Bug#849438: marked as done (jessie-pu: package libfcgi-perl/0.77-1+deb8u1)

Debian Bug Tracking System Sat, 14 Jan 2017 04:47:44 -0800

Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.ca...@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #849438,
regarding jessie-pu: package libfcgi-perl/0.77-1+deb8u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
849438: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849438
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi SRM

Moritz Mühlenhoff suggested to fix CVE-2012-6687 for libfcgi-perl via
a point release (since it does not warrant a DSA). Attached is a
debdiff for libfcgi-perl as in stable.

Could you consider to have it included in the upcoming point release?

Regards,
Salvatore

diff -Nru libfcgi-perl-0.77/debian/changelog libfcgi-perl-0.77/debian/changelog
--- libfcgi-perl-0.77/debian/changelog	2014-08-12 23:13:41.000000000 +0200
+++ libfcgi-perl-0.77/debian/changelog	2016-12-27 08:06:30.000000000 +0100
@@ -1,3 +1,10 @@
+libfcgi-perl (0.77-1+deb8u1) jessie; urgency=medium
+
+  * Team upload.
+  * CVE-2012-6687: numerous connections cause segfault DoS (Closes: #815840)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 27 Dec 2016 08:06:30 +0100
+
 libfcgi-perl (0.77-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru libfcgi-perl-0.77/debian/patches/CVE-2012-6687.patch libfcgi-perl-0.77/debian/patches/CVE-2012-6687.patch
--- libfcgi-perl-0.77/debian/patches/CVE-2012-6687.patch	1970-01-01 01:00:00.000000000 +0100
+++ libfcgi-perl-0.77/debian/patches/CVE-2012-6687.patch	2016-12-27 08:06:30.000000000 +0100
@@ -0,0 +1,85 @@
+Description: fix CVE-2012-6687 in bundled libfcgi
+Origin: https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417
+Bug-Debian: https://bugs.debian.org/815840
+Forwarded: https://rt.cpan.org/Ticket/Display.html?id=118405
+Last-Update: 2016-12-27
+
+--- a/os_unix.c
++++ b/os_unix.c
+@@ -36,6 +36,7 @@
+ #include <sys/time.h>
+ #include <sys/un.h>
+ #include <signal.h>
++#include <poll.h>
+ 
+ #ifdef HAVE_NETDB_H
+ #include <netdb.h>
+@@ -97,6 +98,9 @@
+ static int shutdownPending = FALSE;
+ static int shutdownNow = FALSE;
+ 
++static int libfcgiOsClosePollTimeout = 2000;
++static int libfcgiIsAfUnixKeeperPollTimeout = 2000;
++
+ void OS_ShutdownPending()
+ {
+     shutdownPending = TRUE;
+@@ -162,6 +166,16 @@
+     if(libInitialized)
+         return 0;
+ 
++    char *libfcgiOsClosePollTimeoutStr = getenv( "LIBFCGI_OS_CLOSE_POLL_TIMEOUT" );
++    if(libfcgiOsClosePollTimeoutStr) {
++        libfcgiOsClosePollTimeout = atoi(libfcgiOsClosePollTimeoutStr);
++    }
++
++    char *libfcgiIsAfUnixKeeperPollTimeoutStr = getenv( "LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT" );
++    if(libfcgiIsAfUnixKeeperPollTimeoutStr) {
++        libfcgiIsAfUnixKeeperPollTimeout = atoi(libfcgiIsAfUnixKeeperPollTimeoutStr);
++    }
++
+     asyncIoTable = (AioInfo *)malloc(asyncIoTableSize * sizeof(AioInfo));
+     if(asyncIoTable == NULL) {
+         errno = ENOMEM;
+@@ -751,19 +765,16 @@
+     {
+         if (shutdown(fd, 1) == 0)
+         {
+-            struct timeval tv;
+-            fd_set rfds;
++            struct pollfd pfd;
+             int rv;
+             char trash[1024];
+ 
+-            FD_ZERO(&rfds);
++            pfd.fd = fd;
++            pfd.events = POLLIN;
+ 
+             do 
+             {
+-                FD_SET(fd, &rfds);
+-                tv.tv_sec = 2;
+-                tv.tv_usec = 0;
+-                rv = select(fd + 1, &rfds, NULL, NULL, &tv);
++                rv = poll(&pfd, 1, libfcgiOsClosePollTimeout);
+             }
+             while (rv > 0 && read(fd, trash, sizeof(trash)) > 0);
+         }
+@@ -1113,13 +1124,11 @@
+  */
+ static int is_af_unix_keeper(const int fd)
+ {
+-    struct timeval tval = { READABLE_UNIX_FD_DROP_DEAD_TIMEVAL };
+-    fd_set read_fds;
+-
+-    FD_ZERO(&read_fds);
+-    FD_SET(fd, &read_fds);
++    struct pollfd pfd;
++    pfd.fd = fd;
++    pfd.events = POLLIN;
+ 
+-    return select(fd + 1, &read_fds, NULL, NULL, &tval) >= 0 && FD_ISSET(fd, &read_fds);
++    return poll(&pfd, 1, libfcgiIsAfUnixKeeperPollTimeout) >= 0 && (pfd.revents & POLLIN);
+ }
+ 
+ /*
diff -Nru libfcgi-perl-0.77/debian/patches/series libfcgi-perl-0.77/debian/patches/series
--- libfcgi-perl-0.77/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libfcgi-perl-0.77/debian/patches/series	2016-12-27 08:06:30.000000000 +0100
@@ -0,0 +1 @@
+CVE-2012-6687.patch

--- End Message ---

--- Begin Message ---

Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---

Bug#849438: marked as done (jessie-pu: package libfcgi-perl/0.77-1+deb8u1)

Reply via email to