Original patch from CVS, slightly munged to apply to 1.11.2.

Index: src/client.c
===================================================================
RCS file: /cvs/ccvs/src/client.c,v
retrieving revision 1.318.4.12
diff -u -p -r1.318.4.12 client.c
--- cvs-1.11.1p1/src/client.c	25 Feb 2004 06:46:15 -0000	1.318.4.12
+++ cvs-1.11.1p1/src/client.c	18 Mar 2004 21:04:46 -0000
@@ -1045,6 +1045,19 @@ call_in_directory (pathname, func, data)
     int reposdirname_absolute;
     int newdir = 0;
 
+    /* For security reasons, if PATHNAME is absolute or attemps to ascend
+     * outside of the current sanbbox, we abort.  The server should not send us
+     * anything but relative paths which remain inside the sandbox here.
+     * Anything less means a trojan CVS server could create and edit arbitrary
+     * files on the client.
+     */
+    if (isabsolute (pathname) || pathname_levels (pathname) > 0)
+    {
+	error (0, 0,
+               "Server attempted to update a file via an invalid pathname:");
+        error (1, 0, "`%s'.", pathname);
+    }
+
     reposname = NULL;
     read_line (&reposname);
     assert (reposname != NULL);
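Review bot: The new guard at the top of call_in_directory is purely lexical: `isabsolute (pathname) || pathname_levels (pathname) > 0` rejects absolute paths and, presumably, paths whose `..` components climb above the starting directory, but nothing visible here covers a relative path that passes through a symlink already present in the working tree and pointing outside the sandbox. The function body continues outside the hunk, so if nothing further down handles that case, the comment should state the limit, e.g. `Note: this check is lexical only; symlinks inside the sandbox are not resolved.` The comment also has two typos, `attemps` for `attempts` and `sanbbox` for `sandbox`, and the `error (0, 0,` line is indented with a tab while the rest of the added block uses spaces. The server-supplied pathname is printed verbatim in the fatal message, so it is worth confirming that error() output cannot carry control characters to the user's terminal.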
