The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.

Two programming errors were discovered in which path names handled by CVS were not properly validated. In one case, the CVS client accepts absolute path names from the server when determining which files to update. In another case, the CVS server accepts relative path names from the client when determining which files to transmit, including those containing references to parent directories (`../').

These programming errors generally only have a security impact when dealing with remote CVS repositories.

A malicious CVS server may cause a CVS client to overwrite arbitrary files on the client's system.

A CVS client may request RCS files from a remote system other than those in the repository specified by $CVSROOT. These RCS files need not be part of any CVS repository themselves.

CVS is a client/server version control system. As a server, it is used to host source code repositories. As a client, it is used to access such repositories. This advisory affects both uses of CVS. A security problem which could allow a server to create arbitrary files on a client machine, and another security problem which may allow a client to view files outside of the CVS repository have been fixed with the release of cvs-1.11.15. Any sites running CVS should upgrade to the new CVS package.

Two vulnerabilities have been discovered and fixed in CVS :

  - CAN-2004-0180     Sebastian Krahmer discovered a vulnerability whereby a     malicious CVS pserver could create arbitrary files on     the client system during an update or checkout     operation, by supplying absolute pathnames in RCS diffs.

  - CAN-2004-0405

    Derek Robert Price discovered a vulnerability whereby a     CVS pserver could be abused by a malicious client to     view the contents of certain files outside of the CVS     root directory using relative pathnames containing     '../'.

The remote host is affected by the vulnerability described in GLSA-200404-13 (CVS Server and Client Vulnerabilities)

    There are two vulnerabilities in CVS; one in the server and one in the     client. The server vulnerability allows a malicious client to request     the contents of any RCS file to which the server has permission, even     those not located under $CVSROOT. The client vulnerability allows a     malicious server to overwrite files on the client machine anywhere the     client has permissions.
  Impact :

    Arbitrary files may be read or written on CVS clients and servers by     anybody with access to the CVS tree.
  Workaround :

    There is no known workaround at this time. All users are encouraged to     upgrade to the latest stable version of CVS.

Sebastian Krahmer from the SUSE security team discovered a remotely exploitable vulnerability in the CVS client. When doing a cvs checkout or update over a network, the client accepts absolute pathnames in the RCS diff files. A maliciously configured server could then create any file with content on the local user's disk. This problem affects all versions of CVS prior to 1.11.15 which has fixed the problem.

The updated packages provide 1.11.14 with the pertinent fix for the problem.

Updated cvs packages that fix a client vulnerability that could be exploited by a malicious server are now available.

[Updated Apr 19 2004] The description text has been updated to include CVE-2004-0405 which was also fixed but not mentioned when this advisory was first released. There has been no change to the packages associated with this advisory.

CVS is a version control system frequently used to manage source code repositories.

Sebastian Krahmer discovered a flaw in CVS clients where rcs diff files can create files with absolute pathnames. An attacker could create a fake malicious CVS server that would cause arbitrary files to be created or overwritten when a victim connects to it. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0180 to this issue.

Derek Price discovered a vulnerability whereby a CVS pserver could be abused by a malicious client to view the contents of certain files outside of the CVS root directory using relative pathnames containing '../'. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0405 to this issue.

Users of CVS are advised to upgrade to these erratum packages, which contain a patch correcting this issue.

ID	Name	Product	Family	Severity
36645	FreeBSD : CVS path validation errors (0792e7a7-8e37-11d8-90d1-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	medium
18765	Slackware 8.1 / 9.0 / 9.1 / current : cvs security update (SSA:2004-108-02)	Nessus	Slackware Local Security Checks	medium
15323	Debian DSA-486-1 : cvs - several vulnerabilities	Nessus	Debian Local Security Checks	medium
14478	GLSA-200404-13 : CVS Server and Client Vulnerabilities	Nessus	Gentoo Local Security Checks	medium
14127	Mandrake Linux Security Advisory : cvs (MDKSA-2004:028)	Nessus	Mandriva Local Security Checks	low
12484	RHEL 2.1 / 3 : cvs (RHSA-2004:153)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2004-0180

high

Tenable Plugins

medium

medium

medium

medium

low

medium