A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow a remote attacker to execute arbitrary code or commands or cause a denial of service on a vulnerable system.
CVS is a source code maintenance system that is widely used by open-source software development projects.
The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code. The CVS server process is commonly started by the Internet services daemon (inetd) and run with root privileges.
Depending on configuration, operating system, and platform architecture, a remote attacker with anonymous read-only access to a vulnerable CVS server could execute arbitrary code, read sensitive information, or cause a denial of service. There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include trojan horses, backdoors, or other malicious code.
Disable CVS Server
Apple Computer Inc. Affected
CVS Home Affected
Cray Inc. Affected
Gentoo Linux Affected
Red Hat Inc. Affected
SuSE Inc. Affected
Sun Microsystems Inc. Affected
The SCO Group Affected
Fujitsu Not Affected
Hitachi Not Affected
Ingrian Networks Not Affected
NEC Corporation Not Affected
Openwall GNU/*/Linux Not Affected
Data General Unknown
Guardian Digital Inc. Unknown
Hewlett-Packard Company Unknown
MontaVista Software Unknown
Sony Corporation Unknown
Wind River Systems Inc. Unknown
This vulnerability was publicly reported by Stefan Esser of e-matters.
This document was written by Art Manion.