Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 440756 (CVE-2012-4548) - <www-apps/cgit-0.9.1: command injection (CVE-2012-4548)
Summary: <www-apps/cgit-0.9.1: command injection (CVE-2012-4548)
Alias: CVE-2012-4548
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
Depends on:
Reported: 2012-11-01 15:30 UTC by Agostino Sarubbo
Modified: 2012-11-15 12:07 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-11-01 15:30:46 UTC
From Fix command injection.

By not quoting the argument, an attacker with the ability to add files to the 
repository could pass arbitrary arguments to the highlight command, in 
particular, the --plug-in argument which can lead to arbitrary command 

This patch adds simple argument quoting. 

External references:
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-11 16:22:45 UTC
CVE-2012-4548 (
  Argument injection vulnerability in in cgit 9.0.3 and
  earlier allows remote authenticated users with permissions to add files to
  execute arbitrary commands via the --plug-in argument to the highlight
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-15 12:07:32 UTC
*cgit-0.9.1 (15 Nov 2012)

  15 Nov 2012; Jason A. Donenfeld <> +cgit-0.9.1.ebuild,
  -cgit-, -cgit-,
  -files/cgit-, cgit-9999.ebuild, files/cgitrc:
  Version bump, with security fixes. Remove old insecure versions.

Closing noglsa for ~arch only.