Original URL: https://www.theregister.com/2003/01/24/flaw_leaves_door_open/

Flaw leaves door open for Trojan contamination

Open source software projects at risk

By John Leyden

Posted in Security, 24th January 2003 15:56 GMT

Linux developers were warned yesterday of a potentially devastating flaw affecting Concurrent Versions System (CVS) software widely used by the open source community.

CVS, a version control and collaboration system often used in open-source software development projects, is commonly configured to allow public, anonymous, read-only access via the Internet.

A "double-free" vulnerability in the CVS server means that such limited public access is enough for a skilled, remote attacker "to execute arbitrary code, alter program operation, read sensitive information, or cause a denial of service", according to an advisory by security clearing house CERT.

Very nasty.

Through this vuln, an attacker who is able to compromise a CVS server can contaminate source-code repositories with Trojan code. Fortunately, a scan of the CERT advisory reveals that fixes from major Linux disties are already available.

Which is just as well: after a succession of Trojanised software distributions last year, the last thing we need is another such incident. ®

External Links

Advisory by CERT and Stefan Esser of German security outfit e-matters, who discovered the vulnerability.