-=| Dominic Hargreaves, 30.09.2011 18:26:41 +0100 |=-
> I'm reopening the bug, because I believe this fix applies to
> squeeze, and should be fixed there.

Agreed.

> Has anyone yet contacted the security team about this/is anyone
> working on packages for squeeze?

I don't think so. Porting the patch (for some reason it doesn't apply cleanly) is trivial. Attached is a patch that does exactly that (to be git apply'ed to the debian/0.71-1 tag, which is the squeeze version).

HTH,
dam
From e2619c1cd684d68b704f24d66c7672746c89d92f Mon Sep 17 00:00:00 2001 From: Damyan Ivanov <d...@debian.org> Date: Sat, 17 Sep 2011 22:01:17 +0300 Subject: [PATCH] Add patch from upstream bug tracker fixing CVE-2011-2766 Closes: #607479 Thanks to Ferdinand for reporting, Russ Allbery for the analysis and chansen for the patch. Conflicts: debian/changelog debian/patches/series --- debian/changelog | 8 ++++++ debian/patches/cve-2011-2766.patch | 42 ++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 51 insertions(+), 0 deletions(-) create mode 100644 debian/patches/cve-2011-2766.patch diff --git a/debian/changelog b/debian/changelog index a6c45ff..2985a8d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libfcgi-perl (0.71-1+squeeze.1) unstable; urgency=high + + * Add patch from upstream bug tracker fixing CVE-2011-2766 + Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the + analysis and chansen for the patch. + + -- Damyan Ivanov <d...@debian.org> Sat, 01 Oct 2011 07:55:15 +0300 + libfcgi-perl (0.71-1) unstable; urgency=low * New upstream release. diff --git a/debian/patches/cve-2011-2766.patch b/debian/patches/cve-2011-2766.patch new file mode 100644 index 0000000..96fcdd4 --- /dev/null +++ b/debian/patches/cve-2011-2766.patch 
@@ -0,0 +1,42 @@ +Description: replace testing of hash value with hash reference + %hash is false if the hash hasn't been assigned to, *or* if the hash is simply + empty. This causes the environment from the *second* request (that is, the + environment produced by the first request) to be saved as default if the first + request had empty environment. This way, request after the first can get + access to credentials set up by the first request. badbadbad + This is CVE-2011-2766. +Author: chan...@cpan.org +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=68380 +Bug-Debian: http://bugs.debian.org/607479 + +--- a/FCGI.PL ++++ b/FCGI.PL +@@ -294,14 +294,14 @@ sub Request(;***$*$) { + + sub accept() { + warn "accept called as a method; you probably wanted to call Accept" if @_; +- if (%FCGI::ENV) { +- %ENV = %FCGI::ENV; ++ if ( defined($FCGI::ENV) ) { ++ %ENV = %$FCGI::ENV; + } else { +- %FCGI::ENV = %ENV; ++ $FCGI::ENV = {%ENV}; + } + my $rc = Accept($global_request); +- for (keys %FCGI::ENV) { +- $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_}; ++ for (keys %$FCGI::ENV) { ++ $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_}; + } + + # not SFIO +@@ -313,7 +313,7 @@ sub accept() { + + sub finish() { + warn "finish called as a method; you probably wanted to call Finish" if @_; +- %ENV = %FCGI::ENV if %FCGI::ENV; ++ %ENV = %$FCGI::ENV if defined($FCGI::ENV); + + # not SFIO + if (tied (*STDIN)) { diff --git a/debian/patches/series b/debian/patches/series index 5622f22..a574581 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ fix-pod-spelling.patch +cve-2011-2766.patch -- 1.7.6.3
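Review bot: in the debian/changelog hunk the new entry "libfcgi-perl (0.71-1+squeeze.1) unstable; urgency=high" is a squeeze update but names "unstable" as the distribution; an upload through the security team needs "stable-security" (squeeze-security at the time) and a stable proposed-update needs "squeeze", otherwise the upload is treated as a sid upload. The same bullet has "Thaks" for "Thanks", and the usual version form for a squeeze update is "0.71-1+squeeze1" without the dot, which would also be the string to reference in the DSA.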
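Review bot: the security-relevant change in the accept() hunk is the test, "if (%FCGI::ENV)" becoming "if ( defined($FCGI::ENV) )": a hash in boolean context is false when it is merely empty, so a first request with an empty environment left the snapshot untaken and the second request's environment, which already carried the first request's variables, was saved as the default that every later request inherits. A definedness check on a hash reference separates "never snapshotted" from "snapshotted as empty", and the loop below it correctly reads "$FCGI::ENV->{$_}" from the new reference. Two checks before upload: %FCGI::ENV and $FCGI::ENV are different package globals, so grep the rest of FCGI.PL for any remaining use of the old hash that these two functions do not cover; and the else branch snapshots %ENV before the first Accept, so confirm nothing in the process startup path has already placed request-specific values into %ENV at that point.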
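Review bot: the debian/patches/series hunk adds cve-2011-2766.patch, and that patch touches FCGI.PL rather than FCGI.pm; FCGI.pm is generated from FCGI.PL at build time, so after a test build check that the installed FCGI.pm actually contains the "defined($FCGI::ENV)" tests, and that the two hunks apply at their stated offsets ("@@ -294,14 +294,14 @@" and "@@ -313,7 +313,7 @@") on the debian/0.71-1 tree, given that the reply says the upstream patch did not apply cleanly there. The DEP-3 header carries Description, Author, Bug and Bug-Debian; adding "Origin: upstream, <rt.cpan.org URL>" would record where the patch was taken from.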