It was reported [1],[2] that cgit suffers from a heap-based buffer overflow flaw that could lead to a denial of service or, possibly (albeit unlikely as the second report indicates), a remote shell. This has not yet been fixed upstream, but a patch is available [3]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=820733 [2] http://www.openwall.com/lists/oss-security/2012/09/30/1 [3] http://git.zx2c4.com/cgit/commit/?id=7757d1b046ecb67b830151d20715c658867df1ec
Created cgit tracking bugs for this issue Affects: epel-all [bug 862037]
This was assigned the name CVE-2012-4465: http://www.openwall.com/lists/oss-security/2012/10/03/7