Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Damyan Ivanov dmn at debian.org
Mon Oct 24 10:23:59 UTC 2011


-=| Moritz Muehlenhoff, 14.10.2011 17:54:44 +0200 |=-
> On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:
> 
> > > Hello Damyan, are you planning to do this or do you need someone 
> > > else to take over? IMO this one warrants a DSA.
> > 
> > Thanks for the nudge. I have pushed the squeeze branch of 
> > http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=summary
> > with the changes so others can take over for the actual uploading if I am away.
> > 
> > The squeeze version still has Vcs-Svn in its control file. Would it be 
> > acceptable to change that too?
> 
> Yes. Please upload to security-master. Note that it needs to be built
> with "-sa", since libfcgi-perl is new in stable-security.

Done. Sorry about the delay. Interdiff and debdiff follow:

========== interdiff ============
diff -Nru libfcgi-perl-0.71/debian/changelog libfcgi-perl-0.71/debian/changelog
--- libfcgi-perl-0.71/debian/changelog	2010-04-01 20:30:50.000000000 +0300
+++ libfcgi-perl-0.71/debian/changelog	2011-10-24 13:06:30.000000000 +0300
@@ -1,3 +1,14 @@
+libfcgi-perl (0.71-1+squeeze1) stable-security; urgency=high
+
+  * Team upload
+
+  * Add patch from upstream bug tracker fixing CVE-2011-2766
+    Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the
+    analysis and chansen for the patch.
+  * control: update Vcs-* fields to point to Git
+
+ -- Damyan Ivanov <dmn at debian.org>  Mon, 24 Oct 2011 13:06:17 +0300
+
 libfcgi-perl (0.71-1) unstable; urgency=low
 
   * New upstream release.
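Review bot: "Thaks" in the new changelog entry (the line "Closes: #607479. Thaks to Ferdinand for reporting, ...") should read "Thanks"; this text is what ends up in changelog.Debian.gz and gets copied into the DSA text, so it is worth correcting in the next revision.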
diff -Nru libfcgi-perl-0.71/debian/control libfcgi-perl-0.71/debian/control
--- libfcgi-perl-0.71/debian/control	2010-04-01 20:30:50.000000000 +0300
+++ libfcgi-perl-0.71/debian/control	2011-10-24 12:59:14.000000000 +0300
@@ -8,8 +8,8 @@
  Krzysztof Krzyżaniak (eloy) <eloy at debian.org>
 Standards-Version: 3.8.4
 Homepage: http://search.cpan.org/dist/FCGI/
-Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libfcgi-perl/
-Vcs-Browser: http://svn.debian.org/viewsvn/pkg-perl/trunk/libfcgi-perl/
+Vcs-Git: git://git.debian.org/pkg-perl/packages/libfcgi-perl.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git
 
 Package: libfcgi-perl
 Architecture: any
diff -Nru libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch
--- libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch	1970-01-01 02:00:00.000000000 +0200
+++ libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch	2011-10-24 13:02:33.000000000 +0300
@@ -0,0 +1,42 @@
+Description: replace testing of hash value with hash reference
+ %hash is false if the hash hasn't been assigned to, *or* if the hash is simply
+ empty. This causes the environment from the *second* request (that is, the
+ environment produced by the first request) to be saved as default if the first
+ request had empty environment. This way, request after the first can get
+ access to credentials set up by the first request. badbadbad
+ This is CVE-2011-2766.
+Author: chansen at cpan.org
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=68380
+Bug-Debian: http://bugs.debian.org/607479
+
+--- a/FCGI.PL
++++ b/FCGI.PL
+@@ -294,14 +294,14 @@ sub Request(;***$*$) {
+ 
+ sub accept() {
+     warn "accept called as a method; you probably wanted to call Accept" if @_;
+-    if (%FCGI::ENV) {
+-	%ENV = %FCGI::ENV;
++    if ( defined($FCGI::ENV) ) {
++	%ENV = %$FCGI::ENV;
+     } else {
+-	%FCGI::ENV = %ENV;
++	$FCGI::ENV = {%ENV};
+     }
+     my $rc = Accept($global_request);
+-    for (keys %FCGI::ENV) {
+-	$ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++    for (keys %$FCGI::ENV) {
++	$ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+     }
+ 
+     # not SFIO
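Review bot: the switch from "if (%FCGI::ENV)" to "if ( defined($FCGI::ENV) )" is the whole fix, and it works because a scalar holding a hash reference is defined as soon as the first accept() stores one, even when the stored hash is empty, whereas a plain hash in boolean context is false both when it was never assigned and when it is simply empty; that is the case the description calls out, where an empty first environment lets the next request's leftover variables (including any authentication headers) become the saved default that the "unless exists $ENV{$_}" loop then injects into every later request. Two things to check before upload: "%FCGI::ENV" and "$FCGI::ENV" are different variables in Perl, so grep FCGI.PL (and the test suite) for any remaining use of the hash, which would now silently read an empty, never-populated %FCGI::ENV; and add a one-line comment next to "$FCGI::ENV = {%ENV};" saying why a reference is used instead of a hash, so that nobody "simplifies" it back to the boolean hash test later.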
+@@ -313,7 +313,7 @@ sub accept() {
+ 
+ sub finish() {
+     warn "finish called as a method; you probably wanted to call Finish" if @_;
+-    %ENV = %FCGI::ENV if %FCGI::ENV;
++    %ENV = %$FCGI::ENV if defined($FCGI::ENV);
+ 
+     # not SFIO
+     if (tied (*STDIN)) {
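Review bot: "%ENV = %$FCGI::ENV if defined($FCGI::ENV);" now restores the saved startup environment after every request, since accept() always stores a (possibly empty) hashref on its first call; the old "if %FCGI::ENV" guard skipped the restore exactly when the saved environment was empty, which left the finished request's variables in %ENV for the next accept() to pick up. The only remaining path that leaves %ENV untouched is finish() being called before any accept(), where $FCGI::ENV is still undef, and that is the correct no-op. Consistent with the accept() hunk, so no further change needed here beyond the comment suggested above.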
diff -Nru libfcgi-perl-0.71/debian/patches/series libfcgi-perl-0.71/debian/patches/series
--- libfcgi-perl-0.71/debian/patches/series	2010-01-15 23:05:14.000000000 +0200
+++ libfcgi-perl-0.71/debian/patches/series	2011-10-12 11:49:36.000000000 +0300
@@ -1 +1,2 @@
 fix-pod-spelling.patch
+cve-2011-2766.patch


========== debdiff =========
$ debdiff libfcgi-perl_0.71-1_amd64.deb libfcgi-perl_0.71-1+squeeze1_amd64.deb     
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: perl (>= [-5.10.1-11),-] {+5.10.1-17squeeze2),+} perlapi-5.10.1, libc6 (>= 2.4)
Version: [-0.71-1-] {+0.71-1+squeeze1+}
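
Added example (not from this thread, the upstream patch or the libfcgi-perl package): a self-contained Perl script that replays the accept()/finish() bookkeeping from the two hunks above against a constructed three-request sequence, once with the pre-patch "%FCGI::ENV" hash test and once with the post-patch "defined($FCGI::ENV)" test, and reports what the anonymous third request would see. It assumes an empty process %ENV at the first accept(), which is the condition under which the old test misfires, and uses a stand-in xs_accept() for the XS Accept(), which here simply replaces the environment with the request's parameters; both are assumptions of this example, not code from the module.

```perl
#!/usr/bin/perl
# Added example: replays the FCGI accept()/finish() default-environment
# logic before and after the CVE-2011-2766 patch. Not libfcgi-perl code.
use strict;
use warnings;

# Constructed request sequence (not real traffic): an empty first
# request, an authenticated second one, an anonymous third one.
my @requests = (
    {},
    { REQUEST_URI => '/admin', REMOTE_USER => 'alice',
      HTTP_AUTHORIZATION => 'Basic YWxpY2U6c2VjcmV0' },
    { REQUEST_URI => '/public' },
);

# Stand-in for the XS Accept() (assumption): it replaces the request
# environment hash with the parameters the web server sent.
sub xs_accept {
    my ($env, $req) = @_;
    %$env = %$req;
}

# Run the request loop with the pre-patch ($fixed == 0) or post-patch
# ($fixed == 1) logic and return, per request, the environment the
# application would see. %env stands in for %ENV; %saved_hash for the
# old %FCGI::ENV, $saved_ref for the new $FCGI::ENV. The process
# environment is assumed empty at startup.
sub run_requests {
    my ($fixed) = @_;
    my %env;
    my %saved_hash;
    my $saved_ref;
    my @seen;

    for my $req (@requests) {
        # accept(): save the startup environment on the first call,
        # restore it on later ones.
        if ($fixed) {
            if (defined $saved_ref) { %env = %$saved_ref }
            else                    { $saved_ref = {%env} }
        } else {
            # A plain hash is false when empty, not only when unassigned,
            # so this branch keeps re-saving whatever is left in %env.
            if (%saved_hash) { %env = %saved_hash }
            else             { %saved_hash = %env }
        }

        xs_accept(\%env, $req);

        # Merge saved defaults into the request environment, as the
        # "unless exists $ENV{$_}" loop in accept() does.
        my %defaults = $fixed ? %$saved_ref : %saved_hash;
        for (keys %defaults) {
            $env{$_} = $defaults{$_} unless exists $env{$_};
        }

        push @seen, {%env};    # what the request handler sees

        # finish(): put the saved defaults back.
        if ($fixed) { %env = %$saved_ref if defined $saved_ref }
        else        { %env = %saved_hash if %saved_hash }
    }
    return @seen;
}

for my $fixed (0, 1) {
    my @seen = run_requests($fixed);
    printf "%s: request 3 (anonymous) sees REMOTE_USER=%s\n",
        $fixed ? 'patched  ' : 'unpatched',
        $seen[2]{REMOTE_USER} // '(none)';
}
```

With the pre-patch logic the third, anonymous request inherits REMOTE_USER and HTTP_AUTHORIZATION from the second request: after request 2 the saved hash is still empty, so finish() does not reset %ENV, and the next accept() stores the leftover authenticated environment as the default. With the patched logic the first accept() stores an empty but defined hashref, finish() restores it after every request, and request 3 sees only its own variables.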

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20111024/99dba6c3/attachment.pgp>
