

Flaws drill holes in open-source repository
CNET News.com ^ | May 19, 2004, 1:42 PM PDT | Robert Lemos

Posted on 05/19/2004 9:03:58 PM PDT by Bush2000

By Robert Lemos
Staff Writer, CNET News.com

Flaws in two popular source code repository applications could allow attackers to access and corrupt open-source software projects, a security researcher said Wednesday.

One vulnerability affects the Concurrent Versions System (CVS), an application used by many developers to store program code. The other flaw affects a newer, less widely used system known as Subversion, said Stefan Esser, the researcher who discovered the security holes.

CVS in particular is used by many large open-source projects to run the servers that hold the version history of a program under development. The groups developing the Gnome and KDE Linux desktops, the Apache Web server and large Linux distributions are among those that use such servers.

These groups were notified of the security issues earlier in May and have already installed patches, said Esser, who is the chief security and technology officer at e-Matters, a German software company.

"The really big projects usually use CVS...servers just as a distribution channel," Esser stated in an e-mail interview, noting that the servers used by major developers to hold code are generally accessible only through a secured connection. "Lots of smaller open-source projects are, however, running their development on vulnerable servers," he added.

The flaw in CVS, which is used more widely than Subversion, affects all versions of the software released before May 19, according to an alert sent out by Esser. The vulnerability is a heap overflow: the CVS server does not check data sent by its clients carefully enough before writing it into memory it has allocated, so a malicious client can corrupt the server's memory. The CVS Project and major Linux and BSD distributions have posted advisories on the issue.

The hole in Subversion, a newer system designed to replace CVS, is much easier to exploit, Esser said. It is caused by an error in the code that parses dates, and could be exploited to allow "remote code execution on Subversion servers and therefore could lead to a repository compromise," according to Esser's advisory.

(Excerpt) Read more at news.com.com ...


TOPICS: Business/Economy; Technical
KEYWORDS: cvs
There is no spoon, OSS bigots.
1 posted on 05/19/2004 9:03:58 PM PDT by Bush2000
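The two flaws in the article above (the CVS heap overflow, tracked at the time as CAN-2004-0396, and the Subversion date-parsing bug, CAN-2004-0397) share one root cause: a field supplied by the client is written into memory whose size was fixed without regard to what the client actually sent. The C program below is an added illustration of that pattern and its fix; it is not code from CVS, Subversion or Esser's advisory, and the timestamp format, field sizes and function names are assumptions chosen only to show the bug class. It places an unsafe parse (sscanf with an unbounded %s into a fixed-size stack buffer, the shape of a stack overflow in a date parser) next to a bounded version that width-limits every field, whitelists the weekday and month tokens, range-checks the numbers and rejects trailing input.

```c
/* Added illustration, not Subversion's or CVS's code: parsing a
 * client-supplied "Wed May 19 13:42:00 2004"-style timestamp.
 * The format and field widths are assumptions for this example. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

struct parsed_date {
    char wday[4];   /* three-letter weekday plus NUL, e.g. "Wed" */
    char month[4];  /* three-letter month plus NUL, e.g. "May" */
    int day, year, hour, min, sec;
};

/* VULNERABLE PATTERN: "%s" carries no width limit, so a weekday or month
 * token longer than three characters runs past wday[]/month[] on the
 * stack. Shown only to make the bug visible; never feed it untrusted input. */
int parse_date_unbounded(const char *s, struct parsed_date *out)
{
    return sscanf(s, "%s %s %d %d:%d:%d %d",
                  out->wday, out->month, &out->day,
                  &out->hour, &out->min, &out->sec, &out->year) == 7;
}

static const char *const WDAYS[] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
static const char *const MONTHS[] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};

/* Return the index of tok in tab, or -1 if it is not a listed token. */
static int index_of(const char *const *tab, size_t n, const char *tok)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tab[i], tok) == 0)
            return (int)i;
    return -1;
}

/* HARDENED: overall length cap, width-limited "%3s" (3 chars + NUL fits the
 * 4-byte fields), token whitelist, numeric range checks and a trailing-input
 * check via "%n". Returns 1 and fills *out on success, 0 otherwise. */
int parse_date_bounded(const char *s, struct parsed_date *out)
{
    int consumed = 0;
    if (s == NULL || out == NULL)
        return 0;
    if (strlen(s) > 32)                     /* the longest legal form is 24 chars */
        return 0;
    memset(out, 0, sizeof *out);            /* guarantees NUL-terminated fields */
    if (sscanf(s, "%3s %3s %d %d:%d:%d %d%n",
               out->wday, out->month, &out->day,
               &out->hour, &out->min, &out->sec, &out->year, &consumed) != 7)
        return 0;                           /* "Wednesday" splits into "Wed" "nes" -> fails */
    if (s[consumed] != '\0')
        return 0;                           /* reject "... 2004 extra" */
    if (index_of(WDAYS, 7, out->wday) < 0)
        return 0;
    if (index_of(MONTHS, 12, out->month) < 0)
        return 0;
    if (out->day < 1 || out->day > 31)
        return 0;
    if (out->hour < 0 || out->hour > 23)
        return 0;
    if (out->min < 0 || out->min > 59)
        return 0;
    if (out->sec < 0 || out->sec > 60)      /* 60 admits a leap second */
        return 0;
    if (out->year < 1970 || out->year > 9999)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, including a token long enough to overflow
     * the 4-byte field if it reached the unbounded parser. */
    const char *samples[] = {
        "Wed May 19 13:42:00 2004",
        "Wednesday May 19 13:42:00 2004",
        "Wed May 19 13:42:00 2004 extra",
        "Wed Foo 19 13:42:00 2004",
        "Wed May 19 25:42:00 2004",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA May 19 13:42:00 2004",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct parsed_date d;
        printf("%-64s -> %s\n", samples[i],
               parse_date_bounded(samples[i], &d) ? "accepted" : "rejected");
    }
    return 0;
}
```

The bounded parser accepts only the first sample; every other line is refused before any byte lands outside the struct. Note that the fix is not just the "%3s" width: without the whitelist, "%3s" would still happily accept "Wednesday" by reading "Wed" and leaving "nesday" to confuse the next field, and without the "%n" check a server would silently accept a line with garbage appended. Building such a server with -fstack-protector and -D_FORTIFY_SOURCE=2 is a second line of defence, not a replacement for bounding the parse.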

To: N3WBI3

Time to get patchin'...


2 posted on 05/19/2004 9:23:50 PM PDT by Bush2000

To: Bush2000

"These groups were notified of the security issues earlier in May and have already installed patches..."

I'm surprised that a UNIX security alert even made it into a column. Each OS Web site keeps a list of security alerts, most of which are issued after holes are found by users and developers (before system crackers get a chance).

Ah, it is nice, indeed, not to have had any virus, spyware or anything like that for over seven years!


3 posted on 05/19/2004 9:24:53 PM PDT by familyop (Essayons)

To: Bush2000

And why suck-up to the Microsoft commies by buying their toys when we can have real networking systems?

The Bill & Melinda Gates Foundation gave $8.8 million to the Planned Parenthood Federation.
http://www.cnn.com/2000/HEALTH/women/12/11/health.women.gates.reut/

"Microsoft offers source code to China"
http://itmatters.com.ph/news/news_03032003a.html
(removed from major news sites)

Gates: Buy stamps to send e-mail
http://www.cnn.com/2004/TECH/internet/03/05/spam.charge.ap/

Bill Gates against repealing the inheritance tax
http://www.pbs.org/now/transcript/transcript_inheritance.html

"Soros, one of the wealthiest men in the world, promised $15.5 million to defeating President Bush. Also on this list are Bill Gates,..."
http://www.americasvoices.org/archives2003/CoxJ/CoxJ_112403.htm
(most excellent link so far)

The Left-Wing Billionaire Collectivist Pigs
http://www.newsmax.com/archives/articles/2002/9/25/191020.shtml
(pretty good)

Billionaire Collectivist Pigs on a Roll
http://www.newsmax.com/archives/articles/2002/10/11/171315.shtml

"Gun-Control Group Changes Name, Keeps Agenda"
http://www.cnsnews.com/ViewNation.asp?Page=%5C%5CNation%5C%5Carchive%5C%5C200106%5C%5CNAT20010615a.html
(and Bill is a contributor)

"Is Bill Gates a closet liberal?"
http://archive.salon.com/21st/feature/1998/01/cov_29feature.html
(Bill Gates for gun control, pro-abortion, etc.)

http://vikingphoenix.com/news/madminute/1997/mm970040.htm
(Gates on gun control)

http://www.pbs.org/newshour/bb/law/july-dec97/guns_11-4.html
(more money for gun control from Gates and his father)

"Bill Gates Is No Free Market Hero"
http://brian.carnell.com/articles/2000/12/000046.html

http://www.pittsburghlive.com/x/tribune-review/opinion/datelinedc/s_176864.html
(ah, somewhat good)

Windows XP Shows the Direction Microsoft is Going
http://www.hevanet.com/peace/microsoft.htm

"the changing politics of Bill Gates" (national review, john j. miller)
http://www.findarticles.com/cf_dls/m1282/2_51/53662235/p1/article.jhtml

"2002 Feb 2, In NYC protesters of the World Economic Forum turned out in large numbers. Inside foreign economic leaders criticized the US for protectionist policies, and Bill Gates and U2 rock star Bono pushed for increases in foreign aid by rich countries to poor countries."
http://timelines.ws/days/02_02.HTML

"Software, soft money, and Libertarians"
http://www.seattleweekly.com/features/0039/news-anderson.shtml
[Bill gives money to both sides--whoever supports Microsoft and extreme social left policies. ...includes Barney Frank.]

Client testimonials, Bill Gates in China, Bill Clinton in China
http://www.beijinghighlights.com/testimonials/testimonials.htm

"State-owned Software Firm Ties up with Microsoft China"
http://fpeng.peopledaily.com.cn/200107/07/eng20010707_74398.html


4 posted on 05/19/2004 10:26:08 PM PDT by familyop (Essayons)

To: familyop
Well, well, well...interesting political activities of Herr Gates with all the money he's made with the help of these Microsoft shills. Good list.

As for the CVS bug, it's no great shakes. Every responsible developer (and group) out there has PGP/GPG signatures on their source code that's available for download. Thus, those source code sets could get modified six ways to Sunday and it wouldn't get far at all after the first admin does a signature check.

5 posted on 05/19/2004 11:47:06 PM PDT by Prime Choice (Love your enemies... It really ticks 'em off!)
