438462 – (CVE-2012-4465) <www-apps/cgit-0.9.1: Buffer overflow (CVE-2012-4465)

Bug 438462 (CVE-2012-4465) - <www-apps/cgit-0.9.1: Buffer overflow (CVE-2012-4465)

Summary: <www-apps/cgit-0.9.1: Buffer overflow (CVE-2012-4465)

Status:	RESOLVED FIXED

Alias:	CVE-2012-4465

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~2 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2012-10-15 11:20 UTC by GLSAMaker/CVETool Bot
Modified:	2012-11-15 12:08 UTC (History)
CC List:	4 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2012-10-15 11:20:47 UTC

CVE-2012-4465 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4465):
  Heap-based buffer overflow in the substr function in parsing.c in cgit
  0.9.0.3 and earlier allows remote authenticated users to cause a denial of
  service (crash) and possibly execute arbitrary code via an empty username in
  the "Author" field in a commit.

Comment 1 Jason A. Donenfeld gentoo-dev

2012-10-15 11:35:27 UTC

I'm currently maintaining cgit. Two ways to go here --

Either you include this patch in the ebuild:
http://git.zx2c4.com/cgit/patch/?id=7757d1b046ecb67b830151d20715c658867df1ec

Or you wait for me / convince me to make a new release.


AFAIK, it's not possible to get code execution out of this. I could be mistaken, however.

Comment 2 Sean Amoss (RETIRED) gentoo-dev

2012-11-15 12:08:54 UTC

*cgit-0.9.1 (15 Nov 2012)

  15 Nov 2012; Jason A. Donenfeld <zx2c4@gentoo.org> +cgit-0.9.1.ebuild,
  -cgit-0.8.3.5.ebuild, -cgit-0.9.0.2-r1.ebuild,
  -files/cgit-0.9.0.2-fix-xss.patch, cgit-9999.ebuild, files/cgitrc:
  Version bump, with security fixes. Remove old insecure versions.

Closing noglsa for ~arch only.