From 0027213963febf628273774b16803ac4fef552706502defdb6745ef0a57621ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Wed, 21 Dec 2011 16:26:41 +0000 Subject: [PATCH] Accepting request 97777 from home:darix:branches:OBS_Maintained:FastCGI - added FastCGI-fix_deprecated_api.patch: (bnc#735882) Fixes an issue where CGI.pm received CGI variables from previous requests. CVE-2011-2766 OBS-URL: https://build.opensuse.org/request/show/97777 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/FastCGI?expand=0&rev=24 --- FastCGI-fix_deprecated_api.patch | 53 ++++++++++++++++++++++++++++++++ FastCGI.changes | 7 +++++ FastCGI.spec | 2 ++ 3 files changed, 62 insertions(+) create mode 100644 FastCGI-fix_deprecated_api.patch diff --git a/FastCGI-fix_deprecated_api.patch b/FastCGI-fix_deprecated_api.patch new file mode 100644 index 0000000..0cc65b8 --- /dev/null +++ b/FastCGI-fix_deprecated_api.patch 
@@ -0,0 +1,53 @@
+From: Florian Ragwitz
+Date: Sat, 24 Sep 2011 07:54:33 +0000 (+0200)
+Subject: Stop leaking information across requests
+X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2Ffcgi2.git;a=commitdiff_plain;h=297693dc8362d25bb25e473899c72508a0f71d2e
+
+Stop leaking information across requests
+
+%hash is false if the hash hasn't been assigned to, *or* if the hash is simply
+empty. This causes the environment from the *second* request (that is, the
+environment produced by the first request) to be saved as default if the first
+request had empty environment. This way, request after the first can get access
+to credentials set up by the first request.
+
+Instead of fixing this, I'd much rather remove this old and buggy
+interface. However, 10 years of deprecation don't seem to have been enough for
+CGI::Fast to switch to the new and properly supported interface. :-(
+
+This is CVE-2011-2766.
+---
+
+Index: perl/FCGI.PL
+===================================================================
+--- perl/FCGI.PL.orig 2002-12-15 21:02:48.000000000 +0100
++++ perl/FCGI.PL 2011-12-12 11:24:08.885998082 +0100
+@@ -291,14 +291,14 @@ sub Request(;***$*$) {
+
+sub accept() {
+ warn "accept called as a method; you probably wanted to call Accept" if @_;
+- if (defined %FCGI::ENV) {
+- %ENV = %FCGI::ENV;
++ if ( defined($FCGI::ENV) ) {
++ %ENV = %$FCGI::ENV;
+ } else {
+- %FCGI::ENV = %ENV;
++ $FCGI::ENV = {%ENV};
+ }
+ my $rc = Accept($global_request);
+- for (keys %FCGI::ENV) {
+- $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++ for (keys %$FCGI::ENV) {
++ $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+ }
+
+ # not SFIO
+@@ -310,7 +310,7 @@ sub accept() {
+
+sub finish() {
+ warn "finish called as a method; you probably wanted to call Finish" if @_;
+- %ENV = %FCGI::ENV if (defined %FCGI::ENV);
++ %ENV = %$FCGI::ENV if defined($FCGI::ENV);
+
+ # not SFIO
+ if (tied (*STDIN)) {
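Review bot: Nothing in the patched `accept()` or `finish()` records why the saved environment moved from the hash `%FCGI::ENV` to the scalar reference `$FCGI::ENV`, so a later cleanup could reintroduce the empty-versus-never-saved confusion this patch fixes. I would add above the `defined($FCGI::ENV)` test in `accept()`: `# hashref on purpose: an empty %hash tests the same as one never saved (CVE-2011-2766)`. The package variable also changes type, so any caller that still reads or writes `%FCGI::ENV` directly would presumably no longer affect what is restored; that is worth confirming against CGI::Fast before shipping. Both subs continue past the end of their hunks.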
diff --git a/FastCGI.changes b/FastCGI.changes index 807a210..eaa8b6b 100644 --- a/FastCGI.changes +++ b/FastCGI.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Dec 21 16:14:12 UTC 2011 - mrueckert@suse.com + +- added FastCGI-fix_deprecated_api.patch: (bnc#735882) + Fixes an issue where CGI.pm received CGI variables from previous + requests. CVE-2011-2766 + ------------------------------------------------------------------- Sat Oct 15 04:47:09 UTC 2011 - coolo@suse.com diff --git a/FastCGI.spec b/FastCGI.spec index a79f917..066acb3 100644 --- a/FastCGI.spec +++ b/FastCGI.spec @@ -37,6 +37,7 @@ Patch2: FastCGI-supervise_cgi-fcgi.patch Patch3: fastcgi-2.4.0_missing_call_to_fclose.patch Patch4: FastCGI-gcc44.patch Patch5: FastCGI-perl514.patch +Patch6: FastCGI-fix_deprecated_api.patch # Summary: A Scalable, Open Extension to CGI @@ -82,6 +83,7 @@ APIs. %patch3 %patch4 %patch5 +%patch6 touch NEWS AUTHORS ChangeLog COPYING find doc/{fastcgi-prog-guide,fastcgi-whitepaper} -type f -print0 | xargs -r0 chmod 0644