[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE Request -- ClearSilver (neo_cgi) -- Format
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2011-11-28 15:22:46
Message-ID: 4ED3A746.6050407 () redhat ! com
[Download RAW message or body]
On 11/27/2011 10:21 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> a format string flaw was found in the Python CGI Kit (neo_cgi)
> module of ClearSilver, a language-neutral HTML templating system,
> processed certain input, leading to Common Gateway Interface (CGI)
> script errors. A remote attacker could provide a specially-crafted
> input, which once processed by an application, using the Python
> language API of ClearSilver neo_cgi module, could lead to that
> particular application crash, or, potentially arbitrary code
> execution with the privileges of the user running the application.
>
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649322
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=757542
>
> Patch, proposed by the issue reporter to the Debian Bug Tracking System:
> [3]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fix-cgi-error-format-security.patch;att=1;bug=649322
>
> Could you allocate a CVE id for this issue?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
Please use CVE-2011-4357 for this issue.
--
-Kurt Seifried / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic