The upstream patch applies cleanly on (old)stable.
Please find two debdiffs attached.
diff -Nru libfcgi-2.4.2/debian/changelog libfcgi-2.4.2/debian/changelog
--- libfcgi-2.4.2/debian/changelog      2020-01-01 00:00:01.000000000 +0000
+++ libfcgi-2.4.2/debian/changelog      2025-04-14 18:53:11.000000000 +0000
@@ -1,3 +1,10 @@
+libfcgi (2.4.2-2+deb12u1) bullseye-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fix integer overflow. (Closes: #1092774, CVE-2025-23016)
+
+ -- Bastian Germann <b...@debian.org>  Mon, 14 Apr 2025 18:53:11 +0000
+
 libfcgi (2.4.2-2) unstable; urgency=medium
 
   * Move to unstable: no changes required.
diff -Nru libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch 
libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch
--- libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch   1970-01-01 
00:00:00.000000000 +0000
+++ libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch   2025-04-14 
18:51:14.000000000 +0000
@@ -0,0 +1,31 @@
+Origin: upstream, b0eabcaf4d4f371514891a52115c746815c2ff15
+From: Pycatchown <39068868+pycatch...@users.noreply.github.com>
+Date: Tue, 8 Apr 2025 17:39:30 +0200
+Subject: Update fcgiapp.c
+
+Fixing an integer overflow (CVE-2025-23016)
+---
+--- a/libfcgi/fcgiapp.c
++++ b/libfcgi/fcgiapp.c
+@@ -1175,6 +1175,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream 
*stream)
+           }
+             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
++          if (nameLen >= INT_MAX) {
++                SetError(stream, FCGX_PARAMS_ERROR);
++                return -1;
++          }
+         }
+         if((valueLen = FCGX_GetChar(stream)) == EOF) {
+             SetError(stream, FCGX_PARAMS_ERROR);
+@@ -1187,6 +1191,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream 
*stream)
+           }
+             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
++          if (valueLen >= INT_MAX) {
++                SetError(stream, FCGX_PARAMS_ERROR);
++                return -1;
++          }
+         }
+         /*
+          * nameLen and valueLen are now valid; read the name and value
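Review bot: The two added guards bound nameLen (first fcgiapp.c hunk) and valueLen (second hunk) only individually, and since the visible masking caps each computed value at exactly INT_MAX the `>=` tests reject just that one value, so both lengths can still be accepted at INT_MAX - 1 and their sum overshoots INT_MAX; if the code following the hunk sizes the combined name/value buffer with an int expression (that use is outside the hunk), the signed addition can still overflow, which is undefined behaviour. A combined bound after the valueLen block, `if (valueLen > INT_MAX - 2 - nameLen) { SetError(stream, FCGX_PARAMS_ERROR); return -1; }`, closes that gap independently of how the later allocation is written. The patch also starts using INT_MAX without adding `#include <limits.h>`; if fcgiapp.c does not already include it, the patch should. The identical patch content appears again in the second debdiff (the hunk under the bookworm changelog ending at the same `nameLen and valueLen are now valid` line) and needs the same change. ReadParams begins and ends outside the hunk.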
diff -Nru libfcgi-2.4.2/debian/patches/series 
libfcgi-2.4.2/debian/patches/series
--- libfcgi-2.4.2/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libfcgi-2.4.2/debian/patches/series 2025-04-14 18:52:10.000000000 +0000
@@ -0,0 +1 @@
+CVE-2025-23016.patch
diff -Nru libfcgi-2.4.2/debian/changelog libfcgi-2.4.2/debian/changelog
--- libfcgi-2.4.2/debian/changelog      2020-01-01 00:00:01.000000000 +0000
+++ libfcgi-2.4.2/debian/changelog      2025-04-14 18:53:11.000000000 +0000
@@ -1,3 +1,10 @@
+libfcgi (2.4.2-2+deb12u1) bookworm-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fix integer overflow. (Closes: #1092774, CVE-2025-23016)
+
+ -- Bastian Germann <b...@debian.org>  Mon, 14 Apr 2025 18:53:11 +0000
+
 libfcgi (2.4.2-2) unstable; urgency=medium
 
   * Move to unstable: no changes required.
diff -Nru libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch 
libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch
--- libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch   1970-01-01 
00:00:00.000000000 +0000
+++ libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch   2025-04-14 
18:51:14.000000000 +0000
@@ -0,0 +1,31 @@
+Origin: upstream, b0eabcaf4d4f371514891a52115c746815c2ff15
+From: Pycatchown <39068868+pycatch...@users.noreply.github.com>
+Date: Tue, 8 Apr 2025 17:39:30 +0200
+Subject: Update fcgiapp.c
+
+Fixing an integer overflow (CVE-2025-23016)
+---
+--- a/libfcgi/fcgiapp.c
++++ b/libfcgi/fcgiapp.c
+@@ -1175,6 +1175,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream 
*stream)
+           }
+             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
++          if (nameLen >= INT_MAX) {
++                SetError(stream, FCGX_PARAMS_ERROR);
++                return -1;
++          }
+         }
+         if((valueLen = FCGX_GetChar(stream)) == EOF) {
+             SetError(stream, FCGX_PARAMS_ERROR);
+@@ -1187,6 +1191,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream 
*stream)
+           }
+             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
++          if (valueLen >= INT_MAX) {
++                SetError(stream, FCGX_PARAMS_ERROR);
++                return -1;
++          }
+         }
+         /*
+          * nameLen and valueLen are now valid; read the name and value
diff -Nru libfcgi-2.4.2/debian/patches/series 
libfcgi-2.4.2/debian/patches/series
--- libfcgi-2.4.2/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libfcgi-2.4.2/debian/patches/series 2025-04-14 18:52:10.000000000 +0000
@@ -0,0 +1 @@
+CVE-2025-23016.patch
