Security Advisory 01/2003

Das e-matters Security Team hat eine kritische Sicherheitslücke in CVS gefunden. Diese erlaubt es beliebigen Code auszuführen. Damit könnte ein Angreifer z.b. Hintertüren in den Quelltext von Open Source Projekten einbauen.

Advisory 01/2003
CVS remote vulnerability


Release Date: 2003/01/20
Author: Stefan Esser
Application: CVS <= 1.11.4
Severity: A vulnerability within CVS allows remote compromise of CVS servers.
Risk: Critical
Last Modified:   2003/01/20



Concurrent Versions System (CVS) is the dominant open-source version control software that allows developers to access the latest code using a network connection. CVS version 1.11.4 and below contain a flaw that can be used by a remote attacker to execute arbitrary code on the server.

You should also note, that the CVS client/server protocol includes two commands (Update-prog and Checkin-prog) that can be used by any CVS user with write access to the repository to execute arbitrary shell commands on the server. This is a questionable feature, because it is very badly documented, is unknown to most CVS administrators and cannot be turned off within the configuration files.



While auditing the CVS sourcetree I found a flaw within the handling of the Directory request within the server code. By sending a malformed directory name it is possible to trigger an error condition that will make the function return at a point where a global pointer variable is already freed and has not got a new value assigned yet. This will result in a classical double-free() when the next Directory request is handled. With the help of other CVS requests it is possible to either leak some information that could be used to determine the heap position or to execute arbitrary code on systems that are known to be vulnerable to this kind of bugs. This includes Linux, Solaris and most probably Windows systems.

Additionally I was also able to create proof of concept code that uses this vulnerability to execute arbitrary shell commands on BSD servers. I was able to achieve this because all allocated memory is aligned on BSD systems which makes it very easy to get newly allocated memory blocks into the same position of already freed blocks of the same slotsize. In combination with some CVS requests that work on lists of pointers, I was able to use this bug to free arbitrary memory addresses. With the help of the information leak capabilities of this vulnerability it is possible to guess the address of some strings that are needed for the read/write access checks. Combined this allowes to bypass the write access checks and to abuse the Update-prog/Checkin-prog requests to execute arbitrary commands on the server with an anonymous read-only account.

The impact of this vulnerability depends highly on the configuration of the server. The CVS server is by default started via inetd with root privileges. If CVSROOT/passwd is left writeable to the CVS user this means a remote root compromise. You must also consider that chrooting the CVS daemon may protect the rest of your system against the intruder but will still leave the whole source tree vulnerable to the attacker.

Summarized this means that this vulnerability is a threat to most open source projects because nearly all of them offer anonymous CVS access to the source tree. Even if the attacker is not able to extend his attack on the developer CVS server (if it is seperated at all) he could still backdoor everything other people download from the anonymous server.

This does not only apply to :pserver: method


Proof of Concept

e-matters is not going to release an exploit for this vulnerability to the public.


Disclosure Timeline

04 January 2003 Vendor was notified via email. Unfourtunately the person that I tried to contact was on vacation, so I received no answer.

12 January 2003 The vulnerability was disclosed to the admins of several big public CVS repositories and to some distributors.

15 January 2003 Vendor has committed the fix to the CVS CVS repository.

16 January 2003 Vendor-sec was notified that a new bugfixed CVS version will be released on 20th January.

21 January 2003 Vendor has released a new version which fixes the double free problem. You can download it at:


CVE Information

The Common Vulnerabilities and Exposures project ( has assigned the name CAN-2003-0015 to this issue.



My recommendation is to immediantly update to the new version. You may also consider to additionally apply my patch which adds the ability to turn off Update-prog and Checkin-prog within your configuration files. You can download it from

You should also consider running your CVS server chrooted over SSH instead of using the :pserver: method. You can find a tutorial how to setup such a server at