| Summary: | dev-libs/clearsilver format string flaw vulnerability (CVE-2011-4357) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | proxy-maint, treecleaner, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649322 | ||
| Whiteboard: | B2 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Agostino Sarubbo
2011-11-28 21:19:49 UTC
CVE-2011-4357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4357): Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function. This is fixed upstream in http://code.google.com/p/clearsilver/source/detail?r=919 but there has been no release since then. Recommended to patch using the provided patch in comment 0 / upstream patch. still no movement on a patch or release from upstream. candidate for tree cleaning with no rdeps. # Aaron Bauman <bman@gentoo.org> (05 Mar 2016) # Per security bug #392325 this package is vulnerable # and unmaintained. Removal in 30 days. dev-libs/clearsilver |