Security Holes in CVS and Subversion Found
joe_bruin writes "News.com.com is reporting two separate vulnerabilities that affect current versions of the CVS and Subversion source control systems. Apparently, major users of these products (Linux and BSD distros, Samba, etc.) have been notified and have patched their systems." Update: 05/20 02:01 GMT by S : Clarification that there are separate issues for both CVS and Subversion.
OMG I LOVE CHEESE!
That's teh suxor!!!
Good thing only windbloze is vunerable...oh waiot doh!!!!! SUPAR DOH!!!!!!1111one
No comments? Unbelievable.
Flames Suck
...had better get proactive :)
/. to help out its fellow OSDN member*
God knows it took them ages to get their CVS server problems resolved a few years back.
*points
Homonyms are fun!
You're driving your car, but they're riding their bikes there.
Man- I used CVS in a project just last year. Sure hope Olivetree has patched their server.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
If you compromise it, it's so broken you can't even use it to control source.
Developers and admins have to keep security aware constantly, which is one of the hardest problems in real production environments.
open source insecure?
BLASPHEMY, how dare you post this on slashdot?
Why don't highly important OSS projects use second level protection, like only allowing X user to modify files N Y P at a file system level? If such measures were taken, the worst that could happen is a DOS attack.
This also helps to sell managed code for mission critical systems.
Great, I'll grab it just as soon as the source for the patch goes into CVS! Oh wait...
Flaws drill holes in open-source databases
Geez, this is why open source needs a frickin' PR department. These flaws DRILL HOLES!!! Into Open source DATABASES!! OMGLOLWTF??!111
CVS and its pudgy cousin Subversion are not databases. They may use the *concept* of a database *internally*, but then again so do iTunes and Emacs and probably a bunch of other programs.
Does CNET not understand the concept of a version control system? Hint: only people who know what they are use them in the first place.
Regardless, I only use these things via SSH, and have never recommended running CVS with pserver or Subversion via Apache or its server, except on a well-firewalled LAN. I think that's the common practice anyway.
Pretty good rule of thumb: if you can run the service over an SSH tunnel, DO IT! Don't assume Yet Another Server Daemon is secure. Then you just have to keep an eye out for SSH exploits (which you should be doing anyway since SSH bugs are more serious than bugs in TEH OPEN-SORCE DATABASS anyway!).
"The Samba Project, which maintains file server software that integrates with Microsoft Windows networks, uses Subversion. However, the project's developers were warned about the security issue before it was made public, Esser noted."
- By Robert Lemos Staff Writer, CNET News.com
Creative Demolition
hopefully no evil hax0rs use this to steal the source code of linux! ( I know it isn't in a cvs but it has a cvs gateway )
superman runs linux
From the FAQ:
""First Post" comments are one of those odd little memetic hiccups that come out of nowhere and run amok. Basically, people with altogether far too much spare time sit and reload Slashdot, hoping that they will get the "First Post" in a discussion. This is one of those things that the moderation system was designed to clean up, and for the most part, it works. "First Post" comments usually get moderated down as off-topic almost instantly."
Hmm, so does this mean that we need to go looking for backdoors in every piece of code out there that uses a publicly visible CVS tree? Better get started!
As mentioned in a previous comment, perhaps there DOES need to be some kind of PR department for open source.
Perhaps a group of dedicated OSS developers needs to form some kind of committee to produce non-biased articles re: open source, and pass those on to the media.
Think about it - it could work, and if it was committee-based, unbiased views could be maintained.
Factual (rather than MS-funded/manufactured) data could be used to generate anti-FUD articles which, if advertised/promoted correctly, could reveal to the public some of Microsoft's baseless attacks in the name of profit, and could sway the masses' views of OSS in general.
Just goes to show how open source leads to insecure software and the commercial software model is better.
Oh wait.. that's not right...
Take 2
this just goes to show that with so many eyes viewing the software that bugs will be found and corrected, and we do not know how many undetected bugs are in commercial software.
... I just :-)
If CVS was implemented in Java it couldn't suffer from this kind of problem. Sure, there are still plenty of other bugs that can be coded up in Java, but not nearly the plethora of agonizing painful excruciating unfindable bugs you can subject yourself (and your users) to with applications written in C & C++ and other archaic languages.
I'm sure there are good reasons to program in C, C++, assembly language, FORTRAN, COBOL, BASIC, can't think of any offhand.
The GNAA, a popular Slashdot trolling group were today defeated in their attempt to make a Slashdot first post. Rumour has it that a previously unheard of group, the Society for the Appreciation of Cheese (SAC), secured the coveted first post spot, some seconds before a GNAA member was able to tear his eyes away from a poster-sized depiction of the Goatse man on his wall, and hit the reply button.
The demands of the SAC are currently unknown, but are sure to include Cheddar, Edam, Parmesan, and CowboyNeal's socks. An SAC inside source has also informed us that "Natalie Portman coated in cream cheese" may also be requested by the group.
****BROADCAST INTERRUPTED
SAC RECRUITMENT DRIVE: -
Bored of standard Slashdot trolling? Feel Slashdot needs more dairy related posts? Do you have a cheese fixation? Be alone no longer, join the SAC (Society for the Appreciation of Cheese). To join you must submit a cheese related first post to Slashdot.
Long live the revolution, have a gouda on us!
I'm confused. I thought SVN was a rewrite of CVS...? Is the flaw based on a common library or something? Puzzled.
Note that this problem only exists in pserver code. Anyone using pserver on critical systems needs to reassess their security anyway.
Tarsnap: Online backups for the truly paranoid
Is this the third hole in cvs in a very short amount of time?
This is sadly quite unsurprising considering the fact how many otherwise great programmers and source control systems gurus cannot post bugfixes to CVS and Subversion codebases thanks to Bitkeeper's EULA. I really hope Linus will change his mind and will finally start using CVS or Subversion like the rest of the GNU and Free Software community does. This is something much more important than refusing to call GNU system with its name because as we can clearly see on the example of this shameful incident it can easily lead to a catastrophe. Please let us not forget that the source control system is one of the most important parts of every programmer's O/Sen. Any exploit directly targeting the very centre of our productivity just cannot be tolerated. That is why we have to fix every errour we can find and boycott every single EULA which does not let us do it Freely. Some posts on the LKML seem to prove my point but in my opinion this is not enough. We have to stop talking and start acting as soon as possible. Otherwise nothing will ever change. We have to keep that in mind. Please let us remember this before it is too late.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Laugh, it's a joke.
that was fucking funny
yOU DumB ASS gET a FuCKInG cLUE (Score:0)
by Anonymous Coward on Wednesday May 19, @09:03PM (#9200710)
Wi-fI iS dAnGeROUS tO yOUR coMPUter AND oThER LIVing THIngs.
DON't yOU wAtCH dAteLine NBC? THey SAD wireLESS is SEcuRITy hAzzarD!!
BAn ALL wi-FI and all LuNix because ThAT iS tHE REAL souRce OF thE worMs!
I wonder how many viruses would be released that will take advantage of these security holes.
Is that a sign of how difficult the holes tend to be to exploit on *nix systems, or is it more due to Microsoft being popular?
I don't doubt that a virus could take advantage of a security hole in *nix systems, but isn't the execution/spreading by default going to be a lot harder?
just curious -- which distros have already released updates for these packages? i see debian released them promptly, but up2date on my redhat enterprise 3 does not yet show an update being available.
This isn't possible! Are we sure it isn't April 1st? I mean, we've been told time and time again that this kind of thing isn't possible because of so many people reviewing the code! This affects all versions of CVS released before May 19th? How is that possible? Hasn't anyone LOOKED at the code?
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
Okay, I'm familiar with stack overflows. What is a heap overflow?
According to the alerts below, Fedora Core 2 has these vulnerabilities, and furthermore, they can lead to arbitrary code execution:
FC2 CVS alert
FC2 Subversion alert
I can understand that a buffer overflow can cause a DoS (e.g. crashing a daemon), but how can it lead to arbitrary code execution with FC2's kernel-level stack protection? Is this just a cut and paste typo from alerts of older distros?
hurry
I run a CVS server on behalf of a client on a FreeBSD box. It is running in pserver mode, and is launched by cvsd, which is a chroot() jail for CVS.
It is not clear from the sensationalistic news story what an administrator should do, or whether my particular configuration is vulnerable. Could a more knowledgeable person please summarize the issues involved, or point to the original vulnerability report so I can evaluate my risk?
Thanks,
Schwab
Editor, A1-AAA AmeriCaptions
These vulnerabilities are a consequence of an architectural security flaw in both CVS and Subversion: they require an active server that talks a complex protocol to an unauthenticated client.
Whenever you allow an untrusted client to control code running on your server, there is a risk of a compromise.
The distributed version control systems Darcs and Arch show a better way. Read-only access requires only some read-only files published over HTTP. Since most projects already have a web site, this means there is no increase in the network services that need to be offered.
Once those files are downloaded, the anonymous user can get updates, make their own patches, branch -- all the facilities allowed by anonsvn/anoncvs and more.
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
Well, it's a damn good thing the *major users* are already safe. I can rest easy tonight knowing that just because I am a "Linux and BSD distro, Samba, etc." user that I am safe.
Sorry, my sarcasm bit must be stuck.
"non-biased view" on /.? What galaxy do you hail from? Do you get reruns of Green Acres on your home planet/habitat? Is Arnold Ziffel a God there?
Er, how is your proposal different from seteuid? A tiny setuid root wrapper gets authentication information, checks it with PAM, and then forks & seteuid to that user.
i read this article. from the headline, one could have thought:
hehe, these stupid semi-smart "geeks", complaining all the time about these insecure microsoft products. and now? they got these nice security holes themselves!
but, you know what? i rtfa. and i read this particular line:
Apparently, major users of these products have been notified and have patched their systems.
i mean, is that cool or what? the message that the system is insecure arrives at the same time as the patch. and you don't have to be a major user (translated: msce) to get the patch.
this is just one reason i trust my sources to cvs.
beer as in "free beer"
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
It is possible that there's a vulnerability in the patch command, or in the equivalent in darcs or arch that accepts changes from contributors. Such a vulnerability might allow a malicious submitter to take over a developer's machine when they try to read or apply the change.
This is conceptually no different to a vulnerability in a mail client or HTML viewer or any other program that views files read over the network. Those things happen, but they're not generally seen as such a big problem as an attack on a network server, for two reasons: the attack is harder to carry out, and easier to trace.
I'm only likely to even think about applying a changeset from a credible source, whereas anoncvs by definition accepts requests from any IP. If they do attempt an attack then I have a record of where it was sent from, etc.
One fix is that change requests should be easy for a human to read without a special tool. Darcs does this, and Arch and Bitkeeper do not. It's probably pretty unlikely there could be an exploit that would look harmless when viewed by a human. In this case basically the only way Darcs is going to be invoked is when the input has already been vetted by a person.
Not sure, but I think one issue is, in the Win32 world things need to be binary compatible, whereas in the OSS world, source compatible is enough.
If you have a vuln. in a Debian package, you do
apt-get update && apt-get -u install package
You'll see that (especially if it's a library) all kinds of other packages will automatically be upgraded
The same will not happen in the Win32-world.
New things are always on the horizon
11 May 2004: Sourceforge discovered that the patch breaks compatibility with some pserver-protocol-violating versions of WinCVS/TortoiseCVS.
The secret of success is honesty and fair dealing. If you can fake those, you've got it made. (Marx)
Subversion is not pudgy! It's just... buxom! And anyway, it's in much better shape than that flabby Aegis thing. So there.
Whence? Hence. Whither? Thither.
The issue affects cvs +pserver. It's listed with references at Mitre.
The interior nodes are also contributors, so the tree can actually contain 2^0 + 2^1 + 2^2 + ... + 2^7 = 2^8 - 1 = 255 contributors with 7 levels. Still nowhere near millions, but the "tree" used in e.g. the Linux kernel has much higher fanout than 2 (at least near/at the top), so you end up with many more nodes.
When people here speak of a "database" they really mean a "database system".
Technically, you're correct, though. But I would contend that the definition of "database" is so wide as to make it completely worthless to refer to a "database" and not "database system" in any technical context -- which is why people use "database" as shorthand for referring to a database system.
HAND.
Quoting from the OpenBSD Errata Page, this problem has been remedied since May 5, 2004.
...up on CougaarForge.
Just the source and the i386 binary RPMs, but perhaps they'll be useful to someone...
The Army reading list
You just made a double-fault.
Patently False
source: CVS-RCS-HOWTO
It's NOT! It's something else. (irony misuse)
SCO wants their name changed to Sourceforgery.
That won't do much good because SCO will too easily become confused with alternative labels such as SoreForce or SoreFarce.
"Provided by the management for your protection."
Place your bets: How long will it take for Darl McBride to issue a press statement saying that this flaw proves that IBM have been able to covertly insert SCO Unix code into the Linux kernel?
How many programmers does it take to change a LED?
None. It's a hardware problem.
How many engineers does it take to change a LED?
5. One to find the manual, and 4 to try to follow the instructions.
How many people does it take to change a LED?
One, but he has to remember how. After all, it was so long ago...
Sure I'm paranoid, but am I paranoid enough?
I have worked on commercial software for three different commercial companies, including a very large one (three letters, starts with S), and also on a "smaller" open-source project (fltk).
Even this small open source project gets me far more "code review" than anything at any commercial place. Nobody looks at commercial code, they do not have the time. EVERY single fix and improvement is suggested, located, and coded by me. All I get are bug reports, almost all of those are "I ran it for 3 hours, I forget what I did, and it crashed!"
In fltk, certainly there are bugs reported, and just like the commercial stuff the same bug is reported dozens of times, by people too lazy to even check if the bug is already in the database. But I also get many patches where people actually found out about the bugs. The number of patches I have received for the commercial software (where many of the users have access to the source code)? ZERO!
The other comment about accepting blocks of unknown code is bogus. The submitted patches are all about 1 line long and I can easily tell if they really fix the problem. Same is true for the commercial software, incidentally. Any contributed code is always read over and analyzed.
I can categorically state that my OSS software is higher quality than my commercial software. Now I spend about 10x or more time on the commercial software, and it is probably 20-30x more complicated than the OSS stuff. Therefore it is more valuable, but that does not mean it is better.
Unfortunately the real difference I am talking about is the difference between commercial development and a hobby. Unfortunately for your argument, it is obvious to me that "hobby" software is much higher quality than commercial. The difference is in the motivation of the authors, and the fact that they know their work is visible to the world.
It's already in portage and marked stable. Should get you going.
Corporate Gadfly
Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
How exactly is parent troll and off topic? In my opinion it's way Underrated. I'm not the only one. For example, boots@work (17305) also thinks that parent has a point. It's obviously not off topic and parent is not a troll (check out his posting history). It might be flamebait, but is IMHO also very Insightful.
.. and of the other thoughtful replies on the thread. This goes to help prove a point I've tried to make several times, but being a non-coder I am at a loss how to present it without sounding overly churlish. The point is, software is usually presented with no warranty. The argument is that it can't be done. I have always thought it could be done, that very good code could be released, but it wasn't, for the various reasons outlined in this thread, all of which CAN be addressed, but for the most part, are not.
I guess my point is, as a company/developer/project takes on quality and auditing as job 1, rather than just rushing it out the door when it's "good enough", their market star will shine, because they have so little *true* competition then.
I hope it happens.