Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 392325 (CVE-2011-4357) - dev-libs/clearsilver format string flaw vulnerability (CVE-2011-4357)
Summary: dev-libs/clearsilver format string flaw vulnerability (CVE-2011-4357)
Alias: CVE-2011-4357
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [noglsa]
Depends on:
Reported: 2011-11-28 21:19 UTC by Agostino Sarubbo
Modified: 2016-04-01 03:19 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-11-28 21:19:49 UTC
From debian bugzilla at $URL:


A remote attacker could provide a specially-crafted input, which once processed by an application, using the Python language API of ClearSilver neo_cgi module, could lead to that particular application crash, or, potentially arbitrary code
execution with the privileges of the user running the application.

There is a proposed patch:
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-12-12 23:53:19 UTC
CVE-2011-4357 (
  Format string vulnerability in the p_cgi_error function in python/neo_cgi.c
  in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier
  allows remote attackers to cause a denial of service (crash) and possibly
  execute arbitrary code via format string specifiers that are not properly
  handled when creating CGI error messages using the cgi_error API function.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-05 19:20:49 UTC
This is fixed upstream in but there has been no release since then. Recommended to patch using the provided patch  in comment 0 / upstream patch.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-02-29 14:05:54 UTC
still no movement on a patch or release from upstream. candidate for tree cleaning with no rdeps.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 00:15:33 UTC
# Aaron Bauman <> (05 Mar 2016)
# Per security bug #392325 this package is vulnerable
# and unmaintained.  Removal in 30 days.