Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 438462 (CVE-2012-4465)

Summary: <www-apps/cgit-0.9.1: Buffer overflow (CVE-2012-4465)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: nikoli, pva, ramereth, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2012-10-15 11:20:47 UTC 
CVE-2012-4465 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4465):
  Heap-based buffer overflow in the substr function in parsing.c in cgit
  0.9.0.3 and earlier allows remote authenticated users to cause a denial of
  service (crash) and possibly execute arbitrary code via an empty username in
  the "Author" field in a commit.
Comment 1 Jason A. Donenfeld gentoo-dev 2012-10-15 11:35:27 UTC 
I'm currently maintaining cgit. Two ways to go here --

Either you include this patch in the ebuild:
http://git.zx2c4.com/cgit/patch/?id=7757d1b046ecb67b830151d20715c658867df1ec

Or you wait for me / convince me to make a new release.


AFAIK, it's not possible to get code execution out of this. I could be mistaken, however.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-15 12:08:54 UTC 
*cgit-0.9.1 (15 Nov 2012)

  15 Nov 2012; Jason A. Donenfeld <zx2c4@gentoo.org> +cgit-0.9.1.ebuild,
  -cgit-0.8.3.5.ebuild, -cgit-0.9.0.2-r1.ebuild,
  -files/cgit-0.9.0.2-fix-xss.patch, cgit-9999.ebuild, files/cgitrc:
  Version bump, with security fixes. Remove old insecure versions.

Closing noglsa for ~arch only.