[libfcgi-perl] 01/02: CVE-2012-6687: numerous connections cause segfault DoS

[Salvatore Bonaccorso]

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie
in repository libfcgi-perl.

commit c7f207595fbba0f8bc45c569e07266cdf82f1fc9
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Tue Dec 27 08:02:31 2016 +0100

    CVE-2012-6687: numerous connections cause segfault DoS
    
    Closes: #815840
---
 debian/patches/CVE-2012-6687.patch | 85 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 86 insertions(+)

diff --git a/debian/patches/CVE-2012-6687.patch b/debian/patches/CVE-2012-6687.patch
new file mode 100644
index 0000000..7db15a5
--- /dev/null
+++ b/debian/patches/CVE-2012-6687.patch
@@ -0,0 +1,85 @@
+Description: fix CVE-2012-6687 in bundled libfcgi
+Origin: https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417
+Bug-Debian: https://bugs.debian.org/815840
+Forwarded: https://rt.cpan.org/Ticket/Display.html?id=118405
+Last-Update: 2016-12-27
+
+--- a/os_unix.c
++++ b/os_unix.c
+@@ -36,6 +36,7 @@
+ #include <sys/time.h>
+ #include <sys/un.h>
+ #include <signal.h>
++#include <poll.h>
+ 
+ #ifdef HAVE_NETDB_H
+ #include <netdb.h>
+@@ -97,6 +98,9 @@
+ static int shutdownPending = FALSE;
+ static int shutdownNow = FALSE;
+ 
++static int libfcgiOsClosePollTimeout = 2000;
++static int libfcgiIsAfUnixKeeperPollTimeout = 2000;
++
+ void OS_ShutdownPending()
+ {
+     shutdownPending = TRUE;
+@@ -162,6 +166,16 @@
+     if(libInitialized)
+         return 0;
+ 
++    char *libfcgiOsClosePollTimeoutStr = getenv( "LIBFCGI_OS_CLOSE_POLL_TIMEOUT" );
++    if(libfcgiOsClosePollTimeoutStr) {
++        libfcgiOsClosePollTimeout = atoi(libfcgiOsClosePollTimeoutStr);
++    }
++
++    char *libfcgiIsAfUnixKeeperPollTimeoutStr = getenv( "LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT" );
++    if(libfcgiIsAfUnixKeeperPollTimeoutStr) {
++        libfcgiIsAfUnixKeeperPollTimeout = atoi(libfcgiIsAfUnixKeeperPollTimeoutStr);
++    }
++
+     asyncIoTable = (AioInfo *)malloc(asyncIoTableSize * sizeof(AioInfo));
+     if(asyncIoTable == NULL) {
+         errno = ENOMEM;
+@@ -751,19 +765,16 @@
+     {
+         if (shutdown(fd, 1) == 0)
+         {
+-            struct timeval tv;
+-            fd_set rfds;
++            struct pollfd pfd;
+             int rv;
+             char trash[1024];
+ 
+-            FD_ZERO(&rfds);
++            pfd.fd = fd;
++            pfd.events = POLLIN;
+ 
+             do 
+             {
+-                FD_SET(fd, &rfds);
+-                tv.tv_sec = 2;
+-                tv.tv_usec = 0;
+-                rv = select(fd + 1, &rfds, NULL, NULL, &tv);
++                rv = poll(&pfd, 1, libfcgiOsClosePollTimeout);
+             }
+             while (rv > 0 && read(fd, trash, sizeof(trash)) > 0);
+         }
+@@ -1113,13 +1124,11 @@
+  */
+ static int is_af_unix_keeper(const int fd)
+ {
+-    struct timeval tval = { READABLE_UNIX_FD_DROP_DEAD_TIMEVAL };
+-    fd_set read_fds;
+-
+-    FD_ZERO(&read_fds);
+-    FD_SET(fd, &read_fds);
++    struct pollfd pfd;
++    pfd.fd = fd;
++    pfd.events = POLLIN;
+ 
+-    return select(fd + 1, &read_fds, NULL, NULL, &tval) >= 0 && FD_ISSET(fd, &read_fds);
++    return poll(&pfd, 1, libfcgiIsAfUnixKeeperPollTimeout) >= 0 && (pfd.revents & POLLIN);
+ }
+ 
+ /*
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1d61539
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2012-6687.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libfcgi-perl.git