From https://bugzilla.redhat.com/show_bug.cgi?id=870713: syntax-highlighting.sh: Fix command injection. By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting. External references: http://git.zx2c4.com/cgit/commit/?id=7ea35f9f8ecf61ab42be9947aae1176ab6e089bd
CVE-2012-4548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4548): Argument injection vulnerability in syntax-highlighting.sh in cgit 9.0.3 and earlier allows remote authenticated users with permissions to add files to execute arbitrary commands via the --plug-in argument to the highlight command.
*cgit-0.9.1 (15 Nov 2012) 15 Nov 2012; Jason A. Donenfeld <zx2c4@gentoo.org> +cgit-0.9.1.ebuild, -cgit-0.8.3.5.ebuild, -cgit-0.9.0.2-r1.ebuild, -files/cgit-0.9.0.2-fix-xss.patch, cgit-9999.ebuild, files/cgitrc: Version bump, with security fixes. Remove old insecure versions. Closing noglsa for ~arch only.
