[SCM] Debian packaging of libfcgi-perl branch, master, updated. 491e5d141a11c750d1213a947a8c2ecf424145ee
Damyan Ivanov
dmn at debian.org
Sat Sep 17 19:01:24 UTC 2011
The following commit has been merged in the master branch:
commit 491e5d141a11c750d1213a947a8c2ecf424145ee
Author: Damyan Ivanov <dmn at debian.org>
Date: Sat Sep 17 22:01:17 2011 +0300
Add patch from upstream bug tracker fixing CVE-2011-2766
Closes: #607479
Thaks to Ferdinand for reporting, Russ Allbery for the analysis and chansen for
the patch.
diff --git a/debian/changelog b/debian/changelog
index 2214972..19e9e46 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,11 @@ libfcgi-perl (0.73-2) UNRELEASED; urgency=low
* debian/copyright: Replace DEP5 Format-Specification URL from
svn.debian.org to anonscm.debian.org URL.
+ [ Damyan Ivanov ]
+ * Add patch from upstream bug tracker fixing CVE-2011-2766
+ Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the
+ analysis and chansen for the patch.
+
-- Ansgar Burchardt <ansgar at debian.org> Wed, 27 Jul 2011 18:43:44 +0200
libfcgi-perl (0.73-1) unstable; urgency=low
diff --git a/debian/patches/cve-2011-2766.patch b/debian/patches/cve-2011-2766.patch
new file mode 100644
index 0000000..a63694e
--- /dev/null
+++ b/debian/patches/cve-2011-2766.patch
@@ -0,0 +1,42 @@
+Description: replace testing of hash value with hash reference
+ %hash is false if the hash hasn't been assigned to, *or* if the hash is simply
+ empty. This causes the environment from the *second* request (that is, the
+ environment produced by the first request) to be saved as default if the first
+ request had empty environment. This way, request after the first can get
+ access to credentials set up by the first request. badbadbad
+ This is CVE-2011-2766.
+Author: chansen at cpan.org
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=68380
+Bug-Debian: http://bugs.debian.org/607479
+
+--- a/FCGI.PL
++++ b/FCGI.PL
+@@ -295,14 +295,14 @@ sub Request(;***$*$) {
+
+ sub accept() {
+ warn "accept called as a method; you probably wanted to call Accept" if @_;
+- if (%FCGI::ENV) {
+- %ENV = %FCGI::ENV;
++ if ( defined($FCGI::ENV) ) {
++ %ENV = %$FCGI::ENV;
+ } else {
+- %FCGI::ENV = %ENV;
++ $FCGI::ENV = {%ENV};
+ }
+ my $rc = Accept($global_request);
+- for (keys %FCGI::ENV) {
+- $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++ for (keys %$FCGI::ENV) {
++ $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+ }
+
+ # not SFIO
+@@ -314,7 +314,7 @@ sub accept() {
+
+ sub finish() {
+ warn "finish called as a method; you probably wanted to call Finish" if @_;
+- %ENV = %FCGI::ENV if %FCGI::ENV;
++ %ENV = %$FCGI::ENV if defined($FCGI::ENV);
+
+ # not SFIO
+ if (tied (*STDIN)) {
diff --git a/debian/patches/series b/debian/patches/series
index a6b8568..016c835 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
+cve-2011-2766.patch
fix-pod-error.patch
--
Debian packaging of libfcgi-perl
More information about the Pkg-perl-cvs-commits
mailing list