Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 372979

Summary: www-apps/cgit: DOS (CVE-2011-1027)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: trivial CC: nikoli, pva, ramereth, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [ebuild]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2011-06-25 12:53:21 UTC 
CVE-2011-1027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1027):
  Off-by-one error in the convert_query_hexchar function in html.c in cgit.cgi
  in cgit before 0.8.3.5 allows remote attackers to cause a denial of service
  (infinite loop) via a string composed of a % (percent) character followed by
  invalid hex characters, as demonstrated by a %gg sequence.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-06-25 12:53:50 UTC 
Please punt the vulnerable version left in tree.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-06-26 20:43:50 UTC 

*** This bug has been marked as a duplicate of bug 357819 ***