
CVS flaw has Linux vendors rushing out patches


Linux vendors have rushed to distribute patches for a critical flaw in CVS, a widely used program for collaborating on software development, that could allow a malicious user unauthorized access to development code. By Friday, FreeBSD and all the major Linux distributors, including Red Hat Inc., Debian, Suse Linux AG, MandrakeSoft SA, Slackware and Gentoo Software, had issued patches for the versions of CVS (Concurrent Versioning System) packaged for their distributions, following an advisory published earlier this week by German security firm E-Matters. The firm also warned of a similar, more easily exploitable flaw in Subversion, a newer and less popular revision of CVS.

CVS allows large numbers of contributors to collaborate on software development projects, letting them keep their own modifications up to date with those of other developers, which are stored on a server. The flaw found by E-Matters is a "heap overflow" that could allow a user to execute arbitrary code on the CVS server, according to Stefan Esser, chief security and technology officer at E-Matters. "This could allow a repository compromise," Esser wrote in the advisory.






