12 Feb 2003
A weakness in the widely used Concurrent Versions System (CVS) development aid has left Linux and open source code vulnerable to attack.
A Computer Emergency Response Team advisory has warned the flaw could allow hackers to alter the operation of the CVS program, read sensitive information or launch denial of service attacks.
The CVS version management tool is by far the most popular resource used by the major Linux developers and companies to keep track of different software versions.
Although CVS is open source, it is used to keep track of all types of software used by a company.
The problem was first reported on 20 January by German software, security and internet company E-Matters.
It has warned that, although companies have released patches for the vulnerability, it typically takes people two months to download and install the patch.
Kevin Besthorn, chief executive at E-Matters, said: "Anyone who is developing some sort of serious software uses this system to keep track of developments, so it can hit IT departments. Anyone that uses this should download the patch and install it."
The bug applies to release 1.11.4 and earlier of CVS. Among the companies that ship CVS are Sun Microsystems (for Linux 5.0.3 and earlier), Red Hat, Debian, MandrakeSoft, Conectiva and Cray.
Most vendors have issued patches for the problem, according to Simon Dowlut, penetration tester and security consultant at analyst company Information Risk Management.
"Any bug that allows you to execute code of your choice is a bad thing," he said.
"It is possible that lots of code was compromised. It could have far-reaching consequences. But did anybody know before? Once it came to light everyone moved to issue patches."
Dowlut added that it is now up to users to apply the patches. "There is a black hat community out there who hang on to vulnerabilities."
But, he said, because it is open source code, there were thousands of sets of eyes looking at the code to find vulnerabilities. Any flaws are usually reported straightaway, significantly reducing the risk, said Dowlut.
E-Matters has also warned about two other commands, Update-prog and Checkin-prog, which allow any CVS user to execute programming commands on the server.
The company has issued patches that let the user turn off these two commands within the configuration files.
Users should download a patch from their Linux supplier or from E-Matters.