Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 471356 (CVE-2013-2117) - <www-apps/cgit-0.9.2: directory traversal (CVE-2013-2117)
Summary: <www-apps/cgit-0.9.2: directory traversal (CVE-2013-2117)
Alias: CVE-2013-2117
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2013-05-26 18:44 UTC by Agostino Sarubbo
Modified: 2013-08-31 23:02 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-05-26 18:44:18 UTC
From ${URL} :

As mentioned in early messages to oss-sec, I've inherited
maintainership of the cgit codebase and am gradually auditing it.
Today I found a nasty directory traversal:


This should be pretty straightforward to categorize.

Exploitation looks like:

I've committed a fix for it here:

And this fix will be in the master branch and a new release will be made soon.

Cgit by default is not vulnerable to this, and the vulnerability only
exists when a user has configured cgit to use a readme file from a
filesystem filepath instead of from the git repo itself. Until a
release is made, administrators are urged to disable reading the
readme file from a filepath, if currently enabled.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Jason A. Donenfeld gentoo-dev 2013-05-27 20:43:06 UTC
Bumped to the just released version.

Ebuild was never stable to begin with, but stabilize it if you want.