research has shown that sandboxes themselves can be vulnerable, incomplete (think race conditions), and so on.

    Security is a hard problem, and even common attack techniques are, from an algorithmic perspective, highly subtle. Simple answers often do not work.
    --

    Friends come and go, but enemies accumulate.
  5. Re:open source databases?? by bruthasj · · Score: 2, Informative

    CVS and its pudgy cousin Subversion are not databases.

    CVS uses RCS as a back-end store. Subversion uses Berkley DB as a back-end store.

  6. Re:Just goes to show... by borgdows · · Score: 1, Informative

    hell..even C#

  7. Re:Is it the same flaw? by breser · · Score: 4, Informative
    No whoever submitted the article to Slashdot was confused. If you read the news.com article carefully it is clear that they're separate issues.

    But just to make things clearer here are the links to the advisories:
    Subversion
    CVS

    I also put up a more clear description of the Subversion problem up on subversion site.

  8. Re:open source databases?? by shird · · Score: 2, Informative

    that should have read:

    repository
    1. /database/ See data dictionary.
    2. /programming/ The core of a CASE tool, typically a DBMS where all development documents are stored.

    --
    I.O.U One Sig.
  9. Re:open source databases?? by Minna+Kirai · · Score: 2, Informative

    CVS uses RCS as a back-end store.

    Hasn't been true for a long time. Now CVS reads/writes directly, with no RCS process active. But even if that were still the case, saying "CVS is a database" is like "airplanes are wings".

  10. Re:Heap overflow? by boots@work · · Score: 5, Informative
    It's where a variable on the heap gets overwritten:
    char *a = malloc(4), *b = malloc(4);
    strcpy(a, "hello to all my fans in domestic surveillance");
    /* kablooey */
    The strcpy writes past the end of the allocated buffer. Several things might happen: first, and the best possible outcome is that it writes to an unmapped page and you die immediately with segv. Or it writes over a malloc control structure and a later call to malloc() or free() causes an indirect crash. (Sometimes called a "heap scribble".) Or it might write over some other heap variable, like b in this example.

    Which one happens depends on the libc and the allocation pattern, but for any app on any particular system it may be predictable.

    The one that is easiest to exploit is writing over another variable, like b. This gives the attack a way to write into a variable they weren't meant to access, which leads in short order to the computer being stretched wide open.
  11. An argument for distributed version control by boots@work · · Score: 3, Informative

    These vulnerabilities are a consequence of an architectural security flaw in both CVS and Subversion: they require an active server that talks a complex protocol to an unauthenticated client.

    Whenever you allow an untrusted client to control code running on your server, there is a risk of a compromise.

    The distributed version control systems Darcs and Arch show a better way. Read-only access requires only some read-only files published over HTTP. Since most projects already have a web site, this means there is no increase in the network services that need to be offered.

    Once those files are downloaded, the anonymous user can get updates, make their own patches, branch -- all the facilities allowed by anonsvn/anoncvs and more.

  12. Re:open source databases?? by Dahan · · Score: 3, Informative
    You can't provide anonymous cvs ... access through ssh.

    Demonstrably false.

  13. Re:What Do I Do? by endx7 · · Score: 3, Informative

    Just update CVS from FreeBSD whenever they apply the fix. If FreeBSD haven't made a new release yet, then you might want to turn off public access until it's fixed.

    The issue has been announced via the normal announcement channels for FreeBSD and an advisory which explains what to is available. I actually got the FreeBSD advisory before I heard about it on slashdot.

  14. good thing only major users are safe... by Frennzy · · Score: 3, Informative
    Quote:

    Apparently, major users of these products (Linux and BSD distros, Samba, etc.)


    Well, it's a damn good thing the *major users* are already safe. I can rest easy tonight knowing that just because I am a "Linux and BSD distro, Samba, etc.) user that I am safe.

    Sorry, my sarcasm bit must be stuck.
  15. Re:Just goes to show... by Anthony+Boyd · · Score: 2, Informative
    I also understand the "millions of eyeballs" argument, but doesn't that really apply again to the "big guys." Does anyone really believe that literally millions of people have done detailed reviews of the myriad small programs and libraries present on a typical open source operating system?

    I have two software products, very small, that I've put out into the wild. I licensed them under BSD, so it's open source. My program PHPortfolio had a weakness in version 1.0. It only worked if installed at the top-level of a Web server. The first few people who installed my software coded up patches for themselves, and sent bug reports to me. In a later version, the thumbnailing feature was poorly done, and someone "donated" a few lines of code to improve it. So yes, the "eyeballs" argument seems to work even for small projects. Although they didn't give me their patches in every case (which is OK by the BSD license), they did give me bug reports.

    I also have a program called phpBB Blog which, if you look in my forums, has a 1.0 beta out. A handful of people have downloaded it, but I've had no bug reports & no patches so far. In this case, it looks like the extra eyeballs (and there are a few) are not doing me much good. Or else the code is solid, which I doubt. :)

    In any case, I think the open source model does work on a small level for small projects and it works on a big level for big projects. I suspect the only place it would fall apart is trying to tackle a big project with only a small base of support/fans. Having only a very few eyeballs scanning over a huge codebase doesn't sound like it can ensure high quality in the majority of such cases. That might need some cathedral-style development.

    --
    My Greasemonkey scripts for Digg &
  16. Re:Second Level security? by mec · · Score: 2, Informative

    That's right. In November 2003, there was an unsuccessful Trojan-CVS attack on the Linux kernel.

    Linux kernel development process thwarts subversion attempt

    The attack failed because, basically, the CVS repositories for the linux kernel are not the real source trees -- they are just mirrors of people's bitkeeper trees.

    And here is a Trojan FTP attack. Of course CVS and FTP are different protocols, but the idea is similar -- inject malware into the OSS development stream.

  17. Neither of the bugs were bounds-checking related.. by Ayanami+Rei · · Score: 2, Informative
    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  18. Re:Heap overflow? by kasperd · · Score: 2, Informative

    I'm familiar with stack overflows.

    Maybe you are thinking about stack based buffer overflows. Stack based buffer overflows are often easy to exploit, and I think more than 50% of the worms on the internet use such exploits. It just means that you can overflow a buffer, which is allocated on the stack. When such an overflow happens, the return address is usually just a few bytes away, so you can change the return address to point into the buffer you just filled with code.

    A stack overflow OTOH rarely happens, unless you trigger an infinite recursion in the code. Normally a stack overflow will just result in a DoS attack, because the OS will kill any process that overflows its stack. There should always be an unmapped page between the stack and any other mapping, such that overflows can be catched. (Could you overflow a kernel stack it would be an entirely different matter)

    A heap overflow just means you overflow a buffer allocated from the heap. Any return address is far away, so they are not as trivial to exploit. But you can corrupt memory management data structures, which you might be able to use to have the memory management system return allocations overlapping with other important areas, which you might then be able to get overwritten. It can get very complicated. Take a look on Vudo - An object superstitiously believed to embody magical powers (Smashing The Heap For Fun And Profit)

    --

    Do you care about the security of your wireless mouse?
  19. Re:FC2 by IamTheRealMike · · Score: 2, Informative
    When exec-shield randomization is enabled, the DSO load addresses are scrambled. What that means is that while you can run arbitrary code, it's not really possible to make any library calls. Have you ever written non-trivial code without the presence of libc? I have, it's not much fun. You have to do everything using direct syscalls into the kernel, which is tricky and limited.

    So in short while exec-shield in this case won't prevent the overflow (as it can with ASCII stack based overflows), it does make it harder to do things when you've infiltrated the system.

  20. FALSE! You little history revisionist you. by Anonymous Coward · · Score: 5, Informative

    You just made a double-fault.

    ... was originally a Perl program ...

    Patently False

    HISTORY of CVS:

    [...]

    CVS algorithms actually started in Universities several decades ago and CVS implementation started out as a bunch of shell scripts written by Dick Grune, who posted it to the newsgroup comp.sources.unix in the volume 6 release of December, 1986. While no actual code from these shell scripts is present in the current version of CVS much of the CVS conflict resolution algorithms come from them. In April, 1989, Brian Berliner designed and coded CVS. Jeff Polk later helped Brian with the design of the CVS module and vendor branch support.

    [...]

    source: CVS-RCS-HOWTO

    Ironically, CVS was originally a Perl program until a C version was needed to make it real software.
    It's NOT! It's something else. irony misuse