Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines.

New cvs packages are available for Slackware 8.1, 9.0, 9.1, and
-current to fix a buffer overflow vulnerability which could allow an attacker to run arbitrary programs on the CVS server. Sites running a CVS server should upgrade to the new CVS package right away.

Stefan Esser discovered a heap overflow in the CVS server, which serves the popular Concurrent Versions System. Malformed 'Entry' Lines in combination with Is-modified and Unchanged can be used to overflow malloc()ed memory. This was proven to be exploitable.

The remote host is affected by the vulnerability described in GLSA-200405-12 (CVS heap overflow vulnerability)

    Stefan Esser discovered a heap overflow in the CVS server, which can be     triggered by sending malicious 'Entry' lines and manipulating the flags     related to that Entry. This vulnerability was proven to be exploitable.
  Impact :

    A remote attacker can execute arbitrary code on the CVS server, with the     rights of the CVS server. By default, Gentoo uses the 'cvs' user to run the     CVS server. In particular, this flaw allows a complete compromise of CVS     source repositories. If you're not running a server, then you are not     vulnerable.
  Workaround :

    There is no known workaround at this time. All users are advised to upgrade     to the latest available version of CVS.

The remote CVS server, according to its version number, might allow an attacker to execute arbitrary commands on the remote system because of a heap overflow in the cvs pserver code.

Stefan Esser discovered that malformed 'Entry' lines in combination with Is-modified and Unchanged can be used to overflow malloc()ed memory in a way that can be remotely exploited.

The updated packages contain a patch to correct the problem.

The remote host is missing the patch for the advisory SuSE-SA:2004:013 (cvs).


The Concurrent Versions System (CVS) offers tools which allow developers to share and maintain large software projects.
Stefan Esser reported buffer overflow conditions within the cvs program.
They allow remote attackers to execute arbitrary code as the user the cvs server runs as. Since there is no easy workaround we strongly recommend to update the cvs package.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

Stefan Esser discovered a flaw in cvs where malformed 'Entry' lines could cause a heap overflow. An attacker who has access to a CVS server could use this flaw to execute arbitrary code under the UID which the CVS server is executing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0396 to this issue.

This update includes a patch by Derek Price, based on a patch by Stefan Esser, which corrects this flaw.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of FreeBSD which contains a heap overflow in the cvs pserver code. This flaw may be used by an attacker to execute arbitrary code on the remote host, provided that it's running a cvs pserver.

An updated cvs package that fixes a server vulnerability that could be exploited by a malicious client is now available.

CVS is a version control system frequently used to manage source code repositories.

Stefan Esser discovered a flaw in cvs where malformed 'Entry' lines could cause a heap overflow. An attacker who has access to a CVS server could use this flaw to execute arbitrary code under the UID which the CVS server is executing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0396 to this issue.

Users of CVS are advised to upgrade to this updated package, which contains a backported patch correcting this issue.

Red Hat would like to thank Stefan Esser for notifying us of this issue and Derek Price for providing an updated patch.

According to its version number, the remote CVS server has a heap- based buffer overflow vulnerability.  A remote attacker could exploit this to crash the service, or possibly execute arbitrary code.

ID	Name	Product	Family	Severity
18763	Slackware 8.1 / 9.0 / 9.1 / current : cvs (SSA:2004-140-01)	Nessus	Slackware Local Security Checks	high
15342	Debian DSA-505-1 : cvs - heap overflow	Nessus	Debian Local Security Checks	high
14498	GLSA-200405-12 : CVS heap overflow vulnerability	Nessus	Gentoo Local Security Checks	high
1220	CVS < 1.11.16 / 1.12.8 pserver Line Entry Handling Remote Overflow	Nessus Network Monitor	Generic	critical
14147	Mandrake Linux Security Advisory : cvs (MDKSA-2004:048)	Nessus	Mandriva Local Security Checks	high
13830	SuSE-SA:2004:013: cvs	Nessus	SuSE Local Security Checks	high
13706	Fedora Core 2 : cvs-1.11.15-6 (2004-131)	Nessus	Fedora Local Security Checks	high
13701	Fedora Core 1 : cvs-1.11.15-5 (2004-126)	Nessus	Fedora Local Security Checks	high
12530	FreeBSD : SA-04:10.cvs	Nessus	FreeBSD Local Security Checks	high
12495	RHEL 2.1 / 3 : cvs (RHSA-2004:190)	Nessus	Red Hat Local Security Checks	high
12240	CVS pserver Line Entry Handling Overflow	Nessus	Misc.	critical

Detections

Analytics

CVE-2004-0396

critical

Tenable Plugins

high

high

high

critical

high

high

high

high

high

high

critical