Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 438462 (CVE-2012-4465) - <www-apps/cgit-0.9.1: Buffer overflow (CVE-2012-4465)
Summary: <www-apps/cgit-0.9.1: Buffer overflow (CVE-2012-4465)
Alias: CVE-2012-4465
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
Depends on:
Reported: 2012-10-15 11:20 UTC by GLSAMaker/CVETool Bot
Modified: 2012-11-15 12:08 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-10-15 11:20:47 UTC
CVE-2012-4465 (
  Heap-based buffer overflow in the substr function in parsing.c in cgit and earlier allows remote authenticated users to cause a denial of
  service (crash) and possibly execute arbitrary code via an empty username in
  the "Author" field in a commit.
Comment 1 Jason A. Donenfeld gentoo-dev 2012-10-15 11:35:27 UTC
I'm currently maintaining cgit. Two ways to go here --

Either you include this patch in the ebuild:

Or you wait for me / convince me to make a new release.

AFAIK, it's not possible to get code execution out of this. I could be mistaken, however.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-15 12:08:54 UTC
*cgit-0.9.1 (15 Nov 2012)

  15 Nov 2012; Jason A. Donenfeld <> +cgit-0.9.1.ebuild,
  -cgit-, -cgit-,
  -files/cgit-, cgit-9999.ebuild, files/cgitrc:
  Version bump, with security fixes. Remove old insecure versions.

Closing noglsa for ~arch only.