Subject: Re: attempt to plant a back door in the Linux kernel
To: David Maxwell <david@crlf.net>
From: Andy Isaacson <adi@hexapodia.org>
List: tech-security
Date: 11/11/2003 01:25:31
On Sat, Nov 08, 2003 at 05:45:21PM -0500, David Maxwell wrote:
> On Sat, Nov 08, 2003 at 09:51:00AM -0800, Jason Thorpe wrote:
> > On Nov 7, 2003, at 10:41 AM, Steven M. Bellovin wrote:
> > >The MSNBC story ( http://www.msnbc.com/news/990343.asp?0si=- )
> > >noted that there was a security problem in CVS.
> > 
> > Err, I thought it was the BK server that was compromised?
> 
> Every commentary I have read says that it was the Public CVS export
> server. Apparently, it gets a copy of the BitKeeper sources, using a
> utility called BitMover.
> 
> It sounds like BitMover discovered, during an update, that the file on
> the export server was no longer identical to the last update copied over
> from BitKeeper. This is why the detection was automatic, and not
> dependent on someone noticing that the patch had been inserted.

Uh, this is pretty wrong.  "BitMover" is the name of the company.
"BitKeeper" is the name of the source control management software.
There's a script (fairly trivial) called bk2cvs that takes a BitKeeper
repository and converts it to CVS (losing a lot of metadata in the
process).  The result is a CVS repository, which can be accessed using
the standard CVS client (perhaps over pserver or rsh or ssh).

The BitKeeper repositories are stored on a private machine; a copy of
the repository is made on another machine, and this copy is run through
bk2cvs.  Finally the CVS repository is placed on a publicly available
machine.  (I don't know offhand if there are three different machines
involved, but at least the master BK repository and the public CVS
repository are on different machines.)

It was the CVS copy that was compromised.  There is no automatic
dataflow from the CVS repository back to the BK repository; in order for
the backdoor to reach Linus' repository it would have had to have been
sent to Linus as a patch, by some developer who used the CVS repository
as a data source.

On Sat, Nov 08, 2003 at 05:00:05PM -0500, Steven M. Bellovin wrote:
> Jason Thorpe writes:
> >On Nov 7, 2003, at 10:41 AM, Steven M. Bellovin wrote:
> >> The MSNBC story ( http://www.msnbc.com/news/990343.asp?0si=- )
> >> noted that there was a security problem in CVS.
> >
> >Err, I thought it was the BK server that was compromised?
> 
> The impression I had was that they ran a CVS mirror.  I could be wrong, 
> of course.

The server that housed the modified code was run by BitMover, and it did
presumably have BitKeeper installed, but the compromise may have sprung
from something else.  (There isn't much evidence either way that's been
made public.)  The recent exploit in CVS would be an obvious suspect,
but I don't know if the machine that was compromised was running a
vulnerable CVS server or not.


Furthermore:  when a clone is made of a BitKeeper repository, the
resulting repository is a fully functional duplicate of its parent.
Every peer who has downloaded a copy of the Linux BK tree has a complete
revision history, so there's no master copy to compromise -- if Linus'
tree were modified by an intruder, he would be able to compare it
against any other copy of the tree to find the changes.  (And in fact,
Linus has several trees; the ones on his main work machine and the ones
on kernel.bkbits.net, to start.)   It's not completely secure, but BK
does make the attacker's job enormously more difficult than a
centralized, there-is-one-repository CVS system.

-andy
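An added example, not code from this thread, from BitKeeper or from the bk2cvs script: the check Andy describes (compare one copy of the tree against any other to find what an intruder changed) reduces to hashing every file in two trees and listing the paths whose contents differ, are missing, or are extra. The same comparison applies to the export path discussed earlier, checking a derived public copy against the source it was generated from. The two sample trees below are constructed in a temporary directory with invented file names and contents so the script runs offline; the "tampered" file is a placeholder, not the actual change from the incident.

```python
"""Detect files that differ between two copies of a source tree.

Usage: run the file; it builds a small authoritative tree and a copy,
alters the copy, and prints every path whose contents diverge.
"""
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each file path (relative to root, POSIX form) to the SHA-256 of its bytes."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            digests[path.relative_to(root).as_posix()] = digest
    return digests


def compare_trees(authoritative, copy):
    """Return sorted lists of paths that are modified, missing or extra in `copy`.

    A result with three empty lists means the copy is byte-for-byte identical.
    """
    reference = tree_digests(authoritative)
    candidate = tree_digests(copy)
    return {
        "modified": sorted(p for p in reference if p in candidate and reference[p] != candidate[p]),
        "missing": sorted(p for p in reference if p not in candidate),
        "extra": sorted(p for p in candidate if p not in reference),
    }


def build_sample_trees(base):
    """Construct a master tree and a copy, then tamper with the copy.

    Constructed sample data: the file names and contents are invented and
    stand in for any two clones or for a source tree and its export.
    """
    files = {
        "src/main.c": "int main(void) { return 0; }\n",
        "src/util.c": "int helper(int x) { return x + 1; }\n",
        "README": "sample tree\n",
    }
    master = Path(base) / "master"
    mirror = Path(base) / "mirror"
    for rel, text in files.items():
        for root in (master, mirror):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
    # Tamper with the copy only: one file altered, one file added.
    (mirror / "src/util.c").write_text("int helper(int x) { return x + 2; }\n")
    (mirror / "src/extra.c").write_text("/* not present in master */\n")
    # A file present only in the master, so the copy is also incomplete.
    (master / "src/fork.c").write_text("int spawn(void) { return 0; }\n")
    return master, mirror


def demo():
    """Build the sample trees and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        master, mirror = build_sample_trees(tmp)
        return compare_trees(master, mirror)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind}: {path}")
```

Because every BitKeeper clone carries the full history, the `authoritative` argument can be any independently held clone rather than a single trusted master; a single altered tree stands out against the rest, whereas a lone central repository gives nothing to compare against.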