pool/FastCGI
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 97778 from devel:libraries:c_c++

Browse Source 
- added FastCGI-fix_deprecated_api.patch: (bnc#735882)
  Fixes an issue where CGI.pm received CGI variables from previous
  requests. CVE-2011-2766 (forwarded request 97777 from darix)

OBS-URL: https://build.opensuse.org/request/show/97778
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/FastCGI?expand=0&rev=18
This commit is contained in:
Stephan Kulow 2011-12-25 16:34:01 +00:00 committed by Git OBS Bridge
commit 3f2c01970f
3 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
FastCGI-fix_deprecated_api.patch Normal file
View File

@ -0,0 +1,53 @@
From: Florian Ragwitz <rafl@debian.org>
Date: Sat, 24 Sep 2011 07:54:33 +0000 (+0200)
Subject: Stop leaking information across requests
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?p=catagits%2Ffcgi2.git;a=commitdiff_plain;h=297693dc8362d25bb25e473899c72508a0f71d2e
Stop leaking information across requests
%hash is false if the hash hasn't been assigned to, *or* if the hash is simply
empty. This causes the environment from the *second* request (that is, the
environment produced by the first request) to be saved as default if the first
request had empty environment. This way, request after the first can get access
to credentials set up by the first request.
Instead of fixing this, I'd much rather remove this old and buggy
interface. However, 10 years of deprecation don't seem to have been enough for
CGI::Fast to switch to the new and properly supported interface. :-(
This is CVE-2011-2766.
---
Index: perl/FCGI.PL
===================================================================
--- perl/FCGI.PL.orig 2002-12-15 21:02:48.000000000 +0100
+++ perl/FCGI.PL 2011-12-12 11:24:08.885998082 +0100
@@ -291,14 +291,14 @@ sub Request(;***$*$) {
sub accept() {
warn "accept called as a method; you probably wanted to call Accept" if @_;
- if (defined %FCGI::ENV) {
- %ENV = %FCGI::ENV;
+ if ( defined($FCGI::ENV) ) {
+ %ENV = %$FCGI::ENV;
} else {
- %FCGI::ENV = %ENV;
+ $FCGI::ENV = {%ENV};
}
my $rc = Accept($global_request);
- for (keys %FCGI::ENV) {
- $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
+ for (keys %$FCGI::ENV) {
+ $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
}
# not SFIO
@@ -310,7 +310,7 @@ sub accept() {
sub finish() {
warn "finish called as a method; you probably wanted to call Finish" if @_;
- %ENV = %FCGI::ENV if (defined %FCGI::ENV);
+ %ENV = %$FCGI::ENV if defined($FCGI::ENV);
# not SFIO
if (tied (*STDIN)) {

7
FastCGI.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Dec 21 16:14:12 UTC 2011 - mrueckert@suse.com
- added FastCGI-fix_deprecated_api.patch: (bnc#735882)
Fixes an issue where CGI.pm received CGI variables from previous
requests. CVE-2011-2766
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Oct 15 04:47:09 UTC 2011 - coolo@suse.com Sat Oct 15 04:47:09 UTC 2011 - coolo@suse.com

2
FastCGI.spec
View File

@ -37,6 +37,7 @@ Patch2: FastCGI-supervise_cgi-fcgi.patch
Patch3: fastcgi-2.4.0_missing_call_to_fclose.patch Patch3: fastcgi-2.4.0_missing_call_to_fclose.patch
Patch4: FastCGI-gcc44.patch Patch4: FastCGI-gcc44.patch
Patch5: FastCGI-perl514.patch Patch5: FastCGI-perl514.patch
Patch6: FastCGI-fix_deprecated_api.patch
# #
Summary: A Scalable, Open Extension to CGI Summary: A Scalable, Open Extension to CGI
@ -82,6 +83,7 @@ APIs.
%patch3 %patch3
%patch4 %patch4
%patch5 %patch5
%patch6
touch NEWS AUTHORS ChangeLog COPYING touch NEWS AUTHORS ChangeLog COPYING
find doc/{fastcgi-prog-guide,fastcgi-whitepaper} -type f -print0 | xargs -r0 chmod 0644 find doc/{fastcgi-prog-guide,fastcgi-whitepaper} -type f -print0 | xargs -r0 chmod 0644