[libfcgi-perl] 01/01: Add fix for CVE-2012-6687 in bundled libfcgi (closes: #815840)
Florian Schlichting
fsfs at moszumanska.debian.org
Sun Oct 16 13:51:21 UTC 2016
This is an automated email from the git hooks/post-receive script.
fsfs pushed a commit to branch master
in repository libfcgi-perl.
commit 24222cbef33447aec059153d3ac7abbd99988258
Author: Florian Schlichting <fsfs at debian.org>
Date: Sun Oct 16 15:48:29 2016 +0200
Add fix for CVE-2012-6687 in bundled libfcgi (closes: #815840)
---
debian/changelog | 10 ++++-
debian/patches/CVE-2012-6687.patch | 84 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 93 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 542a44f..de1b37a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,14 @@
-libfcgi-perl (0.78-2) UNRELEASED; urgency=medium
+libfcgi-perl (0.78-2) unstable; urgency=medium
+ * Team upload
+
+ [ gregor herrmann ]
* Remove Jonathan Yu from Uploaders. Thanks for your work!
- -- gregor herrmann <gregoa at debian.org> Sat, 20 Aug 2016 02:40:20 +0200
+ [ Florian Schlichting ]
+ * Add fix for CVE-2012-6687 in bundled libfcgi (closes: #815840)
+
+ -- Florian Schlichting <fsfs at debian.org> Sun, 16 Oct 2016 15:48:17 +0200
libfcgi-perl (0.78-1) unstable; urgency=medium
diff --git a/debian/patches/CVE-2012-6687.patch b/debian/patches/CVE-2012-6687.patch
new file mode 100644
index 0000000..146cb6f
--- /dev/null
+++ b/debian/patches/CVE-2012-6687.patch
@@ -0,0 +1,84 @@
+Description: fix CVE-2012-6687 in bundled libfcgi
+Origin: https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815840
+Forwarded: https://rt.cpan.org/Ticket/Display.html?id=118405
+
+--- a/os_unix.c
++++ b/os_unix.c
+@@ -36,6 +36,7 @@
+ #include <sys/time.h>
+ #include <sys/un.h>
+ #include <signal.h>
++#include <poll.h>
+
+ #ifdef HAVE_NETDB_H
+ #include <netdb.h>
+@@ -97,6 +98,9 @@
+ static int shutdownPending = FALSE;
+ static int shutdownNow = FALSE;
+
++static int libfcgiOsClosePollTimeout = 2000;
++static int libfcgiIsAfUnixKeeperPollTimeout = 2000;
++
+ void OS_ShutdownPending()
+ {
+ shutdownPending = TRUE;
+@@ -162,6 +166,16 @@
+ if(libInitialized)
+ return 0;
+
++ char *libfcgiOsClosePollTimeoutStr = getenv( "LIBFCGI_OS_CLOSE_POLL_TIMEOUT" );
++ if(libfcgiOsClosePollTimeoutStr) {
++ libfcgiOsClosePollTimeout = atoi(libfcgiOsClosePollTimeoutStr);
++ }
++
++ char *libfcgiIsAfUnixKeeperPollTimeoutStr = getenv( "LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT" );
++ if(libfcgiIsAfUnixKeeperPollTimeoutStr) {
++ libfcgiIsAfUnixKeeperPollTimeout = atoi(libfcgiIsAfUnixKeeperPollTimeoutStr);
++ }
++
+ asyncIoTable = (AioInfo *)malloc(asyncIoTableSize * sizeof(AioInfo));
+ if(asyncIoTable == NULL) {
+ errno = ENOMEM;
+@@ -751,19 +765,16 @@
+ {
+ if (shutdown(fd, 1) == 0)
+ {
+- struct timeval tv;
+- fd_set rfds;
++ struct pollfd pfd;
+ int rv;
+ char trash[1024];
+
+- FD_ZERO(&rfds);
++ pfd.fd = fd;
++ pfd.events = POLLIN;
+
+ do
+ {
+- FD_SET(fd, &rfds);
+- tv.tv_sec = 2;
+- tv.tv_usec = 0;
+- rv = select(fd + 1, &rfds, NULL, NULL, &tv);
++ rv = poll(&pfd, 1, libfcgiOsClosePollTimeout);
+ }
+ while (rv > 0 && read(fd, trash, sizeof(trash)) > 0);
+ }
+@@ -1113,13 +1124,11 @@
+ */
+ static int is_af_unix_keeper(const int fd)
+ {
+- struct timeval tval = { READABLE_UNIX_FD_DROP_DEAD_TIMEVAL };
+- fd_set read_fds;
+-
+- FD_ZERO(&read_fds);
+- FD_SET(fd, &read_fds);
++ struct pollfd pfd;
++ pfd.fd = fd;
++ pfd.events = POLLIN;
+
+- return select(fd + 1, &read_fds, NULL, NULL, &tval) >= 0 && FD_ISSET(fd, &read_fds);
++ return poll(&pfd, 1, libfcgiIsAfUnixKeeperPollTimeout) >= 0 && (pfd.revents & POLLIN);
+ }
+
+ /*
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1d61539
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2012-6687.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libfcgi-perl.git
More information about the Pkg-perl-cvs-commits
mailing list