Gentoo Logo

CVS Server and Client Vulnerabilities


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200404-13 / cvs
Release Date April 14, 2004
Latest Revision May 22, 2006: 02
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
dev-util/cvs <= 1.11.14 >= 1.11.15 All supported architectures

Related bugreports: #47800


There are two vulnerabilities in CVS; one in the server and one in the client. These vulnerabilities allow the reading and writing of arbitrary files on both client and server.

2.  Impact Information


CVS, which stands for Concurrent Versions System, is a client/server application which tracks changes to sets of files. It allows multiple users to work concurrently on files, and then merge their changes back into the main tree (which can be on a remote system). It also allows branching, or maintaining separate versions for files.


There are two vulnerabilities in CVS; one in the server and one in the client. The server vulnerability allows a malicious client to request the contents of any RCS file to which the server has permission, even those not located under $CVSROOT. The client vulnerability allows a malicious server to overwrite files on the client machine anywhere the client has permissions.


Arbitrary files may be read or written on CVS clients and servers by anybody with access to the CVS tree.

3.  Resolution Information


There is no known workaround at this time. All users are encouraged to upgrade to the latest stable version of CVS.


All CVS users should upgrade to the latest stable version.

Code Listing 3.1: Resolution

# emerge sync

# emerge -pv ">=dev-util/cvs-1.11.15"
# emerge ">=dev-util/cvs-1.11.15"

4.  References


Page updated April 14, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.