Double-free vulnerability in CVS 1.11.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed Directory request, as demonstrated by bypassing write checks to execute Update-prog and Checkin-prog commands.

Stefan Esser discovered a problem in cvs, a concurrent versions system, which is used for many Free Software projects. The current version contains a flaw that can be used by a remote attacker to execute arbitrary code on the CVS server under the user id the CVS server runs as. Anonymous read-only access is sufficient to exploit this problem.

The remote CVS server is vulnerable to a double free() vulnerability that may allow an attacker to gain a shell on this host.

Two vulnerabilities were discoverd by Stefen Esser in the cvs program.
The first is an exploitable double free() bug within the server, which can be used to execute arbitrary code on the CVS server. To accomplish this, the attacker must have an anonymous read-only login to the CVS server. The second vulnerability is with the Checkin-prog and Update-prog commands. If a client has write permission, he can use these commands to execute programs outside of the scope of CVS, the output of which will be sent as output to the client.

This update fixes the double free() vulnerability and removes the Checkin-prog and Update-prog commands from CVS.

The remote host is missing the patch for the advisory SUSE-SA:2003:0007 (cvs).


CVS (Concurrent Versions System) is a version control system which helps to manage concurrent editing of files by various authors.
Stefan Esser of e-matters reported a 'double free' bug in CVS server code for handling directory requests. This free() call allows an attacker with CVS read access to compromise a CVS server.
Additionally two features ('Update-prog' and 'Checkin-prog') were disabled to stop clients with write access to execute arbitrary code on the server. These features may be configurable at run-time in future releases of CVS server.

There is no temporary fix known other then disable public access to the CVS server. You do not need to update the cvs package as long as you need 'Update-prog' and 'Checkin-prog' feature and work in a trusted environment.
Otherwise install the new packages from our FTP servers please.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

Updated CVS packages are now available for Red Hat Linux Advanced Server. These updates fix a vulnerability which would permit arbitrary command execution on servers configured to allow anonymous read-only access.

[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1

CVS is a version control system frequently used to manage source code repositories. During an audit of the CVS sources, Stefan Esser discovered an exploitable double-free bug in the CVS server.

On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges.
Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server.

All users of CVS are advised to upgrade to these packages which contain patches to correct the double-free bug.

Our thanks go to Stefan Esser of e-matters for reporting this issue to us.

According to its version number, the CVS server running on the remote host has a double free bug, which could allow a malicious user to elevate their privileges.

ID	Name	Product	Family	Severity
15070	Debian DSA-233-1 : cvs - doubly freed memory	Nessus	Debian Local Security Checks	high
1899	CVS < 1.11.5 pserver Directory Request Double Free() Privilege Escalation	Nessus Network Monitor	Generic	high
13994	Mandrake Linux Security Advisory : cvs (MDKSA-2003:009)	Nessus	Mandriva Local Security Checks	high
13772	SUSE-SA:2003:0007: cvs	Nessus	SuSE Local Security Checks	high
12351	RHEL 2.1 : cvs (RHSA-2003:013)	Nessus	Red Hat Local Security Checks	high
11385	CVS Malformed Directory Request Double-free Privilege Escalation	Nessus	Misc.	high

Detections

Analytics

CVE-2003-0015

critical

Tenable Plugins

high

high

high

high

high

high