CVS flaw could give hackers access to servers

The CERT Coordination Center (CERT/CC) security organization has warned of a critical vulnerability in the widely-used Concurrent Versions System (CVS) software which could enable an unauthenticated remote attacker with read-only access to execute arbitrary code, alter program operation, read sensitive information, or cause a denial of service to servers.

CVS is used by teams of software developers to coordinate their code writing and to maintain a single standard view of the development process to all team members. It runs on several proprietary variants of Unix and on the open-source Linux OS.

It is a key tool for the open-source development community, and has been used in large-scale developments such as the Mozilla browser, the Python programming language, some versions of Linux such as ARM Linux, the freeDOS operating system and a Palm OS emulator.

The vulnerability is described by CERT/CC as a “double-free” vulnerability in the CVS server, whereby a set of specially crafted directory requests could cause an attempt to free a particular memory reference more than once. That in turn could lead to heap corruption, which an attacker could leverage to execute arbitrary code, alter the logical operation of the CVS server program, or read sensitive information stored in memory, CERT/CC said.

CERT/CC recommended users to disable anonymous CVS server access or block or restrict access to CVS servers from untrusted hosts and networks until patches or upgrades can be applied.

Vendors which offer CVS with their Unix products such as IBM Corp., Sun Microsystems Inc., Cray Inc. and the vendors of the principal Linux distributions are offering patches for the flaw.

The most high-profile opponent of CVS as a development methodology is Linux founder Linus Torvalds who uses an alternative system known as Bitkeeper to manage the ongoing development of the Linux kernel. Torvalds has frequently stated his objection to the way that CVS maintains a central repository of the source code tree rather than giving all developers equal access to the code.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now