--- cvs-1.11.23/src/filesubr.c
+++ cvs-1.11.23/src/filesubr.c
@@ -997,6 +997,11 @@ last_component (path)
    The workaround is to put -f in inetd.conf which means that
    get_homedir won't get called until after the switch in user ID.
 
+   NOTE: the above paragraph is not sufficient if the HOME environment
+   variable is set, it overrides the uid based password lookup, hence
+   the change_uid logic path that blocks the HOME environment variable
+   when the uid gets changed.
+
    The whole concept of a "home directory" on the server is pretty
    iffy, although I suppose some people probably are relying on it for
    .cvsrc and such, in the cases where it works.  */
@@ -1004,15 +1009,24 @@ char *
 get_homedir ()
 {
     static char *home = NULL;
+    static uid_t home_uid = -1;
+    static int changed_uid = 0;
+    uid_t uid = getuid();
     char *env;
     struct passwd *pw;
 
+    if (home && home_uid != -1 && home_uid != uid) {
+	home = 0;
+	changed_uid = 1;
+    }
+    home_uid = uid;
+
     if (home != NULL)
 	return home;
 
-    if (!server_active && (env = getenv ("HOME")) != NULL)
+    if (!server_active && !changed_uid && (env = getenv ("HOME")) != NULL)
 	home = env;
-    else if ((pw = (struct passwd *) getpwuid (getuid ()))
+    else if ((pw = (struct passwd *) getpwuid (uid))
 	     && pw->pw_dir)
 	home = xstrdup (pw->pw_dir);
     else