Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass
Russ Allbery
rra at debian.org
Wed Oct 12 20:13:17 UTC 2011
Dominic Hargreaves <dom at earth.li> writes:
> On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:
>> The changes look sane "in theory". They address all mentions of
>> FCGI::ENV in the source.
>> The RT testing by Dominic seems sufficient additional assurance to me.
> Russ, I guess you've been involved in fixing this locally; are you able
> to make any comments on the soundness of the patch at
> <http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=blob;f=debian/patches/cve-2011-2766.patch;h=62ca4ac0aff279faba37ce2168fccd248e5c45a6;hb=48b6294e73f73323310250fde667b2a2b7032df2> ?
Yeah, that should be fine. Personally, I would have just added a second
variable that's set to true if the environment was stored, since I think
it's easier to read and more comprehensible, but this is equivalent.
I haven't actually tested it since we worked around the problem in our
application instead (by ensuring that some environment variable was always
set), but I'm pretty sure that will work.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>