Hello community, here is the log from the commit of package cgit for openSUSE:Factory checked in at 2012-10-31 06:57:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cgit (Old) and /work/SRC/openSUSE:Factory/.cgit.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cgit", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/cgit/cgit.changes 2012-10-11 10:41:44.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.cgit.new/cgit.changes 2012-10-31 06:57:01.000000000 +0100 @@ -1,0 +2,7 @@ +Mon Oct 29 11:45:50 CET 2012 - ti...@suse.de + +- cgit-CVE-2012-4548-fix.diff: + Fix VUL-0: cgit: arbitrary code / command execution via + improperly quoted arguments (CVE-2012-4548, bnc#787074) + +------------------------------------------------------------------- New: ---- cgit-CVE-2012-4548-fix.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cgit.spec ++++++ --- /var/tmp/diff_new_pack.B200BG/_old 2012-10-31 06:57:03.000000000 +0100 +++ /var/tmp/diff_new_pack.B200BG/_new 2012-10-31 06:57:03.000000000 +0100 @@ -36,6 +36,7 @@ Patch3: cgit-fix-print-tree.diff Patch4: cgit-fix-more-read_tree_recursive-invocations.diff Patch5: cgit-CVE-2012-4465-fix.diff +Patch6: cgit-CVE-2012-4548-fix.diff # Requirements for cgit BuildRequires: gnu-crypto libopenssl-devel libzip-devel # Requirements for cgitrc man page generation @@ -59,6 +60,7 @@ %patch3 %patch4 %patch5 -p1 +%patch6 -p1 rm -rf git mv git-%{git_version} git ++++++ cgit-CVE-2012-4548-fix.diff ++++++ >From 7ea35f9f8ecf61ab42be9947aae1176ab6e089bd Mon Sep 17 00:00:00 2001 From: Jason A. Donenfeld <ja...@zx2c4.com> Date: Sun, 28 Oct 2012 02:03:41 +0000 Subject: syntax-highlighting.sh: Fix command injection. By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting. --- --- filters/syntax-highlighting.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/filters/syntax-highlighting.sh +++ b/filters/syntax-highlighting.sh @@ -31,4 +31,4 @@ EXTENSION="${BASENAME##*.}" # map Makefile and Makefile.* to .mk [ "${BASENAME%%.*}" == "Makefile" ] && EXTENSION=mk -exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null +exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org