-=| Moritz Muehlenhoff, 14.10.2011 17:54:44 +0200 |=-
> On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:
>
> > > Hello Damyan, are you planning to do this or do you need someone
> > > else to take over? IMO this one warrants a DSA.
> >
> > Thanks for the nudge. I have pushed the squeeze branch of
> > http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=summary
> > with the changes so others can take over for the actual uploading if I am
> > away.
> >
> > The squeeze version still has Vcs-Svn in its control file. Would it be
> > acceptable to change that too?
>
> Yes. Please upload to security-master. Note that it needs to be built
> with "-sa", since libfcgi-perl is new in stable-security.
Done. Sorry about the delay. Interdiff and debdiff follow: ========== interdiff ============ diff -Nru libfcgi-perl-0.71/debian/changelog libfcgi-perl-0.71/debian/changelog --- libfcgi-perl-0.71/debian/changelog 2010-04-01 20:30:50.000000000 +0300 +++ libfcgi-perl-0.71/debian/changelog 2011-10-24 13:06:30.000000000 +0300 @@ -1,3 +1,14 @@ +libfcgi-perl (0.71-1+squeeze1) stable-security; urgency=high + + * Team upload + + * Add patch from upstream bug tracker fixing CVE-2011-2766 + Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the + analysis and chansen for the patch. + * control: update Vcs-* fields to point to Git + + -- Damyan Ivanov <d...@debian.org> Mon, 24 Oct 2011 13:06:17 +0300 + libfcgi-perl (0.71-1) unstable; urgency=low * New upstream release. diff -Nru libfcgi-perl-0.71/debian/control libfcgi-perl-0.71/debian/control --- libfcgi-perl-0.71/debian/control 2010-04-01 20:30:50.000000000 +0300 +++ libfcgi-perl-0.71/debian/control 2011-10-24 12:59:14.000000000 +0300 @@ -8,8 +8,8 @@ Krzysztof Krzyżaniak (eloy) <e...@debian.org> Standards-Version: 3.8.4 Homepage: http://search.cpan.org/dist/FCGI/ -Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libfcgi-perl/ -Vcs-Browser: http://svn.debian.org/viewsvn/pkg-perl/trunk/libfcgi-perl/ +Vcs-Git: git://git.debian.org/pkg-perl/packages/libfcgi-perl.git +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git Package: libfcgi-perl Architecture: any diff -Nru libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch --- libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch 1970-01-01 02:00:00.000000000 +0200 +++ libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch 2011-10-24 13:02:33.000000000 +0300 
@@ -0,0 +1,42 @@ +Description: replace testing of hash value with hash reference + %hash is false if the hash hasn't been assigned to, *or* if the hash is simply + empty. This causes the environment from the *second* request (that is, the + environment produced by the first request) to be saved as default if the first + request had empty environment. This way, request after the first can get + access to credentials set up by the first request. badbadbad + This is CVE-2011-2766. +Author: chan...@cpan.org +Bug: https://rt.cpan.org/Public/Bug/Display.html?id=68380 +Bug-Debian: http://bugs.debian.org/607479 + +--- a/FCGI.PL ++++ b/FCGI.PL +@@ -294,14 +294,14 @@ sub Request(;***$*$) { + + sub accept() { + warn "accept called as a method; you probably wanted to call Accept" if @_; +- if (%FCGI::ENV) { +- %ENV = %FCGI::ENV; ++ if ( defined($FCGI::ENV) ) { ++ %ENV = %$FCGI::ENV; + } else { +- %FCGI::ENV = %ENV; ++ $FCGI::ENV = {%ENV}; + } + my $rc = Accept($global_request); +- for (keys %FCGI::ENV) { +- $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_}; ++ for (keys %$FCGI::ENV) { ++ $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_}; + } + + # not SFIO +@@ -313,7 +313,7 @@ sub accept() { + + sub finish() { + warn "finish called as a method; you probably wanted to call Finish" if @_; +- %ENV = %FCGI::ENV if %FCGI::ENV; ++ %ENV = %$FCGI::ENV if defined($FCGI::ENV); + + # not SFIO + if (tied (*STDIN)) { diff -Nru libfcgi-perl-0.71/debian/patches/series libfcgi-perl-0.71/debian/patches/series --- libfcgi-perl-0.71/debian/patches/series 2010-01-15 23:05:14.000000000 +0200 +++ libfcgi-perl-0.71/debian/patches/series 2011-10-12 11:49:36.000000000 +0300 
@@ -1 +1,2 @@ fix-pod-spelling.patch +cve-2011-2766.patch ========== debdiff ========= $ debdiff libfcgi-perl_0.71-1_amd64.deb libfcgi-perl_0.71-1+squeeze1_amd64.deb File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Depends: perl (>= [-5.10.1-11),-] {+5.10.1-17squeeze2),+} perlapi-5.10.1, libc6 (>= 2.4) Version: [-0.71-1-] {+0.71-1+squeeze1+}
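Review bot: typo in the debian/changelog hunk: "Thaks to Ferdinand for reporting" should read "Thanks to Ferdinand for reporting"; since this entry is the user-visible record of the security fix, it is worth correcting before the upload.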
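Review bot: the two new Vcs-* fields in the debian/control hunk point at different hosts: Vcs-Git uses git://git.debian.org/pkg-perl/packages/libfcgi-perl.git while Vcs-Browser uses http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git, the same anonscm URL given earlier in the thread. Consider pointing both fields at anonscm.debian.org so they stay consistent.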
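Review bot: the cve-2011-2766.patch hunk adds no regression test for the case it fixes, even though the case is easy to pin down from the Description: with an empty initial %ENV, the old `if (%FCGI::ENV)` test never saw the snapshot as taken, so the first request's environment became the baseline restored into every later request. The new code stores a hash reference and tests `defined($FCGI::ENV)`, which makes the "already saved" check independent of whether the snapshot is empty; a test that calls Accept twice starting from an empty %ENV and asserts that a variable set during the first request is absent in the second would lock that behaviour in. As a style point, the informal "badbadbad" in the DEP-3 Description could be dropped, since the sentence before it already states the impact.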