A buffer overflow vulnerability in cgit was found. ctx.env.content_length is an unsigned int, coming from the CONTENT_LENGTH environment variable, which is parsed by strtoul. The HTTP/1.1 spec says that "any Content-Length greater than or equal to zero is a valid value." By storing this unsigned int into an int, we potentially overflow it, resulting in the following bounding check failing, leading to a buffer overflow.

Upstream patch: http://git.zx2c4.com/cgit/commit/?id=4458abf64172a62b92810c2293450106e6dfc763

CVE assignment: http://openwall.com/lists/oss-security/2016/01/14/6
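The signedness problem the report describes, as an added example in C that is not cgit's own code: a hypothetical request handler narrows the unsigned content length to an int before its bounds check, shown beside a corrected check and a defensive CONTENT_LENGTH parser. BUF_SIZE, the function names and the 4096-byte buffer are assumptions for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define BUF_SIZE 4096   /* assumed size of the fixed buffer the body is copied into */

/* Defective pattern (as on the page): the unsigned length is stored in an int
 * before the check. Returns the byte count the handler would go on to copy,
 * or 0 if the request is rejected. On gcc/clang the conversion of a value
 * >= 2^31 to int yields a negative number (implementation-defined in C). */
size_t vulnerable_admit(unsigned int content_length)
{
    int len = (int)content_length;     /* narrowing: 0x80000000 becomes INT_MIN */
    if (len > BUF_SIZE)
        return 0;                      /* a negative len sails past this check */
    return (size_t)len;                /* (size_t) of a negative int is enormous */
}

/* Corrected pattern: compare in the unsigned domain and never narrow. */
size_t fixed_admit(unsigned int content_length)
{
    if (content_length > BUF_SIZE)
        return 0;
    return content_length;
}

/* Defensive parse of the CONTENT_LENGTH string. Succeeds only for a plain
 * non-negative decimal that fits in an unsigned int; strtoul alone would
 * accept "-1" (wrapping to ULONG_MAX) and silently truncate on LP64. */
bool parse_content_length(const char *s, unsigned int *out)
{
    char *end;
    unsigned long v;
    if (s == NULL)
        return false;
    while (isspace((unsigned char)*s))
        s++;
    if (*s == '\0' || *s == '-' || *s == '+')
        return false;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT_MAX)
        return false;
    *out = (unsigned int)v;
    return true;
}
```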
Created cgit tracking bugs for this issue:

Affects: fedora-all [bug 1298862]
Affects: epel-all [bug 1298863]
cgit-0.12-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
cgit-0.12-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
cgit-0.12-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
cgit-0.12-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.