Bug 870713 - (CVE-2012-4548) CVE-2012-4548 cgit: command injection
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
high Severity high
Assigned To: Red Hat Product Security
: Security
Depends On: 870714 870715
Reported: 2012-10-28 02:59 EDT by Kurt Seifried
Modified: 2015-08-24 11:56 EDT

Doc Type: Bug Fix
Last Closed: 2015-08-24 11:56:44 EDT

Attachments
cgit-CVE-2012-4548.patch (564 bytes, patch)
2012-10-28 03:00 EDT, Kurt Seifried
Description Kurt Seifried 2012-10-28 02:59:04 EDT

Fix command injection.

By not quoting the argument, an attacker with the ability to add files to the 
repository could pass arbitrary arguments to the highlight command, in 
particular, the --plug-in argument which can lead to arbitrary command 

This patch adds simple argument quoting. 

External references:
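
The quoting problem described in this report, shown as an added example; it is not cgit's filter script or the attached patch. `show_argv` is a hypothetical stand-in for the highlighter that only reports its arguments, and the extension logic, the sample file name and the validation step are assumptions made for illustration.

```shell
#!/bin/sh
# Stand-in for the external highlighter (hypothetical): it only reports the
# argument vector it was given, one "[arg]" per line. Nothing is executed.
show_argv() {
    for a in "$@"; do printf '[%s]\n' "$a"; done
}

# Assumed filter logic: the "extension" is whatever follows the last dot
# of the file's basename.
ext_of() {
    base=${1##*/}
    printf '%s' "${base##*.}"
}

# Before: unquoted expansion. The shell word-splits $ext, so whitespace in
# a file name turns one value into several separate arguments.
argv_unquoted() {
    ext=$(ext_of "$1")
    show_argv -S $ext
}

# After: quoted expansion. $ext always stays a single argument to -S.
argv_quoted() {
    ext=$(ext_of "$1")
    show_argv -S "$ext"
}

# Extra hardening (an assumption, not described in the bug): fall back to
# plain text unless the extension is purely alphanumeric.
argv_validated() {
    ext=$(ext_of "$1")
    case $ext in
        ''|*[!A-Za-z0-9]*) ext=txt ;;
    esac
    show_argv -S "$ext"
}

# Constructed sample name whose "extension" contains a space.
SAMPLE='docs/readme.c --plug-in=constructed'

echo "unquoted:";  argv_unquoted  "$SAMPLE"
echo "quoted:";    argv_quoted    "$SAMPLE"
echo "validated:"; argv_validated "$SAMPLE"
```

In the unquoted form the stand-in receives three arguments, the last one being a separate option; in the quoted form it receives two.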
Comment 1 Kurt Seifried 2012-10-28 03:00:46 EDT
Created attachment 634444
Comment 2 Kurt Seifried 2012-10-28 03:01:38 EDT
Created cgit tracking bugs for this issue

Affects: fedora-all [bug 870714]
Comment 3 Kurt Seifried 2012-10-28 03:02:11 EDT
Created cgit tracking bugs for this issue

Affects: epel-all [bug 870715]
