A close investigation of a common open source tool has uncovered more critical security holes in software used by developers to track and manage changes in computer code.

Six vulnerabilities were discovered in the Concurrent Versions System (CVS), which is used to manage code on a number of leading open source software development projects. CVS is also used by organizations developing proprietary software. The holes could enable remote attackers to launch denial-of-service attacks or run malicious code on systems hosting vulnerable versions of CVS, according to an alert published by E-matters.

Word of the new vulnerabilities comes just two weeks after another security hole in the software was used to hack the CVS project Web site. That compromise prompted an investigation of the CVS computer code, which revealed the latest holes, according to E-matters.

While some of the new vulnerabilities require a valid CVS user or administrator login to use, others can be exploited remotely and with few privileges on the vulnerable system, said David Endler, director of digital vaccine at TippingPoint Technologies, which makes network intrusion prevention systems. In particular, a vulnerability in a CVS function called “double-free()” was used to exploit a number of systems running the Linux operating system, according to the E-matters alert.

“I wouldn’t be surprised to see an exploit for the double-free vulnerability within the next few days,” Endler said.

The CVS project released a software update fixing the holes, including the three discovered by E-matters researcher Stefan Esser. There is no evidence that the new holes have resulted in attacks. However, once security holes are announced, a race begins between organizations that need to patch their systems and hackers eager to take advantage of the vulnerability, Endler said.
That is especially true of open source code projects, where the raw code that underlies products is in the public domain, he said.

The news of vulnerabilities in the CVS product has raised concerns about the security of open source projects, many of which have been breached by hackers in recent years. In October 2002, for example, a Trojan horse program was discovered in some distributions of the open source Sendmail e-mail software. In August 2003 the Free Software Foundation, sponsors of the GNU free software project, said that a key server housing the group’s Linux software was broken into by a malicious hacker.

Open source development projects rely on the assumption that the platforms people use to collaborate on the development are secure. Vulnerabilities in the CVS product and hacking of CVS project resources invariably cause people to wonder whether the products developed using CVS might also have unknowingly been compromised by hackers, Endler said.
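The article names a “double-free” bug as the flaw that was exploited on Linux systems but does not describe the bug class. The following is an added illustration, not code from CVS or from the E-matters advisory: a constructed C record type whose error path releases a heap buffer early, followed by an unconditional cleanup that releases it again. The defensive pattern shown, clearing the owning pointer after `free()` so that the second release becomes a no-op, is the standard mitigation for this class of defect; the `record_t` type, the newline validation rule and the function names are all assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example: a record owning one heap buffer. Two code paths
 * (an error path and the caller's cleanup) may both try to release it. */
typedef struct {
    char *data;
    size_t len;
} record_t;

/* Release the buffer and clear the owning pointer. free(NULL) is defined
 * as a no-op, so a second call on the same record is harmless. In the
 * buggy pattern this mitigates, the pointer was left dangling after the
 * first free and the second free corrupted the heap allocator state. */
static void record_release(record_t *r) {
    free(r->data);
    r->data = NULL;
    r->len = 0;
}

/* Copy input into the record, rejecting input that contains a newline
 * (constructed validation rule). Returns 0 on success, -1 on error.
 * The error path releases the buffer before returning. */
static int record_process(record_t *r, const char *input) {
    r->len = strlen(input);
    r->data = malloc(r->len + 1);
    if (r->data == NULL) {
        r->len = 0;
        return -1;
    }
    memcpy(r->data, input, r->len + 1);
    if (strchr(input, '\n') != NULL) {
        record_release(r);   /* early release on the error path */
        return -1;
    }
    return 0;
}

/* Caller pattern: process, then always clean up. Because record_release()
 * nulls the pointer, the cleanup after an error path is a safe no-op
 * rather than a double free. Returns the processing result. */
int handle_input(const char *input) {
    record_t r = { NULL, 0 };
    int rc = record_process(&r, input);
    record_release(&r);      /* unconditional cleanup */
    return rc;
}

/* Returns 1 if releasing twice leaves the record in the cleared state. */
int release_is_idempotent(void) {
    record_t r = { malloc(8), 8 };
    if (r.data == NULL) return 0;
    record_release(&r);
    record_release(&r);      /* second release must not touch freed memory */
    return r.data == NULL && r.len == 0;
}
```

Build with `-fsanitize=address` during testing: with the `r->data = NULL` line removed, the sanitizer reports the double free on the error path immediately, which is the kind of check that catches this class before it reaches a release.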