A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow a remote attacker to execute arbitrary code or commands or cause a denial of service on a vulnerable system.
CVS is a source code maintenance system that is widely used by open-source software development projects.
The CVS server component contains a "double-free" vulnerability that can be triggered by a set of specially crafted directory change requests. While processing these requests, an error checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory can lead to heap corruption, which may be leveraged by an attacker to execute arbitrary code. The CVS server process is commonly started by the Internet services daemon (inetd) and run with root privileges.
Depending on configuration, operating system, and platform architecture, a remote attacker with anonymous read-only access to a vulnerable CVS server could execute arbitrary code, read sensitive information, or cause a denial of service. There is a significant secondary impact in that source code maintained in CVS repositories could be modified to include trojan horses, backdoors, or other malicious code.
Disable CVS Server
Apple Computer Inc.
Red Hat Inc.
Sun Microsystems Inc.
The SCO Group
Guardian Digital Inc.
Wind River Systems Inc.
This vulnerability was publicly reported by Stefan Esser of e-matters
This document was written by Art Manion.