Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass
Damyan Ivanov
dmn at debian.org
Mon Oct 24 10:23:59 UTC 2011
-=| Moritz Muehlenhoff, 14.10.2011 17:54:44 +0200 |=-
> On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:
>
> > > Hello Damyan, are you planning to do this or do you need someone
> > > else to take over? IMO this one warrants a DSA.
> >
> > Thanks for the nudge. I have pushed the squeeze branch of
> > http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=summary
> > with the changes so others can take over for the actual uploading if I am away.
> >
> > The squeeze version still has Vcs-Svn in its control file. Would it be
> > acceptable to change that too?
>
> Yes. Please upload to security-master. Note that it needs to be build
> with "-sa", since libfcgi-perl is new in stable-security.
Done. Sorry about the delay. Interdiff and debdiff follow:
========== interdiff ============
diff -Nru libfcgi-perl-0.71/debian/changelog libfcgi-perl-0.71/debian/changelog
--- libfcgi-perl-0.71/debian/changelog 2010-04-01 20:30:50.000000000 +0300
+++ libfcgi-perl-0.71/debian/changelog 2011-10-24 13:06:30.000000000 +0300
@@ -1,3 +1,14 @@
+libfcgi-perl (0.71-1+squeeze1) stable-security; urgency=high
+
+ * Team upload
+
+ * Add patch from upstream bug tracker fixing CVE-2011-2766
+ Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the
+ analysis and chansen for the patch.
+ * control: update Vcs-* fields to point to Git
+
+ -- Damyan Ivanov <dmn at debian.org> Mon, 24 Oct 2011 13:06:17 +0300
+
libfcgi-perl (0.71-1) unstable; urgency=low
* New upstream release.
diff -Nru libfcgi-perl-0.71/debian/control libfcgi-perl-0.71/debian/control
--- libfcgi-perl-0.71/debian/control 2010-04-01 20:30:50.000000000 +0300
+++ libfcgi-perl-0.71/debian/control 2011-10-24 12:59:14.000000000 +0300
@@ -8,8 +8,8 @@
Krzysztof Krzyżaniak (eloy) <eloy at debian.org>
Standards-Version: 3.8.4
Homepage: http://search.cpan.org/dist/FCGI/
-Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libfcgi-perl/
-Vcs-Browser: http://svn.debian.org/viewsvn/pkg-perl/trunk/libfcgi-perl/
+Vcs-Git: git://git.debian.org/pkg-perl/packages/libfcgi-perl.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git
Package: libfcgi-perl
Architecture: any
diff -Nru libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch
--- libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch 1970-01-01 02:00:00.000000000 +0200
+++ libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch 2011-10-24 13:02:33.000000000 +0300
@@ -0,0 +1,42 @@
+Description: replace testing of hash value with hash reference
+ %hash is false if the hash hasn't been assigned to, *or* if the hash is simply
+ empty. This causes the environment from the *second* request (that is, the
+ environment produced by the first request) to be saved as default if the first
+ request had empty environment. This way, request after the first can get
+ access to credentials set up by the first request. badbadbad
+ This is CVE-2011-2766.
+Author: chansen at cpan.org
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=68380
+Bug-Debian: http://bugs.debian.org/607479
+
+--- a/FCGI.PL
++++ b/FCGI.PL
+@@ -294,14 +294,14 @@ sub Request(;***$*$) {
+
+ sub accept() {
+ warn "accept called as a method; you probably wanted to call Accept" if @_;
+- if (%FCGI::ENV) {
+- %ENV = %FCGI::ENV;
++ if ( defined($FCGI::ENV) ) {
++ %ENV = %$FCGI::ENV;
+ } else {
+- %FCGI::ENV = %ENV;
++ $FCGI::ENV = {%ENV};
+ }
+ my $rc = Accept($global_request);
+- for (keys %FCGI::ENV) {
+- $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++ for (keys %$FCGI::ENV) {
++ $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+ }
+
+ # not SFIO
+@@ -313,7 +313,7 @@ sub accept() {
+
+ sub finish() {
+ warn "finish called as a method; you probably wanted to call Finish" if @_;
+- %ENV = %FCGI::ENV if %FCGI::ENV;
++ %ENV = %$FCGI::ENV if defined($FCGI::ENV);
+
+ # not SFIO
+ if (tied (*STDIN)) {
diff -Nru libfcgi-perl-0.71/debian/patches/series libfcgi-perl-0.71/debian/patches/series
--- libfcgi-perl-0.71/debian/patches/series 2010-01-15 23:05:14.000000000 +0200
+++ libfcgi-perl-0.71/debian/patches/series 2011-10-12 11:49:36.000000000 +0300
@@ -1 +1,2 @@
fix-pod-spelling.patch
+cve-2011-2766.patch
========== debdiff =========
$ debdiff libfcgi-perl_0.71-1_amd64.deb libfcgi-perl_0.71-1+squeeze1_amd64.deb
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: perl (>= [-5.10.1-11),-] {+5.10.1-17squeeze2),+} perlapi-5.10.1, libc6 (>= 2.4)
Version: [-0.71-1-] {+0.71-1+squeeze1+}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20111024/99dba6c3/attachment.pgp>
More information about the pkg-perl-maintainers
mailing list