Your message dated Sat, 17 Sep 2011 19:19:10 +0000
with message-id <e1r50pu-0006eq...@franck.debian.org>
and subject line Bug#607479: fixed in libfcgi-perl 0.73-2
has caused the Debian Bug report #607479,
regarding libfcgi-perl: [CVE-2011-2766] After reloading some environment vars 
become constants, that will be used if not overruled by the headers of new 
requests.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
607479: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607479
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libfcgi-perl
Version: 0.71-1
Severity: normal


Hi,

I had some strange problems with cookies, it seems that sometimes username 
cookies were hijacked, but not always, even by search bots.
I am using the Fast::CGI (libcgi-fast-perl 5.10.1-16) wrapper, but I think the 
problem lies in the FCGI code. I use apache (apache2 2.2.16-4) as webserver.

This is what happens:

I create a simple fpl file to show environment vars, and request that from 2 
different locations (one with a proxy).
Every request is handled fine, I do not have any problems with environment 
vars. But after I change the file, or simply touch it, the new version is 
compiled when a new request happens, but some environment vars seem to get 
a default value from the request that triggers the recompile. So if that 
request has some cookies, all requests without cookies will, according to the 
Fast::CGI module, have the same cookies as the "recompile request".
I did not check all the env vars, but X_FORWARDED_FOR had the same problem. The 
problem vanished when I cleared the %ENV just before I ask for the CGI object.

Example code (with ENV cleaning):

#! /usr/bin/perl -w

use CGI::Fast qw(:standard :cgi-lib);
use Data::Dumper;
use strict;

while ( my $cgi = getRequest() ) {

    print $cgi->header();

    print "<pre>========= ID:$$ =========\n";
    while (my ($key,$value) = each %ENV) {
       print "$key=$value\n";
    }
    print "========= VARS =========\n";
    print Dumper($cgi->Vars());
    print "========= COOKIE =========\n";
    print Dumper($cgi->cookie());
    print ".</pre>";

    #%ENV = undef;
}

sub getRequest {
    # Do not clear the ENV the first time, otherwise the Fast::CGI
    # "slow mode" will not work anymore
    %ENV = () if $main::clearENV; # Clear the ENV
    $main::clearENV = 1;
    return CGI::Fast->new;
}


I used 2 wget together to examine it:
(posted to the proxy server to disable caching)

$ http_proxy=http://proxy:8080 watch -d 'wget -qO - --post-data='xxx' --header "Cookie: usernaam=test" http://www.myserver.nl/env.fcgi'
$ watch -d 'wget -qO - http://www.myserver.nl/env.fcgi'

After an apache restart, both requests will output only their own env vars, but 
after a touch of the script file, you get a 50% chance both requests will show 
the same cookie, postdata and x_forwarded_for headers. A restart always fixes 
that.

I tried to look at the FCGI library, found out that they do some stuff with the 
%ENV, but could not figure out what exactly caused the problem.

Regards,
Ferdinand

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libfcgi-perl depends on:
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.10.1]    5.10.1-16  minimal Perl system

libfcgi-perl recommends no packages.

libfcgi-perl suggests no packages.

-- no debconf information



--- End Message ---
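
A minimal model of the symptom reported above, as an added example (not code from the report, from FCGI, or from the upstream patch): a persistent worker that lays each request's parameters over the previous environment, next to a variant that drops request-scoped keys first, plus a check for stale keys. The function names, the key-prefix list and the two sample requests are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Keys that must only ever come from the current request (assumed prefix list).
sub is_request_scoped {
    my ($key) = @_;
    return $key =~ /^(?:HTTP_|CONTENT_|REQUEST_|REMOTE_|QUERY_STRING$)/;
}

# Leaky handling: parameters are merged over the previous environment, so a
# key that this request did not send keeps the value of an earlier request.
sub begin_request_leaky {
    my ($env, $params) = @_;
    @{$env}{ keys %$params } = values %$params;
    return $env;
}

# Hardened handling: remove every request-scoped key, then apply the
# parameters. Process-level variables such as PATH are left alone.
sub begin_request_clean {
    my ($env, $params) = @_;
    delete @{$env}{ grep { is_request_scoped($_) } keys %$env };
    @{$env}{ keys %$params } = values %$params;
    return $env;
}

# Detection: request-scoped keys present in the environment that the
# current request never supplied.
sub stale_keys {
    my ($env, $params) = @_;
    return sort grep { is_request_scoped($_) && !exists $params->{$_} } keys %$env;
}

# Constructed sample requests: one with a cookie via a proxy, one without.
my %req_a = (REQUEST_METHOD => 'POST', HTTP_COOKIE => 'usernaam=test',
             HTTP_X_FORWARDED_FOR => '192.0.2.10');
my %req_b = (REQUEST_METHOD => 'GET');

for my $mode ([leaky => \&begin_request_leaky], [clean => \&begin_request_clean]) {
    my ($name, $begin) = @$mode;
    my %env = (PATH => '/usr/bin');      # process-level, legitimately persistent
    $begin->(\%env, \%req_a);            # first request populates the environment
    $begin->(\%env, \%req_b);            # second request sends no cookie
    my @stale = stale_keys(\%env, \%req_b);
    printf "%-5s stale keys seen by second request: %s\n",
        $name, @stale ? "@stale" : '(none)';
}
```

A check like `stale_keys` can run at the top of a request loop in a test deployment to confirm that an upgraded package no longer carries cookie or forwarding headers from one request into the next.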
--- Begin Message ---
Source: libfcgi-perl
Source-Version: 0.73-2

We believe that the bug you reported is fixed in the latest version of
libfcgi-perl, which is due to be installed in the Debian FTP archive:

libfcgi-perl_0.73-2.debian.tar.gz
  to main/libf/libfcgi-perl/libfcgi-perl_0.73-2.debian.tar.gz
libfcgi-perl_0.73-2.dsc
  to main/libf/libfcgi-perl/libfcgi-perl_0.73-2.dsc
libfcgi-perl_0.73-2_amd64.deb
  to main/libf/libfcgi-perl/libfcgi-perl_0.73-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <d...@debian.org> (supplier of updated libfcgi-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 17 Sep 2011 22:09:53 +0300
Source: libfcgi-perl
Binary: libfcgi-perl
Architecture: source amd64
Version: 0.73-2
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <d...@debian.org>
Description: 
 libfcgi-perl - helper module for FastCGI
Closes: 607479
Changes: 
 libfcgi-perl (0.73-2) unstable; urgency=high
 .
   * Team upload
    + High urgency for fixing a security bug
 .
   [ Ansgar Burchardt ]
   * debian/control: Convert Vcs-* fields to Git.
 .
   [ Salvatore Bonaccorso ]
   * debian/copyright: Replace DEP5 Format-Specification URL from
     svn.debian.org to anonscm.debian.org URL.
 .
   [ Damyan Ivanov ]
   * Add patch from upstream bug tracker fixing CVE-2011-2766
     Closes: #607479. Thanks to Ferdinand for reporting, Russ Allbery for the
     analysis and chansen for the patch.



--- End Message ---
