Advisories!: Flaw leaves door open for Trojan contamination

By John Leyden
Linux developers were warned yesterday of a potentially devastating flaw affecting Concurrent Versions System (CVS) software widely used by the open source community.

CVS, a version control and collaboration system often used in open-source software development projects, is commonly configured to allow public, anonymous, read-only access via the Internet.

A "double-free" vulnerability[1] in the Concurrent Versions System (CVS) server means that such limited public access is enough for a skilled, remote attacker "to execute arbitrary code, alter program operation, read sensitive information, or cause a denial of service", according to an advisory by security clearing house CERT.

Very nasty.

Through this vuln an attacker who is able to compromise a CVS server can contaminate source-code repositories with Trojan code.

Fortunately, a scan of the CERT advisory reveals fixes from major Linux disties are already available.

Which is just as well: after a succession of Trojanised software distributions last year the last thing we need is another such incident. ®

[1] Double-free vulnerability - when a process tries to deallocate memory that has already been freed, heap corruption occurs. Either the system will crash or, if a cracker has crafted a malformed data request containing malicious code, that code may end up in portions of memory from which it is subsequently run.
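The footnote describes the bug class in general terms; the following is an added illustration, written for this page rather than taken from the CVS source or the CERT advisory, of the shape such a bug usually has in a server and of how it is found and fixed. The session structure, the handler names and the tiny quarantine-based detector are all hypothetical. The "buggy" path frees a request buffer in an error branch and then again in the normal close path; the "safe" path funnels every release through one helper that clears the pointer, so the second release becomes free(NULL), which the C standard defines as a no-op. The detector keeps recently freed blocks in a small quarantine instead of returning them to malloc immediately, which is the same idea AddressSanitizer and hardened allocators use to make a second free of the same address unambiguous.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy double-free detector (constructed for this example). A freed block is
 * parked in a quarantine rather than handed back to malloc, so its address
 * cannot be reused while it sits there; a second free of a quarantined
 * pointer is therefore certainly a double free. Only the oldest block is
 * released for real when the quarantine is full. */
#define QUARANTINE_SLOTS 8
static void *quarantine[QUARANTINE_SLOTS];
static int quarantine_next = 0;
static int double_free_count = 0;

/* Returns 0 for a first free of p, -1 (and counts it) for a repeated free. */
int checked_free(void *p) {
    if (p == NULL)
        return 0;                       /* free(NULL) is a defined no-op */
    for (int i = 0; i < QUARANTINE_SLOTS; i++) {
        if (quarantine[i] == p) {
            double_free_count++;        /* same live address freed twice */
            return -1;
        }
    }
    if (quarantine[quarantine_next] != NULL)
        free(quarantine[quarantine_next]);   /* evict oldest block for real */
    quarantine[quarantine_next] = p;
    quarantine_next = (quarantine_next + 1) % QUARANTINE_SLOTS;
    return 0;
}

int checked_double_free_count(void) { return double_free_count; }

/* Hypothetical per-connection state: a heap buffer holding one request. */
typedef struct {
    char *buf;
    size_t len;
} session_t;

/* Buggy shape: the error path frees the buffer but leaves the dangling
 * pointer in place, and the normal close path frees the same block again. */
static void handle_request_buggy(session_t *s, int error) {
    if (error)
        checked_free(s->buf);           /* first free, pointer not cleared */
}
static void session_close_buggy(session_t *s) {
    checked_free(s->buf);               /* second free of the same block */
}

/* Hardened shape: a single release helper that frees and nulls the pointer,
 * so any later release sees NULL and does nothing. */
static void session_release(session_t *s) {
    checked_free(s->buf);
    s->buf = NULL;
    s->len = 0;
}
static void handle_request_safe(session_t *s, int error) {
    if (error)
        session_release(s);
}
static void session_close_safe(session_t *s) {
    session_release(s);
}

/* Drives the buggy code through an error and a close; returns the number of
 * double frees the quarantine detected for this run (1). */
int run_buggy_scenario(void) {
    int before = double_free_count;
    session_t s = { malloc(16), 16 };
    if (s.buf == NULL)
        return -1;
    memset(s.buf, 'A', s.len);          /* constructed request contents */
    handle_request_buggy(&s, 1);
    session_close_buggy(&s);
    return double_free_count - before;
}

/* Same scenario through the hardened code; returns 0 double frees. */
int run_safe_scenario(void) {
    int before = double_free_count;
    session_t s = { malloc(16), 16 };
    if (s.buf == NULL)
        return -1;
    memset(s.buf, 'A', s.len);
    handle_request_safe(&s, 1);
    session_close_safe(&s);
    return double_free_count - before;
}

int main(void) {
    printf("buggy path: %d double free(s) detected\n", run_buggy_scenario());
    printf("safe path:  %d double free(s) detected\n", run_safe_scenario());
    return 0;
}
```

In production code the detector above is replaced by a real tool: building the server with `-fsanitize=address` (gcc or clang) catches the buggy path at the second free with a report naming both free sites, which is the cheapest way to find this class before a crafted request does. The free-and-null helper is the durable fix because it removes the dangling pointer rather than relying on every caller to remember which path already released the buffer.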