posted Monday, January 27, 2003 at 10:26 am MSTTuck in your CVS Server! - Running CVS 1.11.4 or earlier? Well ... don't do that.
According to CERT Advisory CA-2003-02 - Double-Free Bug: "The CVS server component contains a "double-free" vulnerability[...] an error-checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory leads to heap corruption, which an attacker could leverage to execute arbitrary code [...] The CVS server process is typically started by the Internet services daemon (inetd) [...] Arbitrary code inserted by an attacker would therefore run with root privileges." (Common Vulnerabilities and Exposures also issued a report.)
On 20JAN03 CVS posted notice that 1.11.5 was available.
The exploit was discovered first reported, apparently, *sigh* by Stefan Esser at e-matters. His report/advisory includes a timeline on the fix *!OpenSource rawks!* and ends with a suggestion: "You should also consider running your CVS server chrooted over SSH instead of using the :pserver: method." and points to a tutorial on this: Chrooted SSH CVS server how-to.
