Security flaws could corrupt open source databases

Is this part of the trend of security attacks on Linux?

Flaws in two popular source code database applications could allow attackers to access and corrupt open-source software projects, according to a security researcher.

One vulnerability affects the Concurrent Versions System (CVS), an application used by many developers to store program code. The other flaw affects a newer, less widely used system known as Subversion, said Stefan Esser, the researcher who discovered the security holes.

The CVS software, in particular, is run by many large open-source projects to create servers that maintain the versions of a program under development. Groups developing the Gnome and KDE Linux desktops, the Apache web server and large Linux distributions are among those that use servers with the source code databases.

These groups were notified of the security issues earlier in May and have already installed patches, said Esser, who is the chief security and technology officer at e-Matters, a German software company.

Esser said in an email interview: "The really big projects usually use CVS...servers just as a distribution channel. Lots of smaller open-source projects are, however, running their development on vulnerable servers."

The flaw in CVS, which is used more widely than Subversion, affects all versions of the software released before 19 May, according to an alert sent out by Esser. The vulnerability, technically known as a "heap overflow," occurs because data from the system's users is not vetted carefully enough. The CVS Project and major Linux and BSD distributions have posted advisories on the issue.
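The bug class the paragraph above describes, unvetted client data copied into a fixed-size heap allocation, shown as an added illustration rather than the CVS code (the article does not reproduce it). The message format (one length byte followed by the payload), the MAX_ENTRY capacity and all function names are assumptions made for the example: the vulnerable form sits beside the hardened form that checks the declared length against both the bytes actually received and the buffer capacity before copying.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical server-side parser for an "entry" message: one length byte
 * followed by that many payload bytes. Added example of the bug class
 * (trusting a client-supplied length); not code from CVS or Subversion. */

#define MAX_ENTRY 64   /* assumed fixed capacity of the server's heap buffer */

/* Vulnerable form: copies whatever length the client claims into a
 * fixed-size heap allocation. A length byte above MAX_ENTRY writes past the
 * end of buf (heap overflow); a length above msg_len - 1 also reads past the
 * end of msg. Shown for contrast only; never run this on untrusted input. */
char *vulnerable_read_entry(const unsigned char *msg, size_t msg_len)
{
    if (msg_len < 1)
        return NULL;
    size_t declared = msg[0];
    char *buf = malloc(MAX_ENTRY);
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + 1, declared);   /* no check of declared vs MAX_ENTRY or msg_len */
    return buf;
}

/* Hardened form: the declared length is checked against what was actually
 * received and against the capacity before any copy happens. Returns a
 * NUL-terminated heap string (caller frees) or NULL when the message is
 * rejected. */
char *hardened_read_entry(const unsigned char *msg, size_t msg_len, size_t *out_len)
{
    if (msg == NULL || msg_len < 1)
        return NULL;
    size_t declared = msg[0];
    if (declared > msg_len - 1)       /* client claims more bytes than it sent */
        return NULL;
    if (declared >= MAX_ENTRY)        /* would not fit with room for the terminator */
        return NULL;
    char *buf = malloc(MAX_ENTRY);
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + 1, declared);
    buf[declared] = '\0';
    if (out_len != NULL)
        *out_len = declared;
    return buf;
}

/* Constructed sample messages for the demo (not captured traffic). */
static const unsigned char benign_msg[] = { 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char lying_msg[]  = { 200, 'a', 'b' };   /* claims 200 bytes, sends 2 */

/* Returns 1 if the benign message parses to "hello", else 0. */
int demo_benign(void)
{
    size_t n = 0;
    char *s = hardened_read_entry(benign_msg, sizeof benign_msg, &n);
    int ok = (s != NULL && n == 5 && strcmp(s, "hello") == 0);
    free(s);
    return ok;
}

/* Returns 1 if a length byte larger than the bytes received is rejected. */
int demo_lying_length(void)
{
    size_t n = 0;
    return hardened_read_entry(lying_msg, sizeof lying_msg, &n) == NULL;
}

/* Returns 1 if a complete but oversized entry (100 payload bytes against a
 * capacity of 64) is rejected; the vulnerable form would write 36 bytes past
 * the end of its heap block on the same input. */
int demo_oversized(void)
{
    unsigned char big[1 + 100];
    big[0] = 100;
    memset(big + 1, 'A', 100);
    size_t n = 0;
    return hardened_read_entry(big, sizeof big, &n) == NULL;
}

int main(void)
{
    /* The vulnerable parser is only ever fed the well-formed message here. */
    char *v = vulnerable_read_entry(benign_msg, sizeof benign_msg);
    free(v);
    printf("benign parsed: %d\n", demo_benign());
    printf("lying length rejected: %d\n", demo_lying_length());
    printf("oversized rejected: %d\n", demo_oversized());
    return 0;
}
```

The two checks in hardened_read_entry are the whole fix: the first stops an over-read of the received message, the second stops the heap write past the allocation. Checking only one of them leaves the other half of the bug in place.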

The hole in Subversion, a newer system designed as a replacement for CVS, is much easier to take advantage of, Esser said. That vulnerability is caused by an error in the way the code parses dates. It could be exploited to allow "remote code execution on Subversion servers and therefore could lead to a repository compromise," according to Esser's advisory.

"The CVS flaw is several levels harder to abuse," Esser said.

The source-code database holes aren't the first to cause developers some worry. Last year, a vulnerability in CVS software opened up development servers to attacks by allowing an intruder to raise his or her level of privilege. The flaw led to some compromises.

Attackers have increasingly started to focus on software that runs on Linux, the operating system most often used with CVS. In March and April, Linux and Solaris servers at academic supercomputing centres were struck by unknown intruders.

Robert Lemos writes for CNET News.com

Comments

There is 1 comment.

  1. Doug K

    Again with the misleading article titles from Silicon.com. CVS stands for 'Concurrent Versions System'. It is used for keeping track of source code and source code changes and happens to use a database to store the information. It does not make it an 'open source database' just because it uses a database. Otherwise you could call Apache Web Server (open source) an open source database because it has a database backend. This is misleading because it looks like MySQL and PostgreSQL or other open source databases have security flaws. THAT IS NOT WHAT THIS ARTICLE IS ABOUT!!!!!

    • 24 May 2004 15:59
