A critical vulnerability has been found in the Concurrent Versions System (CVS), which is used by the vast majority of open-source projects to update and maintain source code.
CVS allows open-source developers to remotely update and modify the source code to projects while ensuring that collaborative efforts don't overlap. By using CVS, changes to source code made by one developer aren't overwritten by another. It also tracks version control and provides the open-source community with a means by which to manage open projects with multiple contributors.
The security hole allows attackers to take control of a CVS server and alarmingly, it may also allow anonymous attackers to fiddle with open-source code at the development level.
"There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include Trojan horses, backdoors, or other malicious code," a CERT advisory said.
Stefan Esser of E-Matters, a European technology company, discovered the vulnerability in early January.
Recognising the potential impact of the problem, Esser first disclosed the vulnerability to several key CVS repositories. This allowed them to work around the vulnerability hence protecting their source code from would-be attackers. Esser then contacted the group that maintains CVS, and waited until they had produced a fix for the vulnerability before he disclosed the flaw to the public on the E-Matters Web site.
The scope of the vulnerability is immeasurable. Sourceforge.net alone uses CVS to maintain over 55,000 open-source projects. Even CVS is maintained by CVS.
Unlike other incidents in which open-source software has been modified, which has been easily detected as in the case of the Trojaning of Sendmail and SSH distributions last year, this vulnerability is present at the very coal-face of open-source development.
An exploit for this potentially devastating security hole is not thought to be circulating, and E-Matters have stated that they will not be releasing one to the public.
Versions of CVS vulnerable to this attack include those shipped by Connectiva, Cray, Debian, IBM, Mandrake and Red Hat, although many others may be vulnerable.