CERT Coordination Center

Concurrent Versions System (CVS) server improperly deallocates memory

Vulnerability Note VU#650937

Original Release Date: 2003-01-21 | Last Revised: 2003-08-20

Overview

A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow a remote attacker to execute arbitrary code or commands or cause a denial of service on a vulnerable system.

Description

CVS is a source code maintenance system that is widely used by open-source software development projects.

The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code. The CVS server process is commonly started by the Internet services daemon (inetd) and run with root privileges.
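As an added illustration (written for this note; it is not CVS source code and not the actual CVS 1.11.5 fix), the hypothetical C model below contrasts the defect class described above, an error-checking routine that releases a buffer its caller also releases, with a single-owner version in which every path frees exactly once. The request strings and the validation rule are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a server-side directory-change handler: the server
 * copies the directory name supplied by the client, hands it to a checking
 * routine, and releases it when the request is done. Constructed for this
 * note; it does not reproduce CVS internals. */

/* Portable replacement for strdup(), which C99 does not declare. */
static char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Buggy pattern, the class of defect the note describes: the checking
 * routine frees the buffer on failure, and the caller frees it again on the
 * same error path. Shown for contrast only and never called below; a modern
 * allocator aborts on the second free(), and a build with
 * -fsanitize=address reports the double free at that call. */
int check_dir_buggy(char *dir)
{
    if (dir[0] == '/' || strstr(dir, "..") != NULL) {
        free(dir);            /* first free() */
        return -1;
    }
    return 0;
}

int handle_dir_buggy(const char *request)
{
    char *dir = dup_name(request);
    if (dir == NULL)
        return -1;
    if (check_dir_buggy(dir) != 0) {
        free(dir);            /* second free() of the same block */
        return -1;
    }
    free(dir);
    return 0;
}

/* Hardened pattern: the checker only inspects and reports, ownership stays
 * with the caller, and there is a single release point reached by every
 * path. Clearing the pointer afterwards turns any later stray free() into
 * a harmless no-op instead of heap corruption. */
static int check_dir(const char *dir)
{
    /* reject empty, absolute, or parent-traversing names (example rule) */
    if (dir[0] == '\0' || dir[0] == '/' || strstr(dir, "..") != NULL)
        return -1;
    return 0;
}

int handle_dir(const char *request)
{
    char *dir = dup_name(request);
    int rc;

    if (dir == NULL)
        return -1;
    rc = check_dir(dir);      /* 0 = accepted, -1 = rejected */
    free(dir);                /* exactly one free() on every path */
    dir = NULL;
    return rc;
}
```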

CVS clients are not affected.

Impact

Depending on configuration, operating system, and platform architecture, a remote attacker with anonymous read-only access to a vulnerable CVS server could execute arbitrary code, read sensitive information, or cause a denial of service. There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include trojan horses, backdoors, or other malicious code.

Solution

Patch or Upgrade

Apply the appropriate patch or upgrade as specified by your vendor. This vulnerability is resolved in CVS 1.11.5.

Disable CVS Server

Until patches are available and can be applied, consider disabling the CVS server.

Disable Anonymous CVS Access

Disable anonymous access to the CVS server.

Block or Restrict Access

Block or restrict access to the CVS server from untrusted hosts and networks. The CVS server typically listens on 2401/tcp, but may use another port or protocol.

Limit CVS Server Privileges

    • Configure CVS server to run in a restricted (chroot) environment.
    • Run CVS servers with the minimum set of privileges required on the host file system.
    • Provide separate systems for development (write) and public/anonymous (read-only) CVS access.
    • Host public/anonymous CVS servers on single-purpose, secured systems.

Note that none of these workarounds will prevent exploitation of this vulnerability. These workarounds will only limit the scope and impact of possible attacks. Other features inherent in CVS may give anonymous users the ability to gain shell access.

Vendor Information

Apple Computer Inc. Affected

Notified:  January 21, 2003 Updated: August 20, 2003

Status

Affected

Vendor Statement

Apple: Not Vulnerable. The underlying code in Mac OS X is not susceptible to the vulnerability described in this notice.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Based on source code analysis, cvs-29 from the Darwin Projects Directory appears to be vulnerable. However, the Apple OS X malloc(3) implementation (phkmalloc) may safely handle the double-free condition. If malloc(3) is configured such that all warnings are fatal ("A" option), the impact of this vulnerability on Darwin cvs-29 may be limited to a denial of service.

Darwin cvs-29 may not be the same cvs code that is shipped with the Apple OS X Developer Tools package.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVS Home Affected

Updated:  January 22, 2003

Status

Affected

Vendor Statement

CVS release 1.11.5 addresses this issue for CVS servers. CVS clients are not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51>

CVSNT Affected

Updated:  February 14, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

According to the sordid history of CVSNT, this issue was addressed in CVSNT 1.11.1.3-68:

<http://www.cvsnt.org/>

<http://www.cvsnt.org/pipermail/cvsnt/2003-January/004878.html>

<http://cvs.cvsnt.org/cgi-bin/viewcvs.cgi/cvsnt/src/server.c.diff?r1=1.59.4.40&r2=1.59.4.41>

Conectiva Affected

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Affected

Vendor Statement

Conectiva Linux is affected by this issue and updated packages are available at ftp://atualizacoes.conectiva.com.br/:

6.0/SRPMS/cvs-1.10.8-5U60_3cl.src.rpm
6.0/RPMS/cvs-1.10.8-5U60_3cl.i386.rpm
6.0/RPMS/cvs-doc-1.10.8-5U60_3cl.i386.rpm
7.0/SRPMS/cvs-1.11-7U70_2cl.src.rpm
7.0/RPMS/cvs-1.11-7U70_2cl.i386.rpm
7.0/RPMS/cvs-doc-1.11-7U70_2cl.i386.rpm
8/SRPMS/cvs-1.11-9U80_2cl.i386.rpm
8/RPMS/cvs-1.11-9U80_2cl.i386.rpm
8/RPMS/cvs-doc-1.11-9U80_2cl.i386.rpm

An official announcement is pending and will show up in our updates website at http://distro.conectiva.com.br/atualizacoes?idioma=en shortly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Affected

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Affected

Vendor Statement

Cray Inc. supports CVS through their Cray Open Software (COS) package. COS 3.3 and earlier is vulnerable. A new CVS will be available shortly. Please contact your local Cray service representative if you need this new package.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified:  January 21, 2003 Updated: January 22, 2003

Status

Affected

Vendor Statement

Debian has updated their distribution with DSA 233.

http://www.debian.org/security/2003/dsa-233

For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-8.1.

For the old stable distribution (potato) this problem has been fixed in version 1.10.7-9.2.

For the unstable distribution (sid) this problem will be fixed soon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Affected

Notified:  January 21, 2003 Updated: February 04, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:01.cvs.asc>

Gentoo Linux Affected

Updated:  February 03, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://forums.gentoo.org/viewtopic.php?t=31285>

IBM Affected

Notified:  January 21, 2003 Updated: January 22, 2003

Status

Affected

Vendor Statement

The AIX operating system does not ship with CVS. However, CVS is available for installation on AIX from the Linux Affinity Toolbox.

CVS versions 1.11.1p1-2 and earlier are vulnerable to the issues discussed in CERT Vulnerability Note VU#650937 and any advisories which follow.

Users are advised to download CVS 1.11.1p1-3 from:

ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/cvs/cvs-1.11.1p1-3.aix4.3.ppc.rpm

CVS 1.11.1p1-3 contains the security fixes made in CVS 1.11.5 to address these issues.

This software is offered on an "as-is" basis.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Affected

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:009>

NetBSD Affected

Notified:  January 21, 2003 Updated: February 04, 2003

Status

Affected

Vendor Statement

The NetBSD project's CVS servers are constructed such that this issue exposed no vulnerability. Nevertheless the fix was applied, and incorporated into the in-tree version of CVS for the benefit of NetBSD users who may be offering their own CVS services.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/cvs/patches/patch-ar#rev1.8>

OpenBSD Affected

Notified:  January 21, 2003 Updated: April 04, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.openbsd.org/errata32.html#cvs>

<http://www.openbsd.org/errata31.html#cvs>

OpenPKG Affected

Updated:  February 03, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.openpkg.org/security/OpenPKG-SA-2003.004-cvs.html>

Red Hat Inc. Affected

Notified:  January 21, 2003 Updated: February 03, 2003

Status

Affected

Vendor Statement

Red Hat Linux and Red Hat Linux Advanced Server shipped with a cvs package vulnerable to these issues. New cvs packages are now available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Linux Advanced Server:
http://rhn.redhat.com/errata/RHSA-2003-013.html
Red Hat Linux:
http://rhn.redhat.com/errata/RHSA-2003-012.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Slackware Affected

Updated:  February 03, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.212920>

SuSE Inc. Affected

Notified:  January 21, 2003 Updated: February 14, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.suse.com/de/security/2003_007_cvs.html>

Sun Microsystems Inc. Affected

Notified:  January 21, 2003 Updated: August 19, 2003

Status

Affected

Vendor Statement

Sun does not include CVS with Solaris and therefore Solaris is not affected by this issue. Sun does provide CVS on the Solaris Companion CD:

http://wwws.sun.com/software/solaris/freeware/index.html
as an unsupported package which installs to /opt/sfw and is vulnerable to this issue. Sites using the freeware version of CVS from the Solaris Companion CD will have to upgrade to a later version from CVS Home.

Sun Linux, versions 5.0.3 and below, does ship with a vulnerable CVS package. Sun recommends that CVS services be disabled on affected Sun Linux systems until patches are available for this issue.

Sun will be publishing a Sun Alert for Sun Linux describing the patch information which will be available from:

http://sunsolve.Sun.COM

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Cobalt Legacy Products and Linux 5.0.3 are vulnerable:

<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50439&zone_32=category:security>

The SCO Group Affected

Notified:  January 21, 2003 Updated: February 03, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-006.0.txt>

Wirex Affected

Notified:  January 21, 2003 Updated: April 08, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.securityfocus.com/archive/1/317685/2003-04-05/2003-04-11/0>

Fujitsu Not Affected

Notified:  January 21, 2003 Updated: February 03, 2003

Status

Not Affected

Vendor Statement

Fujitsu's UXP/V o.s. is not vulnerable to the problem reported in VU#650937 because it does not support CVS server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hitachi Not Affected

Notified:  January 21, 2003 Updated: February 04, 2003

Status

Not Affected

Vendor Statement

GR2000 router does not contain any parts of the CVS. Therefore, it is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks Not Affected

Notified:  January 21, 2003 Updated: February 14, 2003

Status

Not Affected

Vendor Statement

Ingrian Networks platforms are not vulnerable to VU#650937.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Not Affected

Notified:  January 21, 2003 Updated: February 04, 2003

Status

Not Affected

Vendor Statement

Subject: VU650937

sent on January 23, 2003

[Server Products]

    • EWS/UP 48 Series operating system is NOT vulnerable, which does not include CVS.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Not Affected

Notified:  January 21, 2003 Updated: February 04, 2003

Status

Not Affected

Vendor Statement

We don't yet re-distribute CVS in Openwall GNU/*/Linux.

We do, however, provide public anonymous CVS access to a copy of our repository, hosted off a separate machine and in a chroot jail. This kind of vulnerability in CVS was expected, and our anoncvs setup is mostly resistant to them: read-only access to the repository is achieved primarily with the use of regular Unix permissions, not controls built into CVS. The CVS LockDir option is used to direct CVS lock files to a separate directory tree, actually writable to the pseudo-user. Nevertheless, the anoncvs server was upgraded to CVS 1.11.5 a few hours after it was released.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Inc. Unknown

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Unknown

Notified:  January 21, 2003 Updated: February 14, 2003

Status

Unknown

Vendor Statement

SOURCE: Hewlett-Packard Company and Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company

RE: x-reference SSRT3463

Not Vulnerable:
HP-UX
HP-MPE/ix
HP Tru64 UNIX
HP NonStop Servers
HP OpenVMS

To report any security issue for any HP software products send email to security-alert@hp.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Secure OS Software for Linux may be affected.

MontaVista Software Unknown

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia Unknown

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc. Unknown

Notified:  January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

References

Acknowledgements

This vulnerability was publicly reported by Stefan Esser of e-matters.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2003-0015
CERT Advisory: CA-2003-02
Severity Metric: 40.10
Date Public: 2003-01-20
Date First Published: 2003-01-21
Date Last Updated: 2003-08-20 20:12 UTC
Document Revision: 33

Sponsored by CISA.