[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request -- ClearSilver (neo_cgi) -- Format
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2011-11-28 15:22:46
Message-ID: 4ED3A746.6050407 () redhat ! com
[Download RAW message or body]

On 11/27/2011 10:21 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
>   a format string flaw was found in the Python CGI Kit (neo_cgi)
> module of ClearSilver, a language-neutral HTML templating system,
> processed certain input, leading to Common Gateway Interface (CGI)
> script errors. A remote attacker could provide a specially-crafted
> input, which once processed by an application, using the Python
> language API of ClearSilver neo_cgi module, could lead to that
> particular application crash, or, potentially arbitrary code
> execution with the privileges of the user running the application.
>
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649322
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=757542
>
> Patch, proposed by the issue reporter to the Debian Bug Tracking System:
> [3]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fix-cgi-error-format-security.patch;att=1;bug=649322
>
> Could you allocate a CVE id for this issue?
>
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
Please use CVE-2011-4357 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team

[prev in list] [next in list] [prev in thread] [next in thread]