Security Advisory 07/2004

Das e-matters Security Team hat eine kritische Sicherheitslücke in CVS gefunden. Diese erlaubt es beliebigen Code auszuführen. Damit könnte ein Angreifer z.b. Hintertüren in den Quelltext von Open Source Projekten einbauen.

Advisory 07/2004
CVS remote vulnerability


Release Date: 2004/05/19
Author: Stefan Esser
Application: CVS feature release <= 1.12.7, CVS stable release <= 1.11.15
Severity: A vulnerability within CVS allows remote compromise of CVS servers.
Risk: Critical
Last Modified:   2004/05/19



Concurrent Versions System (CVS) is the dominant open-source version control software that allows developers to access the latest code using a network connection.

Stable CVS releases up to 1.11.15 and CVS feature releases up to 1.12.7 both contain a flaw when deciding if a CVS entry line should get a modified or unchanged flag attached. This results in a heap overflow which can be exploited to execute arbitrary code on the CVS server. This could allow a repository compromise.



While auditing the CVS source a flaw within the handling of modified and unchanged flag insertion into entry lines was discovered.

When the client sends an entry line to the server an additional byte is allocated to have enough space for later flagging the entry as modified or unchanged. In both cases the check if such a flag is already attached is flawed. This allows to insert M or = chars into the middle of a user supplied string one by one for every call to one of these functions.

It should be obvious that already the second call could possibly overflow the allocated buffer by shifting the part after the insertion point one char backward. If the alignment of the block is choosen wisely this is already exploitable by malloc() off-by-one exploitation techniques. However carefully crafted commands allow the functions to be called several times to overwrite even more bytes (although this is not really needed if you want to exploit this bug on f.e. glibc based systems).


Proof of Concept

e-matters is not going to release an exploit for this vulnerability to the public.


Disclosure Timeline

02 May 2004 CVS developers and vendor-sec were notified by email Derek Robert Price replied nearly immediately that the issue is fixed
03 May 2004 Pre-notification process of important repositories was started
11 May 2004 Sourceforge discovered that the patch breaks compatibility with some pserver protocol violating versions of WinCVS/TortoiseCVS
12 May 2004 Pre-notified repositories were warned about this problem with a more compatible patch.
19 May 2004 Coordinated Public Disclosure


CVE Information

The Common Vulnerabilities and Exposures project ( has assigned the name CAN-2004-0396 to this issue.



Recommended is an immediate update to the new version. Additionally you should consider running your CVS server chrooted over SSH instead of using the :pserver: method. You can find a tutorial how to setup such a server at