[thelist] News Item: Major Security Flaw in CVS

David Kaufman david at gigawatt.com
Thu Jan 23 13:42:01 CST 2003


"James Aylard" <evolt at pixelwright.com> wrote...
> If this has made the rounds on this list, I missed it, although I'm sure
> it's all over the place elsewhere by now:
>
> http://news.com.com/2100-1001-981830.html
>
> Not to start a flame war, I do hope that this brings a bit of balance to
> the commercial vs. open source debate.

if by that you mean that you hope this stops people from believing that open
source software is more secure than commercial software (that does not share
or publish its source code), i'd like to point out that, as Stefan Esser
who discovered this vulnerability in CVS states (at
http://security.e-matters.de/advisories/012003.html/), "While auditing the
CVS sourcetree I found a flaw within the handling of the Directory request
within the server code".

so, since outside security experts are not able to audit the source trees
of proprietary software in the first place, such a flaw in a proprietary
package would never have been discovered at all.  this gentleman discovering
this vulnerability stands out as evidence *supporting* the
already-widely-agreed-upon belief that open-source software is more secure
than source-secret software, precisely because the source code is made
public, for any and all to see.  it's also interesting to note that due to
his work, the vulnerability has now been eliminated from the software and a
new version of CVS is shipping, just under three weeks later.  few
proprietary software vendors would have reacted this quickly, especially
considering that not a single case of anyone having *exploited* this
security hole has even been reported.  this bugfind-bugfix-update cycle is
the norm for open source.  the fixes for bugs reported to proprietary
software vendors which have *not* been the subject of news media reports
are normally withheld from users unless or until those users pay for the
next new version of the software, and even then users are not told that
the new version fixes bugs in the last version; they're told only of the
new features, and those not wanting the new features keep the old version
along with its secret hidden bugs.

i also think that Mr. Esser is overbroad in his summary, stating that "this
vulnerability is a threat to *most* open source projects because nearly all
of them offer anonymous CVS access to the source tree. Even if the attacker
is not able to extend his attack on the developer CVS server (if it is
separated at all) he could still backdoor everything other people download
from the anonymous server."

he states that the flaw can only be exploited "by any CVS user with write
access to the repository".  but in fact anonymous-write is *not* the default
configuration for CVS and i have *never* heard of any open source project
allowing anonymous *write* access to their CVS repository.  that would be
madness.  even without a security flaw in CVS, configuring CVS to allow
anonymous users to commit changes to your code would be a serious flaw ...in
judgement!  Mr. Esser seems to have confused anonymous *read* access, which
most open-source projects *do* allow (hence his ability to audit the CVS
source tree in the first place) with anonymous *write* access, a level of
password-protected (and usually ssh-encrypted) access which is granted only
to trusted developers of the project.

so, just remember the next time you hear of a big security flaw being found
in widely-used software, that if the package is open-source, nine times out
of ten you are hearing about how the open philosophy has just *worked* to
prevent possible security breaches before they've occurred.  on the other
hand, if the package is a source-secret compiled binary licensed from a
software publishing corporation, then (*ten* times out of ten) the only
reason it is being reported publicly at all is that the vulnerability is
already being actively exploited by malicious hackers all over the Internet,
and the company is still scrambling to find out how and why, and come up
with a fix.  and when the fix does arrive, it will also be a source-secret
patch, and no one outside the corporation will ever be able to know if it
actually resolves the problem, or simply obscures it further from being
exploited so easily.

open source prevents the possibility of lazy non-security measures, such as
those security-through-obscurity patches that over and over again, claim to
fix or prevent the same security breaches in commercial browser or email
packages.  how do we know if the latest patch is secure?  we don't.  and
until the source code is public, we won't.

-dave