Vulnerability Note VU#650937

Concurrent Versions System (CVS) server improperly deallocates memory

Original Release date: 21 Jan 2003 | Last revised: 20 Aug 2003


A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow a remote attacker to execute arbitrary code or commands or cause a denial of service on a vulnerable system.


CVS is a source code maintenance system that is widely used by open-source software development projects.

The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code. The CVS server process is commonly started by the Internet services daemon (inetd) and run with root privileges.

CVS clients are not affected.


Depending on configuration, operating system, and platform architecture, a remote attacker with anonymous read-only access to a vulnerable CVS server could execute arbitrary code, read sensitive information, or cause a denial of service. There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include trojan horses, backdoors, or other malicious code.


Patch or Upgrade

    Apply the appropriate patch or upgrade as specified by your vendor. This vulnerability is resolved in CVS 1.11.5.

Disable CVS Server

    Until patches are available and can be applied, consider disabling the CVS server.
Disable Anonymous CVS Access
    Disable anonymous access to the CVS server.
Block or Restrict Access
    Block or restrict access to the CVS server from untrusted hosts and networks. The CVS server typically listens on 2401/tcp, but may use another port or protocol.
Limit CVS Server Privileges
  • Configure CVS server to run in a restricted (chroot) environment.
  • Run CVS servers with the minimum set of privileges required on the host file system.
  • Provide separate systems for development (write) and public/anonymous (read-only) CVS access.
  • Host public/anonymous CVS servers on single-purpose, secured systems.
Note that none of these workarounds will prevent exploitation of this vulnerability. These workarounds will only limit the scope and impact of possible attacks. Other features inherent in CVS may give anonymous users the ability to gain shell access.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Affected20 Jan 200320 Aug 2003
ConectivaAffected20 Jan 200321 Jan 2003
Cray Inc.Affected20 Jan 200321 Jan 2003
CVS HomeAffected-22 Jan 2003
CVSNTAffected-14 Feb 2003
DebianAffected20 Jan 200322 Jan 2003
FreeBSDAffected20 Jan 200304 Feb 2003
Gentoo LinuxAffected-03 Feb 2003
IBMAffected20 Jan 200322 Jan 2003
MandrakeSoftAffected20 Jan 200321 Jan 2003
NetBSDAffected20 Jan 200304 Feb 2003
OpenBSDAffected20 Jan 200304 Apr 2003
OpenPKGAffected-03 Feb 2003
Red Hat Inc.Affected20 Jan 200303 Feb 2003
SlackwareAffected-03 Feb 2003
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was publicly reported by Stefan Esser of e-matters.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2003-0015
  • CERT Advisory: CA-2003-02
  • Date Public: 20 Jan 2003
  • Date First Published: 21 Jan 2003
  • Date Last Updated: 20 Aug 2003
  • Severity Metric: 40.10
  • Document Revision: 33


If you have feedback, comments, or additional information about this vulnerability, please send us email.