CERT Coordination Center


Concurrent Versions System (CVS) server improperly deallocates memory

Vulnerability Note VU#650937

Original Release Date: 2003-01-21 | Last Revised: 2003-08-20

Overview

A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow a remote attacker to execute arbitrary code or commands or cause a denial of service on a vulnerable system.

Description

CVS is a source code maintenance system that is widely used by open-source software development projects.

The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code. The CVS server process is commonly started by the Internet services daemon (inetd) and run with root privileges.
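The bug class the note describes, shown as an added, constructed C example (not CVS source): an error-checking path that frees a buffer which the shared cleanup then frees again, beside the fix of clearing the pointer so the second free() becomes a no-op. The tracking allocator t_malloc/t_free, the handler names and the ".." path check are hypothetical; the tracker counts the second free, much as a checking malloc(3) or a sanitizer would flag it, instead of corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in this note; not CVS source.
 * t_malloc/t_free are a hypothetical tracking allocator standing in for a
 * checking malloc(3) or a sanitizer: a second free of a block that is no
 * longer live is counted instead of silently corrupting the heap. */
#define MAX_LIVE 16
static void *live_blocks[MAX_LIVE];
static int double_frees;

static void *t_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live_blocks[i]) { live_blocks[i] = p; return p; }
    free(p);                 /* NULL or tracker full: report failure */
    return NULL;
}

static void t_free(void *p)
{
    if (!p) return;          /* free(NULL) is a no-op, as with free() */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live_blocks[i] == p) { live_blocks[i] = NULL; free(p); return; }
    double_frees++;          /* block already released: the double free */
}

int double_free_count(void) { return double_frees; }

/* Vulnerable shape: the directory argument is copied, the check for a path
 * that escapes the repository frees the copy on the error path, and the
 * shared cleanup at the end frees it a second time. Returns 0 or -1. */
int handle_directory_vulnerable(const char *arg)
{
    int rc = 0;
    char *dir = t_malloc(strlen(arg) + 1);
    if (!dir) return -1;
    strcpy(dir, arg);
    if (strstr(dir, "..") != NULL) {
        t_free(dir);         /* first free, on the error path */
        rc = -1;
    }
    t_free(dir);             /* second free of the same block when rc == -1 */
    return rc;
}

/* Fixed shape: the error path clears the pointer after freeing it, so the
 * shared cleanup sees NULL and the block is released exactly once. */
int handle_directory_fixed(const char *arg)
{
    int rc = 0;
    char *dir = t_malloc(strlen(arg) + 1);
    if (!dir) return -1;
    strcpy(dir, arg);
    if (strstr(dir, "..") != NULL) {
        t_free(dir);
        dir = NULL;          /* ownership is gone; the later free is a no-op */
        rc = -1;
    }
    t_free(dir);
    return rc;
}
```

Running the vulnerable handler on a rejected path raises the tracker's count by one; the fixed handler leaves it at zero for the same input.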

CVS clients are not affected.

Impact

Depending on configuration, operating system, and platform architecture, a remote attacker with anonymous read-only access to a vulnerable CVS server could execute arbitrary code, read sensitive information, or cause a denial of service. There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include trojan horses, backdoors, or other malicious code.

Solution

Patch or Upgrade

Apply the appropriate patch or upgrade as specified by your vendor. This vulnerability is resolved in CVS 1.11.5.

Disable CVS Server

Until patches are available and can be applied, consider disabling the CVS server.

Disable Anonymous CVS Access

Disable anonymous access to the CVS server.

Block or Restrict Access

Block or restrict access to the CVS server from untrusted hosts and networks. The CVS server typically listens on 2401/tcp, but may use another port or protocol.

Limit CVS Server Privileges

    • Configure the CVS server to run in a restricted (chroot) environment.
    • Run CVS servers with the minimum set of privileges required on the host file system.
    • Provide separate systems for development (write) and public/anonymous (read-only) CVS access.
    • Host public/anonymous CVS servers on single-purpose, secured systems.

Note that none of these workarounds will prevent exploitation of this vulnerability. These workarounds will only limit the scope and impact of possible attacks. Other features inherent in CVS may give anonymous users the ability to gain shell access.

Vendor Information

Apple Computer Inc.

Notified:  January 21, 2003 Updated:  August 20, 2003

Status

  Vulnerable

Vendor Statement

Apple: Not Vulnerable. The underlying code in Mac OS X is not susceptible to the vulnerability described in this notice.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Based on source code analysis, cvs-29 from the Darwin Projects Directory appears to be vulnerable. However, the Apple OS X malloc(3) implementation (phkmalloc) may safely handle the double-free condition. If malloc(3) is configured such that all warnings are fatal ("A" option), the impact of this vulnerability on Darwin cvs-29 may be limited to a denial of service.

Darwin cvs-29 may not be the same cvs code that is shipped with the Apple OS X Developer Tools package.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVS Home

Updated:  January 22, 2003

Status

  Vulnerable

Vendor Statement

CVS release 1.11.5 addresses this issue for CVS servers. CVS clients are not affected.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51>

CVSNT

Updated:  February 14, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

According to the sordid history of CVSNT, this issue was addressed in CVSNT 1.11.1.3-68:

<http://www.cvsnt.org/>

<http://www.cvsnt.org/pipermail/cvsnt/2003-January/004878.html>

<http://cvs.cvsnt.org/cgi-bin/viewcvs.cgi/cvsnt/src/server.c.diff?r1=1.59.4.40&r2=1.59.4.41>

Conectiva

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Vulnerable

Vendor Statement

Conectiva Linux is affected by this issue and updated packages are available at ftp://atualizacoes.conectiva.com.br/:

6.0/SRPMS/cvs-1.10.8-5U60_3cl.src.rpm
6.0/RPMS/cvs-1.10.8-5U60_3cl.i386.rpm
6.0/RPMS/cvs-doc-1.10.8-5U60_3cl.i386.rpm
7.0/SRPMS/cvs-1.11-7U70_2cl.src.rpm
7.0/RPMS/cvs-1.11-7U70_2cl.i386.rpm
7.0/RPMS/cvs-doc-1.11-7U70_2cl.i386.rpm
8/SRPMS/cvs-1.11-9U80_2cl.i386.rpm
8/RPMS/cvs-1.11-9U80_2cl.i386.rpm
8/RPMS/cvs-doc-1.11-9U80_2cl.i386.rpm

An official announcement is pending and will show up in our updates website at http://distro.conectiva.com.br/atualizacoes?idioma=en shortly.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc.

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Vulnerable

Vendor Statement

Cray Inc. supports CVS through their Cray Open Software (COS) package. COS 3.3 and earlier is vulnerable. A new CVS will be available shortly. Please contact your local Cray service representative if you need this new package.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian

Notified:  January 21, 2003 Updated:  January 22, 2003

Status

  Vulnerable

Vendor Statement

Debian has updated their distribution with DSA 233.

http://www.debian.org/security/2003/dsa-233

For the stable distribution (woody) this problem has been fixed in version 1.11.1p1debian-8.1.

For the old stable distribution (potato) this problem has been fixed in version 1.10.7-9.2.

For the unstable distribution (sid) this problem will be fixed soon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD

Notified:  January 21, 2003 Updated:  February 04, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:01.cvs.asc>

Gentoo Linux

Updated:  February 03, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://forums.gentoo.org/viewtopic.php?t=31285>

IBM

Notified:  January 21, 2003 Updated:  January 22, 2003

Status

  Vulnerable

Vendor Statement

The AIX operating system does not ship with CVS. However, CVS is available for installation on AIX from the Linux Affinity Toolbox.

CVS versions 1.11.1p1-2 and earlier are vulnerable to the issues discussed in CERT Vulnerability Note VU#650937 and any advisories which follow.

Users are advised to download CVS 1.11.1p1-3 from:

ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/cvs/
cvs-1.11.1p1-3.aix4.3.ppc.rpm

Please note that the above address was wrapped to two lines.

CVS 1.11.1p1-3 contains the security fixes made in CVS 1.11.5 to address these issues.

This software is offered on an "as-is" basis.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:009>

NetBSD

Notified:  January 21, 2003 Updated:  February 04, 2003

Status

  Vulnerable

Vendor Statement

The NetBSD project's CVS servers are constructed such that this issue exposed no vulnerability. Nevertheless the fix was applied, and incorporated into the in-tree version of CVS for the benefit of NetBSD users who may be offering their own CVS services.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/cvs/patches/patch-ar#rev1.8>

OpenBSD

Notified:  January 21, 2003 Updated:  April 04, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.openbsd.org/errata32.html#cvs>

<http://www.openbsd.org/errata31.html#cvs>

OpenPKG

Updated:  February 03, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.openpkg.org/security/OpenPKG-SA-2003.004-cvs.html>

Red Hat Inc.

Notified:  January 21, 2003 Updated:  February 03, 2003

Status

  Vulnerable

Vendor Statement

Red Hat Linux and Red Hat Linux Advanced Server shipped with a cvs package vulnerable to these issues. New cvs packages are now available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

Red Hat Linux Advanced Server:
http://rhn.redhat.com/errata/RHSA-2003-013.html
Red Hat Linux:
http://rhn.redhat.com/errata/RHSA-2003-012.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Slackware

Updated:  February 03, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2003&m=slackware-security.212920>

SuSE Inc.

Notified:  January 21, 2003 Updated:  February 14, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.suse.com/de/security/2003_007_cvs.html>

Sun Microsystems Inc.

Notified:  January 21, 2003 Updated:  August 19, 2003

Status

  Vulnerable

Vendor Statement

Sun does not include CVS with Solaris and therefore Solaris is not affected by this issue. Sun does provide CVS on the Solaris Companion CD:

http://wwws.sun.com/software/solaris/freeware/index.html
as an unsupported package which installs to /opt/sfw and is vulnerable to this issue. Sites using the freeware version of CVS from the Solaris Companion CD will have to upgrade to a later version from CVS Home.

Sun Linux, versions 5.0.3 and below, does ship with a vulnerable CVS package. Sun recommends that CVS services be disabled on affected Sun Linux systems until patches are available for this issue.

Sun will be publishing a Sun Alert for Sun Linux describing the patch information which will be available from:

http://sunsolve.Sun.COM

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Sun Cobalt Legacy Products and Linux 5.0.3 are vulnerable:

<http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50439&zone_32=category:security>

The SCO Group

Notified:  January 21, 2003 Updated:  February 03, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-006.0.txt>

Wirex

Notified:  January 21, 2003 Updated:  April 08, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.securityfocus.com/archive/1/317685/2003-04-05/2003-04-11/0>

Fujitsu

Notified:  January 21, 2003 Updated:  February 03, 2003

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V o.s. is not vulnerable to the problem reported in VU#650937 because it does not support CVS server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hitachi

Notified:  January 21, 2003 Updated:  February 04, 2003

Status

  Not Vulnerable

Vendor Statement

GR2000 router does not contain any parts of the CVS. Therefore, it is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks

Notified:  January 21, 2003 Updated:  February 14, 2003

Status

  Not Vulnerable

Vendor Statement

Ingrian Networks platforms are not vulnerable to VU#650937.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation

Notified:  January 21, 2003 Updated:  February 04, 2003

Status

  Not Vulnerable

Vendor Statement

Subject: VU650937

sent on January 23, 2003

[Server Products]

    • EWS/UP 48 Series operating system - is NOT vulnerable, which does not include CVS.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux

Notified:  January 21, 2003 Updated:  February 04, 2003

Status

  Not Vulnerable

Vendor Statement

We don't yet re-distribute CVS in Openwall GNU/*/Linux.

We do, however, provide public anonymous CVS access to a copy of our repository, hosted off a separate machine and in a chroot jail. This kind of vulnerability in CVS was expected, and our anoncvs setup is mostly resistant to them: read-only access to the repository is achieved primarily with the use of regular Unix permissions, not controls built into CVS. The CVS LockDir option is used to direct CVS lock files to a separate directory tree, actually writable to the pseudo-user. Nevertheless, the anoncvs server has been upgraded to CVS 1.11.5 a few hours after it was released.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Inc.

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company

Notified:  January 21, 2003 Updated:  February 14, 2003

Status

  Unknown

Vendor Statement

SOURCE: Hewlett-Packard Company and Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company

RE: x-reference SSRT3463

Not Vulnerable:
HP-UX
HP-MPE/ix
HP Tru64 UNIX
HP NonStop Servers
HP OpenVMS

To report any security issue for any HP software products send email to security-alert@hp.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Secure OS Software for Linux may be affected.

MontaVista Software

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc.

Notified:  January 21, 2003 Updated:  January 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Credit

This vulnerability was publicly reported by Stefan Esser of e-matters.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2003-0015
CERT Advisory: CA-2003-02
Severity Metric: 40.10
Date Public: 2003-01-20
Date First Published: 2003-01-21
Date Last Updated: 2003-08-20 20:12 UTC
Document Revision: 33

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.