Open-source defect reaches deep

A critical vulnerability has been found in the Concurrent Versions System, which is used in the majority of open-source projects to update and maintain source code.

A critical vulnerability has been found in the Concurrent Versions System (CVS), which is used in the vast majority of open-source projects to update and maintain source code.

CVS allows open-source developers to remotely update and modify the source code to projects while ensuring that collaborative efforts don't overlap.

By using CVS, changes to source code made by one developer aren't overwritten by another. It also tracks version control and provides the open-source community with a means by which to manage open projects that have multiple contributors.

The security hole allows attackers to take control of a CVS server and alarmingly, it may also allow anonymous attackers to fiddle with open-source code at the development level.

"There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include Trojan horses, backdoors or other malicious code," a Computer Emergency Response Team Coordination Center (CERT) advisory said. CERT is responsible for much of the software-vulnerability information released on the Internet.

Stefan Esser of E-Matters, a European technology company, discovered the vulnerability in early January.

Recognizing the potential impact of the problem, Esser first disclosed the vulnerability to several key CVS repositories. This allowed them to work around the vulnerability, hence protecting their source code from would-be attackers.

Esser then contacted the group that maintains CVS, and waited until they had produced a fix for the vulnerability before he disclosed the flaw to the public.

The scope of the vulnerability is immeasurable. alone uses CVS to maintain over 55,000 open-source projects. Even CVS is maintained by CVS.

Unlike other incidents in which open-source software has been modified, which has been easily detected as in the case of the "Trojaning" of and SSH distributions last year, this vulnerability is present at the very coal-face of open-source development.

An exploit for this potentially devastating security hole is not thought to be circulating, and E-Matters has stated that it would not be releasing one to the public.

Versions of CVS vulnerable to this attack include those shipped by Conectiva, Cray, Debian, IBM, MandrakeSoft and Red Hat, although many others may be vulnerable.

ZDNet Australia's Patrick Gray reported from Australia.
