oss-sec mailing list archives
CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Sun, 27 Nov 2011 18:21:15 +0100
Hello Kurt, Steve, vendors, a format string flaw was found in the Python CGI Kit (neo_cgi) module of ClearSilver, a language-neutral HTML templating system, processed certain input, leading to Common Gateway Interface (CGI) script errors. A remote attacker could provide a specially-crafted input, which once processed by an application, using the Python language API of ClearSilver neo_cgi module, could lead to that particular application crash, or, potentially arbitrary code execution with the privileges of the user running the application. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649322 [2] https://bugzilla.redhat.com/show_bug.cgi?id=757542 Patch, proposed by the issue reporter to the Debian Bug Tracking System:[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fix-cgi-error-format-security.patch;att=1;bug=649322
Could you allocate a CVE id for this issue? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Current thread:
- CVE Request -- ClearSilver (neo_cgi) -- Format string flaw by processing CGI error messages in Python module Jan Lieskovsky (Nov 27)