A flaw in a control and collaboration server widely used by open-source software developers could allow an attacker with read-only access to run arbitrary code, alter program operation, read information, or cause a denial of service, according to the Computer Emergency Response Team Coordination Center (CERT).

The CERT Coordination Center also reported a significant secondary impact of this flaw for the Concurrent Versions System (CVS) server, which is used to update and alter source code via the Internet: an attacker who is able to compromise a CVS server could modify source-code repositories to contain Trojan horses, backdoors, or other malicious code.

The CVS server vulnerability can be triggered by a set of specially crafted directory requests.

"While processing these requests, an error-checking routine may attempt to free the same memory reference more than once. Deallocating the already freed memory leads to heap corruption, which an attacker could leverage to execute arbitrary code, alter the logical operation of the CVS server program, or read sensitive information stored in memory," CERT said. However, in most cases heap corruption will result in a segmentation fault, causing a denial of service.
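The double-free pattern CERT describes, shown as an added C example that is not code from CVS or from the advisory. The request structure, the validation rule and the quarantine-based `tracked_free` are constructed for illustration; the hardened handler shows the usual fix of clearing a pointer at the moment it is released.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for free(): a repeated release is counted, not executed. */
static void *quarantined = NULL;
static int double_frees = 0;
static void tracked_free(void *p) {
    if (p == NULL) return;                             /* like free(NULL): no-op */
    if (p == quarantined) { double_frees++; return; }  /* same block released twice */
    free(quarantined); quarantined = p;                /* hold only the newest block */
}

struct request { char *dir; };  /* hypothetical state, not from the CVS source */
static int load_dir(struct request *r, const char *arg) {
    r->dir = malloc(strlen(arg) + 1);
    if (r->dir != NULL) strcpy(r->dir, arg);
    return r->dir != NULL ? 0 : -1;
}

/* Vulnerable shape: the error check and the common cleanup both release r->dir. */
static int handle_vulnerable(struct request *r, const char *arg) {
    if (load_dir(r, arg) != 0) return -1;
    int rc = (arg[0] == '/') ? 0 : -1;   /* constructed validation rule */
    if (rc != 0) tracked_free(r->dir);   /* first release, pointer left dangling */
    tracked_free(r->dir);                /* cleanup releases the same reference */
    return rc;
}

/* Hardened shape: every release goes through a helper that clears the pointer. */
static void release_dir(struct request *r) { tracked_free(r->dir); r->dir = NULL; }
static int handle_hardened(struct request *r, const char *arg) {
    if (load_dir(r, arg) != 0) return -1;
    int rc = (arg[0] == '/') ? 0 : -1;
    if (rc != 0) release_dir(r);
    release_dir(r);                      /* r->dir is NULL on the error path */
    return rc;
}

/* Runs one handler on one argument; returns the repeated releases observed. */
static int count_double_frees(int (*h)(struct request *, const char *), const char *arg) {
    struct request r = { NULL };
    free(quarantined); quarantined = NULL; double_frees = 0;
    h(&r, arg);
    return double_frees;
}

int main(void) {
    printf("vulnerable=%d\n", count_double_frees(handle_vulnerable, "src"));
    printf("hardened=%d\n", count_double_frees(handle_hardened, "src"));
}
```

Only the rejected request reaches the second release, which is why such bugs tend to sit unnoticed in error-handling paths until malformed input exercises them.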

But because the CVS server process is typically started by the Internet services daemon and runs with root privileges, arbitrary code would also run with root privileges.

Vendors whose systems run CVS Home project versions of CVS prior to 1.11.5, whose operating system distributions provide CVS, or whose source code repositories are managed by CVSsupport are affected by the flaw. Those companies include Cray, IBM, and Sun Microsystems.

CERT, which said Stefan Esser of e-matters reported the issue, recommends that users apply the appropriate patch or upgrade as specified by their vendor.