CVS Checkin.prog Binary Execution Vulnerability

A CVS committer can execute arbitrary binaries by using Checkin.prog. Usually CVS/Checkin.prog in a working directory is copied from CVSROOT/modules when the directory is "checkout"ed and it is sent back to the server and executed with committing. Note that when it is executed, committed files exist in the current directory.

Since a working directory can be modified by a committer, Checkin.prog may be modified or even newly created. If a malicious committer does this, cvs server executes the modified Checkin.prog. Also note that the committer can create an arbitrary binary file by `cvs add -kb' and `cvs commit'. The malicious committer can execute the recently committed binary file via Checkin.prog triggered by the `cvs commit'.


Privacy Statement
Copyright 2010, SecurityFocus