Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Holes in CVS and Subversion Found

Posted by simoniker on from the nee-naw dept.

joe_bruin writes "News.com.com is reporting a two separate vulnerabilities that affect current versions of CVS and Subversion source control systems. Apparently, major users of these products (Linux and BSD distros, Samba, etc.) have been notified and have patched their systems." Update: 05/20 02:01 GMT by S : Clarification that there are separate issues for both CVS and Subversion.

32 of 250 comments (clear)

  1. Just goes to show... by georgewilliamherbert · · Score: 2, Insightful
    No amount of code review, open source or proprietary, can guarantee that there isn't some lurking bug in the application. We have probably not yet found all the ways there can be security holes, much less all the actual holes in any given thing.

    Developers and admins have to keep security aware constantly, which is one of the hardest problems in real production environments.

    1. Re:Just goes to show... by cduffy · · Score: 4, Insightful

      AFAIK is the only language that automatically does bounds checking

      Not by a long shot.

      Python, most Scheme implementations, Haskel, ADA, and many, many languages provide similar safety features.

      As you say, though, pity they're not more often used.

    2. Re:Just goes to show... by The+Bungi · · Score: 5, Insightful

      I'll post something along these lines in the next Microsoft vulnerability article and we'll see if I get modded +5 with alacrity.

    3. Re:Just goes to show... by Minna+Kirai · · Score: 3, Insightful

      In the current climate, it is just plain foolish to use a language without bounds checking in a security critical capacity.

      Ironically, CVS was originally a Perl program until a C version was needed to make it real software.

    4. Re:Just goes to show... by bladernr · · Score: 4, Insightful
      No amount of code review, open source or proprietary, can guarantee that there isn't some lurking bug in the application.

      I've been thinking through the dynamics of OSS. For a moment, let's forget Linux, Apache, FreeBSD and the four or five other "big guys" out there (the reason: they seem to be managed much like commercial software, in a hierarchial, closed-group fashion, just without the keeping the code a secret part).

      For the vast majority of little OSS that is in so many systems, large and small, is there really any empirical proof that OSS is more secure than proprietary software? I've been wondering if it isn't possible that its even less secure.

      The reason is the dynamics of programmer laziness (and I'm a programmer myself.... I know all about it). Combing through code looking for buffer overflows is tedious and repetative. How many programmers really do it all the time, every time?

      I also understand the "millions of eyeballs" argument, but doesn't that really apply again to the "big guys." Does anyone really believe that literally millions of people have done detailed reviews of the myriad small programs and libraries present on a typical open source operating system?

      I don't know, perhaps I'm wrong, but I'm wondering if there may not be a group-think problem here. I don't look at those tools, because everyone else is, and I'm lazy. I may poke through kernel source because it interests me, but TinyXML source does not. In a commercial environment, I make developers do it, but, except on the few big OSSes that are run basically like commerical operations, how are we really sure it is more, and not less, secure?

      --
      Sarcasm and hyperbole are the final refuges for weak minds
    5. Re:Just goes to show... by harikiri · · Score: 2, Insightful
      Aren't most of the scripting languages (perl, python, ruby, tcl) secure against standard buffer overflow attacks?

      Considering the speed improvements in both the interpreters for these languages, and general processors, I'm suprised more network services (smtp, web, ftp) aren't being written either entirely in these languages, or with a mixture of scripting and native C modules for the areas that need better performance.

      There's a few examples that I've seen out there that already do this, like Zope and Aolserver (i think). Of course, this approach may only eliminate one type of vulnerability, and still leaves other things like these that appeared for Zope at the beginning of the year.

      --
      Man watching 6 MSCE's around a sun box, looks alot like the opening scene's of 2001:space odyssey...
    6. Re:Just goes to show... by bluGill · · Score: 5, Insightful

      In every commercial software house I've been in the source has been available for my review, but I wasn't given time to do it, nor was anyone else. In fact while I was allowed to read other's code, I was rarely allowed to change it, and I wasn't encouraged to suggest changes.

      In open source I've read a lot of code, not just for fun, but because I'm not limited in the code I can change so I tend to change code in larger parts. That means I have to understand larger parts.

      Now I'm not smart enough to have found a security flaw (yet?), but I have at least read it. Despite working 40 hours programing for years, I've found more opportunity to read other code in the open source movement. I've read some kernel code (didn't understand it), and a lot of KDE code (resulted in a few patches). I've also read code for a few other systems, but didn't get around to doing anything.

    7. Re:Just goes to show... by Zancarius · · Score: 5, Insightful

      In a commercial environment, I make developers do it, but, except on the few big OSSes that are run basically like commerical operations, how are we really sure it is more, and not less, secure?

      While you may be correct -- Open Source may very well be riddled with just as many bugs -- the argument shouldn't be focused on which is more secure but rather on which is more fixable. Open Source is rendered a benefit that closed source lacks: the ability to fix the source yourself. Compare the security flaws released in the last six months on sites like CERT--generally, Open Source outfits release patches much sooner than commercial counterparts. Sure, this doesn't always hold true, but Open Source grants yet another benefit: Users of Open Source are, IMO, more aware of the implications and importance of security and are thus more proactive when an exploit is discovered.

      And, again, I can't stress the "fix it yourself" argument enough!

      --
      He who has no .plan has small finger. ~ Confucius on UNIX
    8. Re:Just goes to show... by darnok · · Score: 3, Insightful

      I think you raise a really good point - hope you don't get modded down and people miss it...

      I think a sizeable number of people read through source code as a way of educating themselves. OSS code is (as you point out, rightly or wrongly) seen as a source of very well-written code, and if I was going to teach myself something from someone else's source code, I'd be inclined to use OSS code as a starting point.

      As these people educating themselves start to learn about what e.g. a buffer overflow is, what it looks like and how to avoid it, they'll think back to the OSS code they've read through and either mentally congratulate the author or possibly notify him/her to say their code has a security hole in it. I'm not sure: OSS code may even be used as a teaching tool in universities, in which case there will be lots of reviewers.

      This reviewing-as-you're-learning approach would probably only apply to big OSS projects such as Apache or the Linux kernel I can't imagine a lot of people are suddenly going to start teaching themselves about buffer overflows using e.g. the Ethereal source. However, it's projects such as Apache and Linux that would be most at risk from buffer overflows; a buffer overflow in Ethereal, while it may be important, isn't likely to lead to lots of exploits in the real world.

      Good point though - I'll be interested in what other replies you get

    9. Re:Just goes to show... by boots@work · · Score: 3, Insightful

      Systems which are more fixable, or more quickly fixed (which is slightly different) present a real-world advantage.

      Discovery of a vulnerability in say CVS or IIS does not mean every installation in the world will be compromised immediately. It means that the clock starts ticking. If a fix is released and applied more quickly, then there is less risk that any given machine will be compromised. Look at Schneier's "exposure envelope" model.

      Historically open source has done reasonably well, though not perfectly, at releasing fixes very soon after vulnerabilities become known to the author. Open source projects tend to also be more responsive to reports, which encourages security reporters to do the right thing and report to the authors, knowing that they will get a quick response and proper credit.

      There are many reports of proprietary companies sitting on vulnerabilities for more than a year. I have seen Microsoft sit on one for a couple of months. That is an enormous exposure. Being able to fix it yourself may be cold comfort but it's better than having your machines rooted.

    10. Re:Just goes to show... by boots@work · · Score: 2, Insightful

      More on this:

      Why would companies react slowly? They ought to have all the capabilities of free projects, plus money. How is it possible that they perform worse?

      I don't know, but I have some theories:

      - Companies tend to grow bureaucracy, which prevents fast action. Open source developers can just commit the change and be done.

      - Companies don't like to admit they had mistakes.

      - Vulnerability reports in open source are more likely to point out where the problem is, which makes it easier to fix.

      - Open source projects can draw on a lot of highly-qualified resources in the community for advice.

    11. Re:Just goes to show... by JamieF · · Score: 2, Insightful

      >Why more programs aren't written in it is beyond me.

      Lots and lots of programs are written in Java. The OSS community hasn't embraced Java, though, because it's not open-source.

      Java also doesn't satisfy the "Lookie I can run stuff on my 486!" fetish quite as well as C does.

      Based on what I've read about Perl 6 and Mono, I would say that Sun has a limited amount of time to open-source Java before the window of adoption closes as far as the open-source crowd is concerned. Obviously the tools and infrastructure stuff will have to catch up (since Java development tools and app servers etc. are generally fantastic) but I doubt that Java could last forever as an open-source product if IBM or someone of their stature started to support one of those other languages.

      (Yes, I know Mono is not a language.)

  2. open source databases?? by Anonymous Coward · · Score: 4, Insightful

    Flaws drill holes in open-source databases

    Geez, this is why open source needs a frickin' PR department. These flaws DRILL HOLES!!! Into Open source DATABASES!! OMGLOLWTF??!111

    CVS and its pudgy cousin Subversion are not databases. They may use the *concept* of a database *internally*, but then again so do iTunes and Emacs and probably a bunch of other programs.

    Does CNET not understand the concept of a version control system? Hint: only people who know what they are use them in the first place.

    Regardless, I only use these things via SSH, and have never recommended running CVS with pserver or Subversion via Apache or its server, except on a well-firewalled LAN. I think that's the common practice anyway.

    Pretty good rule of thumb: if you can run the service over an SSH tunnel, DO IT! Don't assume Yet Another Server Daemon is secure. Then you just have to keep an eye out for SSH exploits (which you should be doing anyway since SSH bugs are more serious than bugs in TEH OPEN-SORCE DATABASS anyway!).

    1. Re:open source databases?? by damiam · · Score: 4, Insightful

      Evolution also uses Berkley DB as a back-end store. Slashcode uses MySQL. That doesn't make them databases. They are an email client and a CMS, respectively. CVs and SVN are both version control systems, not databases, whether or not the use databases on the back end.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    2. Re:open source databases?? by shird · · Score: 2, Insightful

      "CVS repository."

      repository
      1. See data dictionary.
      2. The core of a CASE tool, typically a DBMS where all development documents are stored.

      Shit, seems like calling it a '..source database' isn't too far off the mark for a news outlet. Better than 'the fabric of the internet' or something gay.

      give these guys a break.

      --
      I.O.U One Sig.
    3. Re:open source databases?? by Anonymous Coward · · Score: 1, Insightful

      If, say, my boss hits that and reads "drills holes in open-source databases" the first thing that will pop into his head is: "oh shit, our open-source MySQL server has been hacked! Get this open source crap off our systems ASAP and go back to the warm happy comfort of SQL server!"

      I guess they could've said "open-source *source database*" but that would be confusing. Maybe they should just say "popular source-code distribution servers" instead of mentioning open source or databases at all!!

      These are the same outfits who also call Windows viruses "computer viruses" which means I again have to explain to my boss what they /really/ mean.

  3. Re:Second Level security? by jonastullus · · Score: 4, Insightful

    because the whole idea of the "bazaar model" is to allow anyone to contribute. if your restrictions on who is allowed to do what are too stringent, interest on the part of possible developers dwindles and you'll have to all the work by yourself *g*.

    apart from that, many high-profile OSS project use such an approach that only senior developers (i.e. those who have proven themselves reliable in the past) are allowed write access to the repositories. the most obvious case being the linux kernel itself, where most (if not all) patches go through the top level maintainers.

    but instead of just restricting write access (which as i pointed out above can be a hinderance to OSS projects) you can introduce a slashdot-karma-like moderation that ensures that any added code was reviewed by another developer before it is "submitted" into the real repository.

    anyway, by what criterium would you give out privileges to single users and restricted file sets?
    managing huge OSS project is an unbelievably complex task and so far, most of the projects have proven to be pretty responsive towards security issues. but successful intrusions at debian, gnu, etc have shown that one definite draw-back of a completely open community is the risk of shipping planted, evil code!

    well, time for my daily code-review ;-)

  4. pserver only by cperciva · · Score: 5, Insightful

    Note that this problem only exists in pserver code. Anyone using pserver on critical systems needs to reassess their security anyway.

    --
    Tarsnap: Online backups for the truly paranoid
    1. Re:pserver only by arkanes · · Score: 2, Insightful

      You mean like sourceforge? Anonymous CVS access is a pretty import thing to alot of projects.

    2. Re:pserver only by Anonymous Coward · · Score: 1, Insightful

      Don't run the pserver on the machine with the writable repository. It's like keeping some primary database on the same machine as your public web server, one just shouldn't take that risk.

    3. Re:pserver only by kryptkpr · · Score: 2, Insightful

      I'm quite happy with saying that SourceForge should reassess their security.

      Do you actually run projects at SourceForge? You have to use a ssh tunnel to be able to write to any project repository.

      --
      DJ kRYPT's Free MP3s!
  5. Re:If CVS was implemented in Java... by jonastullus · · Score: 3, Insightful

    how about: java is not Free

    while all these buffer overflows, etc are more than a nuissance in C/C++, many of the bugs stem from a misunderstanding on the part of the programmer (i.e. use of deprecated functions, ...). of course, this does not make it any better and in my opinion manual memory allocation is the GREATEST possible waste of a programmer's time (sensible exceptions excluded ;-).

    languages featuring garbage collection, length encoded strings, array bound checks, etc are hopefully the future, but at the moment (not least due to the lack of a free java compiler/interpreter/RE) many libraries and toolkits are still written for C/C++ and thus are also mostly used from these two languages.

  6. Re:If CVS was implemented in Java... by jonastullus · · Score: 3, Insightful

    java is not slow, it has a high overhead on startup!

    it is just that the loading of the runtime engine, garbage collector, on-the-fly-compiling by the interpreter, etc produce a high overhead at startup. thus small, short programs seem to run slow, whereas in big applications the speed penalty is marginal!

  7. Re:If CVS was implemented in Java... by Anonymous Coward · · Score: 1, Insightful

    If you knew what you were talking about AT ALL, you would not go around spouting off about a lack of free Java implementations.

    Kaffe?
    JikesRVM?
    SableVM?
    GNU Classpath?

  8. Re:Second Level security? by Minna+Kirai · · Score: 4, Insightful

    It seems that you are writing entirely from your imagination. Either you don't know how real OSS projects work, or you misread the parent post to think it suggested a drastic change to development methods.

    because the whole idea of the "bazaar model" is to allow anyone to contribute

    Almost no Open Source developer allows relative strangers write-access to a CVS repository. In reality, "bazaar" development allows anyone to create changes, but it's still up to the original author (or her trusted friends, or a declared maintainer) to actually add them to the codebase. (If they refuse, then somebody can decide to fork a new project containing the desired change)

    Observe how Linux works: millions of people can create changes, which they can send to one of 20 people for possible inclusion. If approved, then the patch is sent onward to the single person maintaining that kernel release (Linus, Marcello, or someone like that).

    That's why it has been broadly noted that CVS is sub-optimal for managing large Free/Open projects. The one master server is too much of a bottleneck/vulnerability. Competitors like BitKeeper have arisen to try making the management of source code as distributed as writing it.

    (Amusingly, BitKeeper supports OSS style development but is not itself open source)

  9. Re:Second Level security? by Minna+Kirai · · Score: 4, Insightful

    Seriously, your solution to the problem makes the source closed to the world and only open to input from 'trusted' people. Managing the list of trusted people would be a huge job on a large project where a million code monkeys are contributing.

    Oh my! Here's another poster with no idea how OSS actually works.

    Guess what: there really IS a small list of trusted people, and somebody works manage which of the million possible helpers deserves to

    Handling "millions" is actually a simple problem for a computer programmer. Any good coder is familiar with binary tree division, which allows you to handle lists of any size with just a few (max ~7) layers of hierarchal control.

    If you want to restrict contributions to people you really trust then don't put your CVS repository on a public server.

    Try this: go over to sourceforge.net, pick a random project, and add a file into the CVS tree. Good luck, you'll need it. The only way you can contribute is to convince a live human project-member that your code is worthwhile.

  10. Re:Another security flaw found by thebatlab · · Score: 4, Insightful

    "and we do not know how many undetected bugs are in commercial software."

    Nor do we know how many undetected bugs there are in open-source software. I guess that's why they are...undetected ;)

  11. Re:Second Level security? by Gilk180 · · Score: 2, Insightful

    The most obvious reason for subversion repos is that subversion uses a small number of berkeley db files for the entire repository, so filesystem level controls may apply to the entire repository, but not individual files.

    With cvs, this is possible if the filesystem uses acl's. If not, there are only the standard user, group and other categories, so there are only 3 possible access levels. Additionally, when a new file is created, the admin will have to set the permissions on these.

    I believe it would be nice to build this into the control system so that a user could specify the privileges for each added file, but that would probably require the system itself to be suid to either root or some repository-specific user, which would make exploits possibly more dangerous.

  12. Re:distro updates? by MobyTurbo · · Score: 2, Insightful

    Slackware has released a security update.

  13. Re:An argument for distributed version control by Anonymous Coward · · Score: 1, Insightful
    they require an active server that talks a complex protocol to an unauthenticated client

    what, kind of like HTTP?

    who the hell moderated this up? Distribution makes untrusted input problems worse since components of your 'server' can no longer even trust each other. At least with a central server you only have to validate the input once.

    Anon Coward
  14. Re:Sourceforge... by Chainsaw · · Score: 4, Insightful

    Actually, you can make a separate tree for the lock files. Not that hard, just check out the administrative CVSROOT directory and examine the config file (if I remember correctly). It's there in someone of the files.

    --
    War is one of the most horrible things a human can be exposed to. And one of the worlds largest industries.
  15. Source Compatibility vs. Binary Compatibility by Lennie · · Score: 2, Insightful

    Not sure, but I think one issue is, in the Win32 world things need to be binary comp. where as in the OSS world, source comp. is enough.

    If you have a vuln. in a Debian package, you do

    apt-get update && apt-get -u install package

    You'll see that (especially if it's a library) all kinds of other packages will automatically be upgraded

    The same will not happen in the Win32-world.

    --
    New things are always on the horizon