CERT VU#650937
History: Jan 21, 2003 - 12:00 a.m.

Concurrent Versions System (CVS) server improperly deallocates memory

2003-01-21 00:00:00
www.kb.cert.org
CVSS2: 7.5 High

* Attack Vector: NETWORK
* Attack Complexity: LOW
* Authentication: NONE
* Confidentiality Impact: PARTIAL
* Integrity Impact: PARTIAL
* Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.296 Low (Percentile: 96.9%)

Overview

A “double-free” vulnerability in the Concurrent Versions System (CVS) server could allow a remote attacker to execute arbitrary code or commands or cause a denial of service on a vulnerable system.

Description

CVS is a source code maintenance system that is widely used by open-source software development projects.

The CVS server component contains a “double-free” vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code. The CVS server process is commonly started by the Internet services daemon (inetd) and run with root privileges.

CVS clients are not affected.
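
The error-path pattern described above, modelled in C as an added example (this is not CVS source code and not part of the advisory). The `session` struct, the empty-name check, the slot allocator and the request sequences are hypothetical stand-ins, built so that a repeated release is counted rather than reaching a real heap.

```c
#include <stdio.h>
#include <string.h>

/* Constructed slot allocator standing in for malloc()/free(): releasing a
 * slot that is not in use is counted instead of corrupting a real heap. */
#define SLOTS 4
#define SLOT_SIZE 64
static char arena[SLOTS * SLOT_SIZE];
static int in_use[SLOTS];
static int double_frees;

static char *slot_alloc(size_t n)
{
    if (n > SLOT_SIZE) return NULL;
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return arena + i * SLOT_SIZE; }
    return NULL;
}

static void slot_free(char *p)
{
    if (p == NULL) return;
    int i = (int)((p - arena) / SLOT_SIZE);
    if (in_use[i]) in_use[i] = 0;
    else double_frees++;              /* same reference released twice */
}

struct session { char *dir_name; };   /* hypothetical per-connection state */

/* Hypothetical error check: an empty directory name is rejected. */
static int dir_ok(const char *dir) { return dir[0] != '\0'; }

/* Flawed: releases the old name, then the error path returns while
 * s->dir_name still holds the released reference. */
static int switch_dir_flawed(struct session *s, const char *dir)
{
    slot_free(s->dir_name);
    if (!dir_ok(dir)) return -1;
    s->dir_name = slot_alloc(strlen(dir) + 1);
    if (s->dir_name == NULL) return -1;
    strcpy(s->dir_name, dir);
    return 0;
}

/* Hardened: the reference is cleared immediately after release, so every
 * later path (error return, next request, teardown) sees NULL. */
static int switch_dir_hardened(struct session *s, const char *dir)
{
    slot_free(s->dir_name);
    s->dir_name = NULL;
    if (!dir_ok(dir)) return -1;
    s->dir_name = slot_alloc(strlen(dir) + 1);
    if (s->dir_name == NULL) return -1;
    strcpy(s->dir_name, dir);
    return 0;
}

/* Constructed request sequences (not captured traffic). */
static const char *const SAMPLE[] = { "src", "", "doc" };
static const char *const BENIGN[] = { "src", "doc" };

/* Runs one session over the requests and returns the repeated releases. */
static int replay(int (*handler)(struct session *, const char *),
                  const char *const *reqs, size_t n)
{
    struct session s = { NULL };
    memset(in_use, 0, sizeof in_use);
    double_frees = 0;
    for (size_t i = 0; i < n; i++)
        handler(&s, reqs[i]);
    slot_free(s.dir_name);            /* session teardown */
    return double_frees;
}

int main(void)
{
    printf("flawed, rejected request: %d\n", replay(switch_dir_flawed, SAMPLE, 3));
    printf("hardened, same requests:  %d\n", replay(switch_dir_hardened, SAMPLE, 3));
    printf("flawed, valid requests:   %d\n", replay(switch_dir_flawed, BENIGN, 2));
    return 0;
}
```

The flawed handler behaves correctly until a request is rejected, which is why this class of bug survives ordinary functional testing and is usually found by review or by running the server under an allocator that aborts on a repeated release.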


Impact

Depending on configuration, operating system, and platform architecture, a remote attacker with anonymous read-only access to a vulnerable CVS server could execute arbitrary code, read sensitive information, or cause a denial of service. There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include trojan horses, backdoors, or other malicious code.


Solution

Patch or Upgrade

Apply the appropriate patch or upgrade as specified by your vendor. This vulnerability is resolved in CVS 1.11.5.


Disable CVS Server

Until patches are available and can be applied, consider disabling the CVS server.

Disable Anonymous CVS Access

Disable anonymous access to the CVS server.

Block or Restrict Access

Block or restrict access to the CVS server from untrusted hosts and networks. The CVS server typically listens on 2401/tcp, but may use another port or protocol.

Limit CVS Server Privileges

* Configure CVS server to run in a restricted (`chroot`) environment.
* Run CVS servers with the minimum set of privileges required on the host file system.
* Provide separate systems for development (write) and public/anonymous (read-only) CVS access.
* Host public/anonymous CVS servers on single-purpose, secured systems.

Note that none of these workarounds will prevent exploitation of this vulnerability. These workarounds will only limit the scope and impact of possible attacks. Other features inherent in CVS may give anonymous users the ability to gain shell access.

Vendor Information

Apple Computer Inc. Affected

Notified: January 21, 2003 Updated: August 20, 2003

Status

Affected

Vendor Statement

Apple: Not Vulnerable. The underlying code in Mac OS X is not susceptible to the vulnerability described in this notice.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Based on source code analysis, cvs-29 from the Darwin Projects Directory appears to be vulnerable. However, the Apple OS X malloc(3) implementation (phkmalloc) may safely handle the double-free condition. If malloc(3) is configured such that all warnings are fatal (“A” option), the impact of this vulnerability on Darwin cvs-29 may be limited to a denial of service.

Darwin cvs-29 may not be the same cvs code that is shipped with the Apple OS X Developer Tools package.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23650937 Feedback>).

CVS Home Affected

Updated: January 22, 2003

Status

Affected

Vendor Statement

CVS release 1.11.5 addresses this issue for CVS servers. CVS clients are not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51>

CVSNT Affected

Updated: February 14, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

According to the sordid history of CVSNT, this issue was addressed in CVSNT 1.11.1.3-68:

<http://www.cvsnt.org/>

<http://www.cvsnt.org/pipermail/cvsnt/2003-January/004878.html>

<http://cvs.cvsnt.org/cgi-bin/viewcvs.cgi/cvsnt/src/server.c.diff?r1=1.59.4.40&r2=1.59.4.41>

Conectiva Affected

Notified: January 21, 2003 Updated: January 21, 2003

Status

Affected

Vendor Statement

Conectiva Linux is affected by this issue and updated packages are available at <ftp://atualizacoes.conectiva.com.br/>:

6.0/SRPMS/cvs-1.10.8-5U60_3cl.src.rpm
6.0/RPMS/cvs-1.10.8-5U60_3cl.i386.rpm
6.0/RPMS/cvs-doc-1.10.8-5U60_3cl.i386.rpm
7.0/SRPMS/cvs-1.11-7U70_2cl.src.rpm
7.0/RPMS/cvs-1.11-7U70_2cl.i386.rpm
7.0/RPMS/cvs-doc-1.11-7U70_2cl.i386.rpm
8/SRPMS/cvs-1.11-9U80_2cl.i386.rpm
8/RPMS/cvs-1.11-9U80_2cl.i386.rpm
8/RPMS/cvs-doc-1.11-9U80_2cl.i386.rpm

An official announcement is pending and will show up in our updates website at <http://distro.conectiva.com.br/atualizacoes?idioma=en> shortly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Affected

Notified: January 21, 2003 Updated: January 21, 2003

Status

Affected

Vendor Statement

Cray Inc. supports CVS through their Cray Open Software (COS) package. COS 3.3 and earlier is vulnerable. A new CVS will be available shortly. Please contact your local Cray service representative if you need this new package.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified: January 21, 2003 Updated: January 22, 2003

Status

Affected

Vendor Statement

Debian has updated their distribution with DSA 233.

<http://www.debian.org/security/2003/dsa-233>

For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-8.1.

For the old stable distribution (potato) this problem has been fixed in version 1.10.7-9.2.

For the unstable distribution (sid) this problem will be fixed soon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Affected

Notified: January 21, 2003 Updated: February 04, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:01.cvs.asc>

Gentoo Linux Affected

Updated: February 03, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://forums.gentoo.org/viewtopic.php?t=31285>

IBM Affected

Notified: January 21, 2003 Updated: January 22, 2003

Status

Affected

Vendor Statement

The AIX operating system does not ship with CVS. However, CVS is available for installation on AIX from the Linux Affinity Toolbox.

CVS versions 1.11.1p1-2 and earlier are vulnerable to the issues discussed in CERT Vulnerability Note VU#650937 and any advisories which follow.

Users are advised to download CVS 1.11.1p1-3 from:

ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/cvs/
cvs-1.11.1p1-3.aix4.3.ppc.rpm

Please note that the above address was wrapped to two lines.

CVS 1.11.1p1-3 contains the security fixes made in CVS 1.11.5 to address these issues.

This software is offered on an “as-is” basis.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Affected

Notified: January 21, 2003 Updated: January 21, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:009>

NetBSD Affected

Notified: January 21, 2003 Updated: February 04, 2003

Status

Affected

Vendor Statement

The NetBSD project’s CVS servers are constructed such that this issue exposed no vulnerability. Nevertheless the fix was applied, and incorporated into the in-tree version of CVS for the benefit of NetBSD users who may be offering their own CVS services.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/cvs/patches/patch-ar#rev1.8>

OpenBSD Affected

Notified: January 21, 2003 Updated: April 04, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.openbsd.org/errata32.html#cvs>

<http://www.openbsd.org/errata31.html#cvs>

OpenPKG Affected

Updated: February 03, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.openpkg.org/security/OpenPKG-SA-2003.004-cvs.html>

Red Hat Inc. Affected

Notified: January 21, 2003 Updated: February 03, 2003

Status

Affected

Vendor Statement

Red Hat Linux and Red Hat Linux Advanced Server shipped with a cvs package vulnerable to these issues. New cvs packages are now available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the ‘up2date’ tool.

Red Hat Linux Advanced Server:
<http://rhn.redhat.com/errata/RHSA-2003-013.html>
Red Hat Linux:
<http://rhn.redhat.com/errata/RHSA-2003-012.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Slackware Affected

Updated: February 03, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.212920>

SuSE Inc. Affected

Notified: January 21, 2003 Updated: February 14, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.suse.com/de/security/2003_007_cvs.html>

Sun Microsystems Inc. Affected

Notified: January 21, 2003 Updated: August 19, 2003

Status

Affected

Vendor Statement

Sun does not include CVS with Solaris and therefore Solaris is not affected by this issue. Sun does provide CVS on the Solaris Companion CD:

<http://wwws.sun.com/software/solaris/freeware/index.html>
as an unsupported package which installs to /opt/sfw and is vulnerable to this issue. Sites using the freeware version of CVS from the Solaris Companion CD will have to upgrade to a later version from CVS Home.

Sun Linux, versions 5.0.3 and below, does ship with a vulnerable CVS package. Sun recommends that CVS services be disabled on affected Sun Linux systems until patches are available for this issue.

Sun will be publishing a Sun Alert for Sun Linux describing the patch information which will be available from:

<http://sunsolve.Sun.COM>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Cobalt Legacy Products and Linux 5.0.3 are vulnerable:

<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50439&zone_32=category:security>

The SCO Group Affected

Notified: January 21, 2003 Updated: February 03, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-006.0.txt>

Wirex Affected

Notified: January 21, 2003 Updated: April 08, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.securityfocus.com/archive/1/317685/2003-04-05/2003-04-11/0>

Fujitsu Not Affected

Notified: January 21, 2003 Updated: February 03, 2003

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V o.s. is not vulnerable to the problem reported in VU#650937 because it does not support CVS server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hitachi Not Affected

Notified: January 21, 2003 Updated: February 04, 2003

Status

Not Affected

Vendor Statement

GR2000 router does not contain any parts of the CVS. Therefore, it is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks Not Affected

Notified: January 21, 2003 Updated: February 14, 2003

Status

Not Affected

Vendor Statement

Ingrian Networks platforms are not vulnerable to VU#650937.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Not Affected

Notified: January 21, 2003 Updated: February 04, 2003

Status

Not Affected

Vendor Statement

Subject: VU650937

sent on January 23, 2003

[Server Products]

* EWS/UP 48 Series operating system

- is NOT vulnerable, which does not include CVS.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Not Affected

Notified: January 21, 2003 Updated: February 04, 2003

Status

Not Affected

Vendor Statement

We don’t yet re-distribute CVS in Openwall GNU/*/Linux.

We do, however, provide public anonymous CVS access to a copy of our repository, hosted off a separate machine and in a chroot jail. This kind of vulnerability in CVS was expected, and our anoncvs setup is mostly resistant to them: read-only access to the repository is achieved primarily with the use of regular Unix permissions, not controls built into CVS. CVS LockDir option is used to direct CVS lock files to a separate directory tree, actually writable to the pseudo-user. Nevertheless, the anoncvs server has been upgraded to CVS 1.11.5 a few hours after it was released.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified: January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Inc. Unknown

Notified: January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Unknown

Notified: January 21, 2003 Updated: February 14, 2003

Status

Unknown

Vendor Statement

SOURCE: Hewlett-Packard Company and Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company

RE: x-reference SSRT3463

Not Vulnerable:
HP-UX
HP-MPE/ix
HP Tru64 UNIX
HP NonStop Servers
HP OpenVMS

To report any security issue for any HP software products send email to [email protected]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Secure OS Software for Linux may be affected.

MontaVista Software Unknown

Notified: January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia Unknown

Notified: January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified: January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified: January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified: January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified: January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc. Unknown

Notified: January 21, 2003 Updated: January 21, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Acknowledgements

This vulnerability was publicly reported by Stefan Esser of e-matters.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2003-0015
CERT Advisory: CA-2003-02 Severity Metric:
