--- cvs-1.11.22/src/login.c
+++ cvs-1.11.22/src/login.c
@@ -591,7 +591,7 @@ get_cvs_password ()
        context, then assume they have supplied the correct, scrambled
        password. */
     if (cvs_password)
-	return cvs_password;
+	return xstrdup(cvs_password);
 
     if (getenv ("CVS_PASSWORD") != NULL)
     {