Heap-based buffer overflow in the substr function in parsing.c in cgit 0.9.0.3 and earlier allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via an empty username in the "Author" field in a commit.
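To make the bug class behind this description concrete, here is an added illustration (not cgit's parsing.c, and not code from this bug report). It assumes the commit "Author" value has the shape `Name <email>` and that a substr-style helper computes the name length as the distance from the start of the line to the byte before `<`. With an empty name that distance is -1; cast to `size_t` it becomes `SIZE_MAX`, so an unchecked copy runs far past the tiny heap block that was allocated. The hardened helper rejects the negative length before allocating. The functions `unchecked_copy_len`, `safe_substr` and `parse_author_name` are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length an unchecked helper would hand to strncpy/memcpy after computing
 * the name length as (byte before '<') - (start of line). A negative
 * ptrdiff_t silently becomes a huge size_t. Only the arithmetic is
 * reproduced here; nothing is copied, so calling this is safe. */
size_t unchecked_copy_len(ptrdiff_t len)
{
    return (size_t)len;              /* -1 -> SIZE_MAX */
}

/* Hardened helper: a negative length means "empty range", never "copy
 * everything". The check happens before any allocation. */
char *safe_substr(const char *head, ptrdiff_t len)
{
    if (len < 0)
        len = 0;                     /* empty name -> "" instead of an overflow */
    char *buf = malloc((size_t)len + 1);
    if (!buf)
        return NULL;
    memcpy(buf, head, (size_t)len);
    buf[len] = '\0';
    return buf;
}

/* Extract the name from an "Author" value of the form "Name <email>".
 * The name is assumed to end one byte before '<' (the separating space),
 * so for "<email>" the computed length is -1: exactly the empty-username
 * case described in the advisory text above. */
char *parse_author_name(const char *line)
{
    const char *lt = strchr(line, '<');
    if (!lt)                         /* no e-mail part: whole line is the name */
        return safe_substr(line, (ptrdiff_t)strlen(line));
    return safe_substr(line, (lt - line) - 1);
}

int main(void)
{
    /* Constructed sample author values. */
    const char *samples[] = {
        "Jane Doe <jane@example.com>",
        "<jane@example.com>",         /* empty username */
        "Jane Doe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *name = parse_author_name(samples[i]);
        printf("%-30s -> \"%s\"\n", samples[i], name ? name : "(alloc failed)");
        free(name);
    }
    printf("unchecked length for an empty name: %zu\n", unchecked_copy_len(-1));
    return 0;
}
```

The two-line difference between the helpers is the whole fix: a signed length is validated before it is ever converted to `size_t`, which is the conversion that turns a one-byte slip into an unbounded heap write.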
I'm currently maintaining cgit. Two ways to go here --
Either you include this patch in the ebuild:
Or you wait for me / convince me to make a new release.
AFAIK, it's not possible to get code execution out of this. I could be mistaken, however.
*cgit-0.9.1 (15 Nov 2012)
15 Nov 2012; Jason A. Donenfeld <email@example.com> +cgit-0.9.1.ebuild,
-files/cgit-0.9.0.2-fix-xss.patch, cgit-9999.ebuild, files/cgitrc:
Version bump, with security fixes. Remove old insecure versions.
Closing noglsa for ~arch only.