Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu

Hi:

There is a stack smashing/corruption bug in libfcgi/2.4.0-8. The bug was fixed in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591, however this package is currently in unstable as other changes were added as well.

This bug is a security issue as you can DoS a server process quite easily. A CVE has been assigned (CVE-2012-6687): http://www.openwall.com/lists/oss-security/2015/02/07/4.

Ubuntu accepted my patched version of their package into 12.04 precise-security: https://bugs.launchpad.net/ubuntu/precise/+source/libfcgi/+bug/1418778

Instructions for setting up a PoC: https://gist.github.com/ice799/abc2522397b1605a5d7f.

I sent my changes to the security team who told me this should be fixed with an 's-p-u' so I am trying to follow directions found online on how to do this.

I've attached a debdiff I generated against the version in stable.

Let me know how else I can help.

Thanks,
Joe

-- System Information:
Debian Release: 7.6
  APT prefers wheezy
  APT policy: (500, 'wheezy'), (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

libfcgi_2.4.0-8.1_2.4.0-8.2.diff.gz
Description: GNU Zip compressed data