[dernek] IDG news item - for your information

---------

From: Serhat Ayan (serhat@ayan.org)
Date: Thu 10 Jun 2004 - 12:58:37 EEST


Holes Found in Open Source Tool

Paul Roberts, IDG News Service

A close investigation of a common open source tool has uncovered more
critical security holes in software used by developers to track and manage
changes in computer code.


Six vulnerabilities were discovered in the Concurrent Versions System, which
is used to manage code on a number of leading open source software
development projects. CVS is also used by organizations developing
proprietary software. The holes could enable remote attackers to launch
denial of service attacks or run malicious code on systems hosting
vulnerable versions of CVS, according to an alert published by E-matters, a
German security firm.

Patch Available

Word of the new vulnerabilities comes just two weeks after another security
hole in the software was used to hack the CVS project Web site. That
compromise prompted an investigation of the CVS computer code, which
revealed the latest holes, according to E-matters.

While some of the new vulnerabilities require a valid CVS user or
administrator login to use, others can be exploited remotely and with few
privileges on the vulnerable system, says David Endler, director of digital
vaccine at TippingPoint Technologies, which makes network intrusion
prevention systems.

In particular, a double-free vulnerability in CVS was used to exploit a
number of systems running the Linux operating system, according to the
E-matters alert.
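The bug class the alert refers to, shown as an added C example that is not CVS's code and not part of the article: a constructed buffer type (`struct buf`, `buf_release`, `buf_store` and the counter are all assumptions for illustration) in which an error path inside the callee releases the buffer and the caller, seeing the error, releases it again. Clearing the pointer after `free()` turns that second release into a no-op, which is the usual mitigation for this shape of double free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a request buffer; not CVS's own structure. */
struct buf {
    char  *data;
    size_t cap;
};

/* Counts how many times memory was actually handed back to the allocator,
 * so the scenario below can show that two release calls cause one free. */
static int g_actual_frees = 0;

/* Hardened release: idempotent because the pointer is cleared after free().
 * Returns 1 if memory was actually freed, 0 if the buffer was already empty. */
static int buf_release(struct buf *b)
{
    if (b->data == NULL)
        return 0;
    free(b->data);
    b->data = NULL;        /* the one line that turns a second release into a no-op */
    b->cap = 0;
    g_actual_frees++;
    return 1;
}

/* Typical double-free shape: on failure the callee cleans up its own buffer,
 * and the caller, reacting to the error code, cleans up as well. */
static int buf_store(struct buf *b, const char *line)
{
    size_t n = strlen(line);
    if (n + 1 > b->cap) {
        buf_release(b);    /* callee releases on the error path */
        return -1;
    }
    memcpy(b->data, line, n + 1);
    return 0;
}

/* Drives the scenario for one input line and returns the number of actual
 * frees. Expected 1 for both a fitting and an over-long line: with the
 * unhardened pattern (no NULL assignment) the over-long case would free twice. */
static int demo(const char *line)
{
    struct buf b = { malloc(8), 8 };
    if (b.data == NULL)
        return -1;
    g_actual_frees = 0;
    if (buf_store(&b, line) != 0)
        buf_release(&b);   /* caller cleans up too; harmless thanks to the guard */
    buf_release(&b);       /* normal end-of-request release */
    return g_actual_frees;
}

int main(void)
{
    printf("short line: %d free(s)\n", demo("ok"));
    printf("long line:  %d free(s)\n", demo("this line does not fit in the buffer"));
    return 0;
}
```

A memory checker such as AddressSanitizer or Valgrind reports the unhardened variant on the over-long input as a double free; with the NULL guard in place the same run reports nothing, which is the behaviour the test checks.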

"I wouldn't be surprised to see an exploit for the double-free vulnerability
within the next few days," Endler says.

The CVS project released a software update fixing the holes, including the
three discovered by E-matters researcher Stefan Esser. There is no evidence
that the new holes have resulted in attacks.

However, once security holes are announced, a race begins between
organizations that need to patch their systems and hackers eager to take
advantage of the vulnerability, Endler says. That is especially true of open
source code projects, where the raw code that underlies products is in the
public domain, he notes.

Open Source Vulnerable

The news of vulnerabilities in the CVS product has raised concerns about the
security of open source projects, many of which have been breached by
hackers in recent years.

In October 2002, for example, a Trojan horse program was discovered in some
distributions of the open source Sendmail e-mail software. In August 2003
the Free Software Foundation, sponsors of the GNU free software project,
said that a key server housing the group's Linux software was broken into by
a malicious hacker.

Open source development projects rely on the assumption that the platforms
people use to collaborate on the development are secure. Vulnerabilities in
the CVS product and hacking of CVS project resources invariably cause people
to wonder whether the products developed using CVS might also have
unknowingly been compromised by hackers, Endler says.


---------

This archive was generated by hypermail 2.1.7.