Vulnerability Note VU#650937
Concurrent Versions System (CVS) server improperly deallocates memory
A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow a remote attacker to execute arbitrary code or commands or cause a denial of service on a vulnerable system.
CVS is a source code maintenance system that is widely used by open-source software development projects.
The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code. The CVS server process is commonly started by the Internet services daemon (inetd) and run with root privileges.
Depending on configuration, operating system, and platform architecture, a remote attacker with anonymous read-only access to a vulnerable CVS server could execute arbitrary code, read sensitive information, or cause a denial of service. There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include trojan horses, backdoors, or other malicious code.
Disable CVS Server
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apple Computer Inc.||Affected||20 Jan 2003||20 Aug 2003|
|Conectiva||Affected||20 Jan 2003||21 Jan 2003|
|Cray Inc.||Affected||20 Jan 2003||21 Jan 2003|
|CVS Home||Affected||-||22 Jan 2003|
|CVSNT||Affected||-||14 Feb 2003|
|Debian||Affected||20 Jan 2003||22 Jan 2003|
|FreeBSD||Affected||20 Jan 2003||04 Feb 2003|
|Gentoo Linux||Affected||-||03 Feb 2003|
|IBM||Affected||20 Jan 2003||22 Jan 2003|
|MandrakeSoft||Affected||20 Jan 2003||21 Jan 2003|
|NetBSD||Affected||20 Jan 2003||04 Feb 2003|
|OpenBSD||Affected||20 Jan 2003||04 Apr 2003|
|OpenPKG||Affected||-||03 Feb 2003|
|Red Hat Inc.||Affected||20 Jan 2003||03 Feb 2003|
|Slackware||Affected||-||03 Feb 2003|
CVSS Metrics (Learn More)
This document was written by Art Manion.
- CVE IDs: CAN-2003-0015
- CERT Advisory: CA-2003-02
- Date Public: 20 Jan 2003
- Date First Published: 21 Jan 2003
- Date Last Updated: 20 Aug 2003
- Severity Metric: 40.10
- Document Revision: 33
If you have feedback, comments, or additional information about this vulnerability, please send us email.