CVE-2012-4465 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4465): Heap-based buffer overflow in the substr function in parsing.c in cgit 0.9.0.3 and earlier allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via an empty username in the "Author" field in a commit.
I'm currently maintaining cgit. Two ways to go here -- Either you include this patch in the ebuild: http://git.zx2c4.com/cgit/patch/?id=7757d1b046ecb67b830151d20715c658867df1ec Or you wait for me / convince me to make a new release. AFAIK, it's not possible to get code execution out of this. I could be mistaken, however.
*cgit-0.9.1 (15 Nov 2012) 15 Nov 2012; Jason A. Donenfeld <zx2c4@gentoo.org> +cgit-0.9.1.ebuild, -cgit-0.8.3.5.ebuild, -cgit-0.9.0.2-r1.ebuild, -files/cgit-0.9.0.2-fix-xss.patch, cgit-9999.ebuild, files/cgitrc: Version bump, with security fixes. Remove old insecure versions. Closing noglsa for ~arch only.