[Secure-testing-team] Bug#815840: libfcgi-perl: bundles libfcgi, vulnerable to CVE-2012-6687

Tianon Gravi tianon at debian.org
Thu Feb 25 00:06:54 UTC 2016


Package: libfcgi-perl
Version: 0.77-1+b2
Severity: important
Tags: security upstream

It would appear that the version of libfcgi that upstream has bundled is vulnerable to CVE-2012-6687.

I had hoped that unbundling would be our easiest solution here (adding "libfcgi-dev" to "Build-Depends" and adding "override_dh_auto_configure" to include "--use-installed"), but it runs into issues with "FCGX_Detach" missing:

|    dh_auto_test -O--buildsystem=perl_makemaker
| 	make -j1 test TEST_VERBOSE=1
| make[1]: Entering directory '/usr/src/pkg'
| Running Mkbootstrap for FCGI ()
| chmod 644 "FCGI.bs"
| PERL_DL_NONLAZY=1 "/usr/bin/perl" "-Iblib/lib" "-Iblib/arch" test.pl
| 1..1
| # Running under perl version 5.022001 for linux
| # Current time local: Wed Feb 24 23:47:47 2016
| # Current time GMT:   Wed Feb 24 23:47:47 2016
| # Using Test.pm version 1.26
| Can't load 'blib/arch/auto/FCGI/FCGI.so' for module FCGI: blib/arch/auto/FCGI/FCGI.so: undefined symbol: FCGX_Detach at /usr/share/perl/5.22/XSLoader.pm line 70.
|  at blib/arch/FCGI.pm line 8.
| BEGIN failed--compilation aborted at blib/arch/FCGI.pm line 9.
| Compilation failed in require at test.pl line 3.
| BEGIN failed--compilation aborted at test.pl line 3.
| Makefile:1017: recipe for target 'test_dynamic' failed
| make[1]: Leaving directory '/usr/src/pkg'
| make[1]: *** [test_dynamic] Error 2
| dh_auto_test: make -j1 test TEST_VERBOSE=1 returned exit code 2


I'm in a bit over my head, but hopefully something sane can be done here (since upstream doesn't seem to be especially active based on the date of the most recent release and the activity on the issue tracker).

Thanks!

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages libfcgi-perl depends on:
ii  libc6                       2.21-9
ii  perl                        5.22.1-7
ii  perl-base [perlapi-5.22.1]  5.22.1-7

libfcgi-perl recommends no packages.

libfcgi-perl suggests no packages.

-- no debconf information
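The unbundling attempt above only surfaces the missing FCGX_Detach when the test suite dlopens FCGI.so. As an added example (not code from the bug report or from the libfcgi-perl package), this script checks the same thing directly from saved `nm -D` output: which FCGX_* symbols the rebuilt module still imports, and whether the system libfcgi exports all of them, so a maintainer can confirm the package really links against the patched system library. File paths and sample symbol lists are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or the libfcgi-perl package.
# Compares the FCGX_* symbols a rebuilt FCGI.so still imports against the
# FCGX_* symbols the system libfcgi exports, using saved `nm -D` output,
# e.g.  nm -D blib/arch/auto/FCGI/FCGI.so > need.txt
#       nm -D /usr/lib/x86_64-linux-gnu/libfcgi.so.0 > have.txt
# (both paths are assumptions for illustration).
set -eu
export LC_ALL=C   # fixed collation so sort(1) and comm(1) agree

# Undefined FCGX_* symbols in saved nm output ($1). Such lines look like
# "                 U FCGX_Detach": awk strips leading blanks, so the
# symbol type is $1 and the name is $2.
undefined_fcgx() {
    awk '$1 == "U" && $2 ~ /^FCGX_/ { print $2 }' "$1" | sort -u
}

# Exported (T or W) FCGX_* symbols in saved nm output ($1). Such lines
# look like "0000000000003a40 T FCGX_Accept": type is $2, name is $3.
exported_fcgx() {
    awk '($2 == "T" || $2 == "W") && $3 ~ /^FCGX_/ { print $3 }' "$1" | sort -u
}

# Print the FCGX_* symbols the module needs but the library does not export.
missing_fcgx() {
    need_list=$(mktemp); have_list=$(mktemp)
    undefined_fcgx "$1" > "$need_list"
    exported_fcgx "$2" > "$have_list"
    comm -23 "$need_list" "$have_list"   # lines only in the "need" list
    rm -f "$need_list" "$have_list"
}

# Exit 0 when every imported FCGX_* symbol resolves, 1 otherwise.
check_unbundled() {
    missing=$(missing_fcgx "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'unresolved against system libfcgi: %s\n' "$missing" >&2
        return 1
    fi
    echo "all FCGX_* imports resolve against the system libfcgi"
}

# Usage: sh check-fcgx.sh need.txt have.txt
if [ $# -eq 2 ]; then
    check_unbundled "$1" "$2"
fi
```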