Search finds new holes in open source tool

A close investigation of a common open source tool has uncovered more critical security holes in software used by developers to track and manage changes in computer code.

Six vulnerabilities were discovered in the Concurrent Versions System (CVS), which is used to manage code on a number of leading open source software development projects. CVS is also used by organizations developing proprietary software. The holes could enable remote attackers to launch denial of service attacks or run malicious code on systems hosting vulnerable versions of CVS, according to an alert published by e-matters GmbH.

Word of the new vulnerabilities comes just two weeks after another security hole in the software was used to hack the CVS project Web site. That compromise prompted an investigation of the CVS computer code, which revealed the latest holes, according to e-matters.

While some of the new vulnerabilities require a valid CVS user or administrator login to use, others can be exploited remotely and with few privileges on the vulnerable system, said David Endler, director of digital vaccine at TippingPoint Technologies Inc., which makes network intrusion prevention systems.

In particular, a vulnerability in a CVS function called “double-free()” was used to exploit a number of systems running the Linux operating system, according to the e-matters alert.

“I wouldn’t be surprised to see an exploit for the double-free vulnerability within the next few days,” Endler said.

The CVS project released a software update fixing the holes, including the three discovered by e-matters researcher Stefan Esser. There is no evidence that the new holes have resulted in attacks. However, once security holes are announced, a race begins between organizations that need to patch their systems and hackers eager to take advantage of the vulnerability, Endler said. That is especially true of open source code projects, where the raw code that underlies products is in the public domain, he said.

The news of vulnerabilities in the CVS product has raised concerns about the security of open source projects, many of which have been breached by hackers in recent years. In October 2002, for example, a Trojan horse program was discovered in some distributions of the open source Sendmail e-mail software. In August 2003, the Free Software Foundation, sponsor of the GNU free software project, said that a key server housing the group’s Linux software was broken into by a malicious hacker.

Open source development projects rely on the assumption that the platforms people use to collaborate on the development are secure. Vulnerabilities in the CVS product and hacking of CVS project resources invariably cause people to wonder whether the products developed using CVS might also have unknowingly been compromised by hackers, Endler said.

Jim Love, Chief Content Officer, IT World Canada
