Control: tags -1 + patch
Hi,
here is a proposed patch picked from the upstream repository.
Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index b359986..18bd65c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libfcgi (2.4.2-2.2) unstable; urgency=medium
+
+ * Non-maintainer upload
+ * Fix potential memory corruption (Closes: #1092774, CVE-2025-23016)
+
+ -- Yadd <y...@debian.org> Mon, 14 Apr 2025 10:07:31 +0200
+
libfcgi (2.4.2-2.1) unstable; urgency=medium
* Non-maintainer upload.
diff --git a/debian/patches/CVE-2025-23016.patch
b/debian/patches/CVE-2025-23016.patch
new file mode 100644
index 0000000..f33d7df
--- /dev/null
+++ b/debian/patches/CVE-2025-23016.patch
@@ -0,0 +1,35 @@
+Description: Fix vuln (CVE-2025-23016) in ReadParams func
+Author: Jiri Karlik <kar...@evc00921nb.ad001.siemens.net>
+Bug: https://github.com/FastCGI-Archives/fcgi2/issues/67
+Bug-Debian: https://bugs.debian.org/1092774
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2025-04-14
+
+--- a/libfcgi/fcgiapp.c
++++ b/libfcgi/fcgiapp.c
+@@ -19,6 +19,7 @@
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ #include <string.h>
+ #include <sys/types.h>
+
+@@ -1186,6 +1187,16 @@
+ valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+ + (lenBuff[1] << 8) + lenBuff[2];
+ }
++ /* Check that nameLen and valueLen are not negative */
++ if (nameLen < 0 || valueLen < 0) {
++ SetError(stream, FCGX_PARAMS_ERROR);
++ return -1;
++ }
++ /* Check for integer overflow in the allocation size calculation */
++ if (nameLen > INT_MAX - valueLen - 2) {
++ SetError(stream, FCGX_PARAMS_ERROR);
++ return -1;
++ }
+ /*
+ * nameLen and valueLen are now valid; read the name and value
+ * from stream and construct a standard environment entry.
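Review bot: The overflow guard added in the second hunk uses `INT_MAX`, but the only header the first hunk adds is `<stdint.h>`; `INT_MAX` is declared by `<limits.h>`, so unless fcgiapp.c already includes that header somewhere outside the hunk, the build depends on it arriving transitively through another include. The safer change is to add `#include <limits.h>` next to the new `#include <stdint.h>` line (which none of the added lines appears to need, and could be dropped if nothing else in the file uses it). The guard itself looks right for the visible decode, since the `& 0x7f` mask keeps both four-byte lengths within int range and `INT_MAX - valueLen - 2` cannot underflow for those values. The enclosing ReadParams function, including the allocation this check protects, starts and ends outside the hunk.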
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..b42c1c0
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2025-23016.patch