Martin Pool's blog

CVS/Subversion vulnerability

As if on cue, a vulnerability in CVS and Subversion was announced, which allows remote compromise of machines that publish read-only repositories.

I don't mention it to be mean to the Subversion or CVS developers. Security problems happen in complex code.

I do think it's an argument against version control systems that need custom protocols and special servers to publish code. Most of the distributed systems can do without this, and can make read-only repositories available through a static HTTP server. Arch and Darcs can do this. Monotone and Codeville seem to require their own servers.

I think this reduces security exposure because most projects are likely to have at least a static web site already. Adding read-only files containing the repository doesn't increase the surface of code in the web server that can be reached by an attacker.

There has been discussion of adding an archd daemon that can speak a more efficient protocol than HTTP. Having the option is fine, but I think it would be unfortunate if it were no longer possible to publish repositories through a web server.

To some extent you can simulate this under CVS or Subversion by copying code to a separate machine which provides a read-only public repository, but it's still a little more risky.

More on this on slashdot, and David Wheeler has an essay on SCM security.

[typos fixed 2004-05-27]
