ClearSilver 'neo_cgi' Module Format String Vulnerability

Bugtraq ID:	50874
Class:	Input Validation Error
CVE:	CVE-2011-4357
Remote:	Yes
Local:	No
Published:	Dec 01 2011 12:00AM
Updated:	Apr 13 2015 10:06PM
Credit:	Leo Iannacone and Colin Watson
Vulnerable:	Debian Linux 6.0 sparc Debian Linux 6.0 s/390 Debian Linux 6.0 powerpc Debian Linux 6.0 mips Debian Linux 6.0 ia-64 Debian Linux 6.0 ia-32 Debian Linux 6.0 arm Debian Linux 6.0 amd64 Brandon Long Clearsilver 0
Not Vulnerable:

ClearSilver 'neo_cgi' Module Format String Vulnerability

ClearSilver is prone to an unspecified format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as a format specifier to a formatted-printing function.

An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition.

ClearSilver 'neo_cgi' Module Format String Vulnerability

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

ClearSilver 'neo_cgi' Module Format String Vulnerability

Solution:
Updates are available. Please see the references for details.

ClearSilver 'neo_cgi' Module Format String Vulnerability

References:

• (CVE-2011-4357) CVE-2011-4357 clearsilver (neo_cgi): Format string flaw by proce (Red Hat)
  
• Clearsilver Homepage (Brandon Long)