Accepting request 97777 from home:darix:branches:OBS_Maintained:FastCGI

- added FastCGI-fix_deprecated_api.patch: (bnc#735882) Fixes an issue where CGI.pm received CGI variables from previous requests. CVE-2011-2766 OBS-URL: https://build.opensuse.org/request/show/97777 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/FastCGI?expand=0&rev=24
2011-12-21 16:26:41 +00:00 · 2011-12-21 16:26:41 +00:00 · 0027213963
commit 0027213963
parent 5934706f91
3 changed files with 62 additions and 0 deletions
--- a/FastCGI-fix_deprecated_api.patch
+++ b/FastCGI-fix_deprecated_api.patch
@ -0,0 +1,53 @@
+From: Florian Ragwitz <rafl@debian.org>
+Date: Sat, 24 Sep 2011 07:54:33 +0000 (+0200)
+Subject: Stop leaking information across requests
+X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2Ffcgi2.git;a=commitdiff_plain;h=297693dc8362d25bb25e473899c72508a0f71d2e
+
+Stop leaking information across requests
+
+%hash is false if the hash hasn't been assigned to, *or* if the hash is simply
+empty. This causes the environment from the *second* request (that is, the
+environment produced by the first request) to be saved as default if the first
+request had empty environment. This way, request after the first can get access
+to credentials set up by the first request.
+
+Instead of fixing this, I'd much rather remove this old and buggy
+interface. However, 10 years of deprecation don't seem to have been enough for
+CGI::Fast to switch to the new and properly supported interface. :-(
+
+This is CVE-2011-2766.
+---
+
+Index: perl/FCGI.PL
+===================================================================
+--- perl/FCGI.PL.orig	2002-12-15 21:02:48.000000000 +0100
+++ perl/FCGI.PL	2011-12-12 11:24:08.885998082 +0100
+@@ -291,14 +291,14 @@ sub Request(;***$*$) {
+ 
+ sub accept() {
+     warn "accept called as a method; you probably wanted to call Accept" if @_;
+-    if (defined %FCGI::ENV) {
+-	%ENV = %FCGI::ENV;
+    if ( defined($FCGI::ENV) ) {
+        %ENV = %$FCGI::ENV;
+     } else {
+-	%FCGI::ENV = %ENV;
+        $FCGI::ENV = {%ENV};
+     }
+     my $rc = Accept($global_request);
+-    for (keys %FCGI::ENV) {
+-	$ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
+    for (keys %$FCGI::ENV) {
+        $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+     }
+ 
+     # not SFIO
+@@ -310,7 +310,7 @@ sub accept() {
+ 
+ sub finish() {
+     warn "finish called as a method; you probably wanted to call Finish" if @_;
+-    %ENV = %FCGI::ENV if (defined %FCGI::ENV);
+    %ENV = %$FCGI::ENV if defined($FCGI::ENV);
+ 
+     # not SFIO
+     if (tied (*STDIN)) {
--- a/FastCGI.changes
+++ b/FastCGI.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Dec 21 16:14:12 UTC 2011 - mrueckert@suse.com
+
+- added FastCGI-fix_deprecated_api.patch: (bnc#735882)
+  Fixes an issue where CGI.pm received CGI variables from previous
+  requests. CVE-2011-2766
+
 -------------------------------------------------------------------
 Sat Oct 15 04:47:09 UTC 2011 - coolo@suse.com

--- a/FastCGI.spec
+++ b/FastCGI.spec
@ -37,6 +37,7 @@ Patch2:         FastCGI-supervise_cgi-fcgi.patch
 Patch3:         fastcgi-2.4.0_missing_call_to_fclose.patch
 Patch4:         FastCGI-gcc44.patch
 Patch5:         FastCGI-perl514.patch
+Patch6:         FastCGI-fix_deprecated_api.patch
 #
 Summary:        A Scalable, Open Extension to CGI

@ -82,6 +83,7 @@ APIs.
 %patch3
 %patch4
 %patch5
+%patch6
 touch NEWS AUTHORS ChangeLog COPYING
 find doc/{fastcgi-prog-guide,fastcgi-whitepaper} -type f -print0 | xargs -r0 chmod 0644