libfcgi-perl: [CVE-2011-2766] After reloading some environment vars become constants, that will be used if not overruled by the headers of new requests.

Debian Bug report logs - #607479
libfcgi-perl: [CVE-2011-2766] After reloading some environment vars become constants, that will be used if not overruled by the headers of new requests.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ferdinand <debbug@smitplaza.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libfcgi-perl: After reloading some environment vars become constants, that will be used if not overruled by the headers of new requests.

Date: Sat, 18 Dec 2010 22:13:40 +0100

Package: libfcgi-perl
Version: 0.71-1
Severity: normal


Hi,

I had some strange problems with cookies, it seems that sometimes username cookies were highjacked, but not always, even by search bots.
I am using the Fast::CGI (libcgi-fast-perl 5.10.1-16) wrapper, but i think the problem lies in the FCGI code. I use apache (apache2 2.2.16-4) as webserver.

This is wat hapens:

I create a simple fpl file to show environment vars, and request that from 2 different locations (one with a proxy).
Every request is handled fine, i do not have any problems with environment vars. But after i change the file,
or simply touch it, the new version is compiled when a new request hapens, but some environment vars seems to get
a default value from the request that triggers the recompile. So if that request has some cookies, all request
without cookies will according to Fast::CGI module have the same cookies as the "recompile request".
I did not check all the env vars, but X_FORWARDED_FOR had the same problem. The problem vanished when i clear the %ENV just before i ask for the CGI object.

Example code (with ENV cleaning):

#! /usr/bin/perl -w

use CGI::Fast qw(:standard :cgi-lib);
use Data::Dumper;
use strict;

while ( my $cgi = getRequest() ) {

    print $cgi->header();

    print "<pre>========= ID:$$ =========\n";
    while (my ($key,$value) = each %ENV) {
       print "$key=$value\n";
    }
    print "========= VARS =========\n";
    print Dumper($cgi->Vars());
    print "========= COOKIE =========\n";
    print Dumper($cgi->cookie());
    print ".</pre>";

    #%ENV = undef;
}

sub getRequest {
    %ENV = () if $main::clearENV; # Clear the ENV
    $main::clearENV = 1;          # Do not clear the ENV the first time otherwise the Fast::CGI "slow mode" will not work anymore
    return new CGI::Fast;
}


I used 2 wget together to examine it:
(posted to the proxy server to disable caching)

$ http_proxy=http://proxy:8080 watch -d 'wget -qO - --post-data='xxx' --header "Cookie: usernaam=test" http://www.myserver.nl/env.fcgi'
$ watch -d 'wget -qO - http://www.myserver.nl/env.fcgi'

After a apache restart, both requests will output only there own env vars, but after a touch of the scriptfile,
you get a 50% chance both request will show the same cookie, postdata and x_forwarded_for headers. A restart fixes that allways.

I tried to look at the FCGI library, found out that they do some stuff with the %ENV, but could not figure out what exectly 
caused the problem.

Regards,
Ferdinand

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libfcgi-perl depends on:
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.10.1]    5.10.1-16  minimal Perl system

libfcgi-perl recommends no packages.

libfcgi-perl suggests no packages.

-- no debconf information

Message #10 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: Debian Bug Tracking System <607479@bugs.debian.org>

Subject: libfcgi-perl: Serious FCGI information leak

Date: Wed, 07 Sep 2011 20:24:00 -0700

Package: libfcgi-perl
Version: 0.73-1
Followup-For: Bug #607479

This bug just caused a serious security incident for us, and I was able
to work through the cause and the reason why not everyone sees it.  The
problem was introduced in 0.70 and is still present in 0.73.

The following change was added in 0.70:

 sub accept() {
     warn "accept called as a method; you probably wanted to call Accept" if @_;
-    if (defined %FCGI::ENV) {
-       %ENV = %FCGI::ENV;
+    if (%FCGI::ENV) {
+        %ENV = %FCGI::ENV;
     } else {
-       %FCGI::ENV = %ENV;
+        %FCGI::ENV = %ENV;
     }
                
The goal of this code is to save the original environment the first time
into accept() and then restore the environment to the original environment
each time before calling accept() again.  It uses %FCGI::ENV to hold a
copy of the original environment.

The problem is the change to remove defined().  defined() on a hash
returned true if the hash had ever been set, so it could be used as a
sentinel to figure out whether the environment had already been saved.
However, this is deprecated in Perl, so the module was patched to just
check the truth value of the hash.

The problem is that the truth value of the hash is false if the hash has
never been set *or* if the hash has no members, which is not the same
as defined, which was returning true if the assignment from %ENV had
happened, even if it was empty.  So if the environment was completely
empty when accept() was first called, which is the case by default for
an Apache-spawned FCGI process (at least with mod_fastcgi), then the
environment in place the *second* time accept() is called will be saved as
the default environment.  This is the environment produced by the first
request to the server.

Then, later, accept() does:

     for (keys %FCGI::ENV) {
        $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
     }
          
so any keys in the environment that are not set in the new incoming
request will be copied over into the new request environment.

The practical effect of this is that any environment variable set in the
first pass through the code by the first processed request that isn't set
in some subsequent request will be added to that subsequent request.
Most notably, this includes the HTTP_COOKIE variable.  This can (and did
for us) constitute a serious security breach, since the HTTP_COOKIE header
may be carrying authentication credentials and the absence of that header
may indicate an unauthenticated access.  The practical effect is that
any unauthenticated user would receive the authentication credentials of
the first user processed after spawning the script.

Thankfully, there is a trivial workaround: set any environment variable
before the first call to accept(), and you will not see this bug.  So
any method of spawning FastCGI processes that doesn't clear the environment
will also not manifest this bug.

I can probably provide a patch in a day or two, but the fix is fairly
obvious: the code needs to stop using the truth value of %FCGI::ENV as
a proxy for whether this is the first or subsequent pass through
accept and instead set a separate scalar variable to true once the
initial environment has been saved into %FCGI::ENV.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.39-2-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libfcgi-perl depends on:
ii  libc6                         2.13-16    Embedded GNU C Library: Shared lib
ii  perl                          5.12.4-4   Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.12.3]    5.12.4-4   minimal Perl system

libfcgi-perl recommends no packages.

libfcgi-perl suggests no packages.

-- no debconf information

Message #19 received at 607479@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: "Russ Allbery" <rra@debian.org>

Cc: team@security.debian.org, 607479@bugs.debian.org

Subject: Re: tagging 607479, severity of 607479 is grave

Date: Thu, 8 Sep 2011 14:05:54 +0200

> This bug just caused a serious security incident for us, and I was able
> to work through the cause and the reason why not everyone sees it.  The
> problem was introduced in 0.70 and is still present in 0.73.

>The following change was added in 0.70:

> sub accept() {
>     warn "accept called as a method; you probably wanted to call Accept"
if @_;
> -    if (defined %FCGI::ENV) {
> -       %ENV = %FCGI::ENV;
> +    if (%FCGI::ENV) {
> +        %ENV = %FCGI::ENV;
>      } else {
> -        %FCGI::ENV = %ENV;
> +        %FCGI::ENV = %ENV;
>     }

Please use CVE-2011-2766 to refer to this issue.


Thanks,
Thijs

Message #26 received at 607479@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org

To: 607479@bugs.debian.org, 607479-submitter@bugs.debian.org

Subject: Pending fixes for bugs in the libfcgi-perl package

Date: Sat, 17 Sep 2011 19:01:23 +0000

tag 607479 + pending
thanks

Some bugs in the libfcgi-perl package are closed in revision
491e5d141a11c750d1213a947a8c2ecf424145ee in branch 'master' by Damyan
Ivanov

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=commitdiff;h=491e5d1

Commit message:

    Add patch from upstream bug tracker fixing CVE-2011-2766
    
    Closes: #607479
    Thaks to Ferdinand for reporting, Russ Allbery for the analysis and chansen for
    the patch.

Message #36 received at 607479-close@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dmn@debian.org>

To: 607479-close@bugs.debian.org

Subject: Bug#607479: fixed in libfcgi-perl 0.73-2

Date: Sat, 17 Sep 2011 19:19:10 +0000

Source: libfcgi-perl
Source-Version: 0.73-2

We believe that the bug you reported is fixed in the latest version of
libfcgi-perl, which is due to be installed in the Debian FTP archive:

libfcgi-perl_0.73-2.debian.tar.gz
  to main/libf/libfcgi-perl/libfcgi-perl_0.73-2.debian.tar.gz
libfcgi-perl_0.73-2.dsc
  to main/libf/libfcgi-perl/libfcgi-perl_0.73-2.dsc
libfcgi-perl_0.73-2_amd64.deb
  to main/libf/libfcgi-perl/libfcgi-perl_0.73-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607479@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated libfcgi-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 17 Sep 2011 22:09:53 +0300
Source: libfcgi-perl
Binary: libfcgi-perl
Architecture: source amd64
Version: 0.73-2
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Description: 
 libfcgi-perl - helper module for FastCGI
Closes: 607479
Changes: 
 libfcgi-perl (0.73-2) unstable; urgency=high
 .
   * Team upload
    + High urgency for fixing a security bug
 .
   [ Ansgar Burchardt ]
   * debian/control: Convert Vcs-* fields to Git.
 .
   [ Salvatore Bonaccorso ]
   * debian/copyright: Replace DEP5 Format-Specification URL from
     svn.debian.org to anonscm.debian.org URL.
 .
   [ Damyan Ivanov ]
   * Add patch from upstream bug tracker fixing CVE-2011-2766
     Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the
     analysis and chansen for the patch.
Checksums-Sha1: 
 95339ec9d86d68352f76810ee6fe85ccfbefd23d 2035 libfcgi-perl_0.73-2.dsc
 6750e0b7c2c374fa5dae56449206e41640ea15f2 5355 libfcgi-perl_0.73-2.debian.tar.gz
 05b5ddb5f142c269f72241f8b77f399aa42f3688 45584 libfcgi-perl_0.73-2_amd64.deb
Checksums-Sha256: 
 ae3e1a41863d3cd273515227ea4d552e9d384586b42af4e9fb60570f60971572 2035 libfcgi-perl_0.73-2.dsc
 c2227ad05e59c03db04943e7164680f975e900f0a93aaa8c393ee1fd2f0211f6 5355 libfcgi-perl_0.73-2.debian.tar.gz
 085055adb606ddbc8a6129cb9da229194dab0dae04d9f2412a6f354a8265e1e0 45584 libfcgi-perl_0.73-2_amd64.deb
Files: 
 4dc35b7f035a3f0929b464305ba83d1d 2035 perl optional libfcgi-perl_0.73-2.dsc
 35cb368a4da78e4f3f76a145b4fc551d 5355 perl optional libfcgi-perl_0.73-2.debian.tar.gz
 6a64fa3351c25d7c42f24747dd0b8a40 45584 perl optional libfcgi-perl_0.73-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJOdPDzAAoJENu+nU2Z0qAE0usP/2Ui6Ju/NT7gYNgKVdRiJxuq
YBN7lz4y81x1e3FwCCHK8mHun+xMEPreHNBvHrCeRvbnhyyobtOzYoF+tPCk2X+o
CXudy16F0TEKizzWxr01nNZyxk7AhESx676w86EXkJdzTkKck8zOSljqitF603MB
h7hJBtzOL208QIx2sylAI6xJKkR7H7IBGQiTjfalq+ympJguxTKOGPuXkmFtKX5G
Y3+P6MMXVelsrufI37S9ux40axyyu2LNRhSxDeknR6opF5lR2bqu2gdjOJzzf6DD
P6VsY8sZgTXh4MN3PcFaWd+hDvK2BXk8Yuhk6pk9BMv9iADL8XfmattJAJHovwqg
prl+raNTvarOw7jJSfNI7J3HjgVsdWQYvBHG1Q51brxxnrvAYz1s3zUtcP3e1Oae
vn70k+PA6ieJQx84In+mHZLe7pqXyJxVm2Qumna8WlgZbeiRw1EMwl+lzqzGW6gY
IoGHKL9ZbO64FE09SWcekYUJGRRhYmiMUnWmIf94Ihfa2b95eo90noJg4783s8vN
e2y8qW6GkRZngskbscCIb6XVdyiHYHZqG3+P4zMp6qcKT/BoU/u5L1PHVGlm8Ccc
9OTmIXS3xPKrEpuQK/b976MSxiFVNkzuDHSzMdQCaVD+8mVvwY9aeWjPOkO4FKtq
n3zIDxZM5CpQzVZyegww
=+365
-----END PGP SIGNATURE-----

Message #41 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 607479@bugs.debian.org, team@security.debian.org

Cc: control@bugs.debian.org

Subject: Bug#607479/CVE-2011-2766 authentication bypass

Date: Fri, 30 Sep 2011 18:26:41 +0100

reopen 607479
thanks

On Sat, Sep 17, 2011 at 07:01:23PM +0000, pkg-perl-maintainers@lists.alioth.debian.org wrote:
> Some bugs in the libfcgi-perl package are closed in revision
> 491e5d141a11c750d1213a947a8c2ecf424145ee in branch 'master' by Damyan
> Ivanov
> 
> The full diff can be seen at
> http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=commitdiff;h=491e5d1
> 
> Commit message:
> 
>     Add patch from upstream bug tracker fixing CVE-2011-2766
>     
>     Closes: #607479
>     Thaks to Ferdinand for reporting, Russ Allbery for the analysis and chansen for
>     the patch.

Damyan, thanks for fixing this in unstable. I'm reopening the bug,
because I believe this fix applies to squeeze, and should be fixed there.

Has anyone yet contacted the security team about this/is anyone working
on packages for squeeze?

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #48 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dmn@debian.org>

To: Dominic Hargreaves <dom@earth.li>, 607479@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Sat, 1 Oct 2011 08:12:18 +0300

[Message part 1 (text/plain, inline)]

-=| Dominic Hargreaves, 30.09.2011 18:26:41 +0100 |=-
> I'm reopening the bug, because I believe this fix applies to 
> squeeze, and should be fixed there.

Agreed.

> Has anyone yet contacted the security team about this/is anyone 
> working on packages for squeeze?

I don't think so.

Porting the patch (for some reason it doesn't apply cleanly) is 
trivial. Attached is a patch that does exactly that (to be git 
apply'ed to the debian/0.71-1 tag, which is the squeeze version).


HTH,
    dam

[0001-Add-patch-from-upstream-bug-tracker-fixing-CVE-2011-.patch (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #53 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Damyan Ivanov <dmn@debian.org>, Dominic Hargreaves <dom@earth.li>, 607479@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Sat, 1 Oct 2011 12:44:33 +0200

On Sat, Oct 01, 2011 at 08:12:18AM +0300, Damyan Ivanov wrote:
> -=| Dominic Hargreaves, 30.09.2011 18:26:41 +0100 |=-
> > I'm reopening the bug, because I believe this fix applies to 
> > squeeze, and should be fixed there.
> 
> Agreed.
> 
> > Has anyone yet contacted the security team about this/is anyone 
> > working on packages for squeeze?
> 
> I don't think so.
> 
> Porting the patch (for some reason it doesn't apply cleanly) is 
> trivial. Attached is a patch that does exactly that (to be git 
> apply'ed to the debian/0.71-1 tag, which is the squeeze version).

Did update this receive testing?

distribution needs to point to stable-security, not unstable. And
while you're at it, please modify 0.71-1+squeeze.1 to 0.71-1+squeeze1
for consistency.

Cheers,
        Moritz

Message #60 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: Damyan Ivanov <dmn@debian.org>, 607479@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Wed, 5 Oct 2011 19:02:47 +0100

On Sat, Oct 01, 2011 at 08:12:18AM +0300, Damyan Ivanov wrote:
> -=| Dominic Hargreaves, 30.09.2011 18:26:41 +0100 |=-
> > I'm reopening the bug, because I believe this fix applies to 
> > squeeze, and should be fixed there.
> 
> Agreed.
> 
> > Has anyone yet contacted the security team about this/is anyone 
> > working on packages for squeeze?
> 
> I don't think so.
> 
> Porting the patch (for some reason it doesn't apply cleanly) is 
> trivial. Attached is a patch that does exactly that (to be git 
> apply'ed to the debian/0.71-1 tag, which is the squeeze version).

As now publicly announced, this affects Request Tracker on squeeze:

<http://lists.bestpractical.com/pipermail/rt-announce/2011-October/000196.html>.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #65 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: Moritz Mühlenhoff <jmm@inutil.org>

Cc: Damyan Ivanov <dmn@debian.org>, 607479@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Wed, 5 Oct 2011 19:14:33 +0100

On Sat, Oct 01, 2011 at 12:44:33PM +0200, Moritz Mühlenhoff wrote:
> On Sat, Oct 01, 2011 at 08:12:18AM +0300, Damyan Ivanov wrote:

> > Porting the patch (for some reason it doesn't apply cleanly) is 
> > trivial. Attached is a patch that does exactly that (to be git 
> > apply'ed to the debian/0.71-1 tag, which is the squeeze version).
> 
> Did update this receive testing?

I've just tested RT 3.8 + squeeze + mod_fcgid, and I can't spot any
breakage.
 
> distribution needs to point to stable-security, not unstable. And
> while you're at it, please modify 0.71-1+squeeze.1 to 0.71-1+squeeze1
> for consistency.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #70 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: Moritz Mühlenhoff <jmm@inutil.org>, 607479@bugs.debian.org

Cc: Damyan Ivanov <dmn@debian.org>, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Tue, 11 Oct 2011 14:33:42 +0100

On Sat, Oct 01, 2011 at 12:44:33PM +0200, Moritz Mühlenhoff wrote:
> On Sat, Oct 01, 2011 at 08:12:18AM +0300, Damyan Ivanov wrote:
> > -=| Dominic Hargreaves, 30.09.2011 18:26:41 +0100 |=-
> > > I'm reopening the bug, because I believe this fix applies to 
> > > squeeze, and should be fixed there.
> > 
> > Agreed.
> > 
> > > Has anyone yet contacted the security team about this/is anyone 
> > > working on packages for squeeze?
> > 
> > I don't think so.
> > 
> > Porting the patch (for some reason it doesn't apply cleanly) is 
> > trivial. Attached is a patch that does exactly that (to be git 
> > apply'ed to the debian/0.71-1 tag, which is the squeeze version).
> 
> Did update this receive testing?
> 
> distribution needs to point to stable-security, not unstable. And
> while you're at it, please modify 0.71-1+squeeze.1 to 0.71-1+squeeze1
> for consistency.

Hello Damyan, are you planning to do this or do you need someone else
to take over? IMO this one warrants a DSA.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #73 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dmn@debian.org>

To: Dominic Hargreaves <dom@earth.li>

Cc: Moritz Mühlenhoff <jmm@inutil.org>, 607479@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Wed, 12 Oct 2011 12:03:50 +0300

[Message part 1 (text/plain, inline)]

-=| Dominic Hargreaves, 11.10.2011 14:33:42 +0100 |=-
> On Sat, Oct 01, 2011 at 12:44:33PM +0200, Moritz Mühlenhoff wrote:
> > Did update this receive testing?

The changes look sane "in theory". They address all mentions of 
FCGI::ENV in the source.

The RT testing by Dominic seems sufficient additional assurance to me.

> > distribution needs to point to stable-security, not unstable. And
> > while you're at it, please modify 0.71-1+squeeze.1 to 0.71-1+squeeze1
> > for consistency.

Right. Thanks!

> Hello Damyan, are you planning to do this or do you need someone 
> else to take over? IMO this one warrants a DSA.

Thanks for the nudge. I have pushed the squeeze branch of 
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=summary
with the changes so others can take over for the actual uploading if I am away.

The squeeze version still has Vcs-Svn in its control file. Would it be 
acceptable to change that too?

Current changelog:

libfcgi-perl (0.71-1+squeezei1) stable-security; urgency=high

  * Add patch from upstream bug tracker fixing CVE-2011-2766
    Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the
    analysis and chansen for the patch.

 -- Damyan Ivanov <dmn@debian.org>  Wed, 12 Oct 2011 11:50:21 +0300

[signature.asc (application/pgp-signature, inline)]

Message #78 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: rra@debian.org

Cc: Damyan Ivanov <dmn@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, 607479@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Wed, 12 Oct 2011 10:30:51 +0100

On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:
> -=| Dominic Hargreaves, 11.10.2011 14:33:42 +0100 |=-
> > On Sat, Oct 01, 2011 at 12:44:33PM +0200, Moritz Mühlenhoff wrote:
> > > Did update this receive testing?
> 
> The changes look sane "in theory". They address all mentions of 
> FCGI::ENV in the source.
> 
> The RT testing by Dominic seems sufficient additional assurance to me.

Russ, I guess you've been involved in fixing this locally; are you able
to make any comments on the soundness of the patch at

<http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=blob;f=debian/patches/cve-2011-2766.patch;h=62ca4ac0aff279faba37ce2168fccd248e5c45a6;hb=48b6294e73f73323310250fde667b2a2b7032df2> ?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Message #83 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Russ Allbery <rra@debian.org>

To: Dominic Hargreaves <dom@earth.li>

Cc: Damyan Ivanov <dmn@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, 607479@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Wed, 12 Oct 2011 13:13:17 -0700

Dominic Hargreaves <dom@earth.li> writes:
> On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:

>> The changes look sane "in theory". They address all mentions of 
>> FCGI::ENV in the source.

>> The RT testing by Dominic seems sufficient additional assurance to me.

> Russ, I guess you've been involved in fixing this locally; are you able
> to make any comments on the soundness of the patch at

> <http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=blob;f=debian/patches/cve-2011-2766.patch;h=62ca4ac0aff279faba37ce2168fccd248e5c45a6;hb=48b6294e73f73323310250fde667b2a2b7032df2> ?

Yeah, that should be fine.  Personally, I would have just added a second
variable that's set to true if the environment was stored, since I think
it's easier to read and more comprehensible, but this is equivalent.

I haven't actually tested it since we worked around the problem in our
application instead (by ensuring that some environment variable was always
set), but I'm pretty sure that will work.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Message #88 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Damyan Ivanov <dmn@debian.org>

Cc: Dominic Hargreaves <dom@earth.li>, 607479@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Fri, 14 Oct 2011 17:54:44 +0200

On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:

> > Hello Damyan, are you planning to do this or do you need someone 
> > else to take over? IMO this one warrants a DSA.
> 
> Thanks for the nudge. I have pushed the squeeze branch of 
> http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=summary
> with the changes so others can take over for the actual uploading if I am away.
> 
> The squeeze version still has Vcs-Svn in its control file. Would it be 
> acceptable to change that too?

Yes. Please upload to security-master. Note that it needs to be build
with "-sa", since libfcgi-perl is new in stable-security.

Cheers,
        Moritz

Message #93 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: Damyan Ivanov <dmn@debian.org>, Dominic Hargreaves <dom@earth.li>, 607479@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Thu, 20 Oct 2011 22:22:41 +0200

On Fri, Oct 14, 2011 at 05:54:44PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:
> 
> > > Hello Damyan, are you planning to do this or do you need someone 
> > > else to take over? IMO this one warrants a DSA.
> > 
> > Thanks for the nudge. I have pushed the squeeze branch of 
> > http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=summary
> > with the changes so others can take over for the actual uploading if I am away.
> > 
> > The squeeze version still has Vcs-Svn in its control file. Would it be 
> > acceptable to change that too?
> 
> Yes. Please upload to security-master. Note that it needs to be build
> with "-sa", since libfcgi-perl is new in stable-security.

*ping*

Cheers,
        Moritz
 

Message #96 received at 607479@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dmn@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: 607479@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#607479: libfcgi-perl/CVE-2011-2766 authentication bypass

Date: Mon, 24 Oct 2011 13:23:59 +0300

[Message part 1 (text/plain, inline)]

-=| Moritz Muehlenhoff, 14.10.2011 17:54:44 +0200 |=-
> On Wed, Oct 12, 2011 at 12:03:50PM +0300, Damyan Ivanov wrote:
> 
> > > Hello Damyan, are you planning to do this or do you need someone 
> > > else to take over? IMO this one warrants a DSA.
> > 
> > Thanks for the nudge. I have pushed the squeeze branch of 
> > http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git;a=summary
> > with the changes so others can take over for the actual uploading if I am away.
> > 
> > The squeeze version still has Vcs-Svn in its control file. Would it be 
> > acceptable to change that too?
> 
> Yes. Please upload to security-master. Note that it needs to be build
> with "-sa", since libfcgi-perl is new in stable-security.

Done. Sorry about the delay. Interdiff and debdiff follow:

========== interdiff ============
diff -Nru libfcgi-perl-0.71/debian/changelog libfcgi-perl-0.71/debian/changelog
--- libfcgi-perl-0.71/debian/changelog	2010-04-01 20:30:50.000000000 +0300
+++ libfcgi-perl-0.71/debian/changelog	2011-10-24 13:06:30.000000000 +0300
@@ -1,3 +1,14 @@
+libfcgi-perl (0.71-1+squeeze1) stable-security; urgency=high
+
+  * Team upload
+
+  * Add patch from upstream bug tracker fixing CVE-2011-2766
+    Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the
+    analysis and chansen for the patch.
+  * control: update Vcs-* fields to point to Git
+
+ -- Damyan Ivanov <dmn@debian.org>  Mon, 24 Oct 2011 13:06:17 +0300
+
 libfcgi-perl (0.71-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru libfcgi-perl-0.71/debian/control libfcgi-perl-0.71/debian/control
--- libfcgi-perl-0.71/debian/control	2010-04-01 20:30:50.000000000 +0300
+++ libfcgi-perl-0.71/debian/control	2011-10-24 12:59:14.000000000 +0300
@@ -8,8 +8,8 @@
  Krzysztof Krzyżaniak (eloy) <eloy@debian.org>
 Standards-Version: 3.8.4
 Homepage: http://search.cpan.org/dist/FCGI/
-Vcs-Svn: svn://svn.debian.org/pkg-perl/trunk/libfcgi-perl/
-Vcs-Browser: http://svn.debian.org/viewsvn/pkg-perl/trunk/libfcgi-perl/
+Vcs-Git: git://git.debian.org/pkg-perl/packages/libfcgi-perl.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libfcgi-perl.git
 
 Package: libfcgi-perl
 Architecture: any
diff -Nru libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch
--- libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch	1970-01-01 02:00:00.000000000 +0200
+++ libfcgi-perl-0.71/debian/patches/cve-2011-2766.patch	2011-10-24 13:02:33.000000000 +0300
@@ -0,0 +1,42 @@
+Description: replace testing of hash value with hash reference
+ %hash is false if the hash hasn't been assigned to, *or* if the hash is simply
+ empty. This causes the environment from the *second* request (that is, the
+ environment produced by the first request) to be saved as default if the first
+ request had empty environment. This way, request after the first can get
+ access to credentials set up by the first request. badbadbad
+ This is CVE-2011-2766.
+Author: chansen@cpan.org
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=68380
+Bug-Debian: http://bugs.debian.org/607479
+
+--- a/FCGI.PL
++++ b/FCGI.PL
+@@ -294,14 +294,14 @@ sub Request(;***$*$) {
+ 
+ sub accept() {
+     warn "accept called as a method; you probably wanted to call Accept" if @_;
+-    if (%FCGI::ENV) {
+-	%ENV = %FCGI::ENV;
++    if ( defined($FCGI::ENV) ) {
++	%ENV = %$FCGI::ENV;
+     } else {
+-	%FCGI::ENV = %ENV;
++	$FCGI::ENV = {%ENV};
+     }
+     my $rc = Accept($global_request);
+-    for (keys %FCGI::ENV) {
+-	$ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++    for (keys %$FCGI::ENV) {
++	$ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+     }
+ 
+     # not SFIO
+@@ -313,7 +313,7 @@ sub accept() {
+ 
+ sub finish() {
+     warn "finish called as a method; you probably wanted to call Finish" if @_;
+-    %ENV = %FCGI::ENV if %FCGI::ENV;
++    %ENV = %$FCGI::ENV if defined($FCGI::ENV);
+ 
+     # not SFIO
+     if (tied (*STDIN)) {
diff -Nru libfcgi-perl-0.71/debian/patches/series libfcgi-perl-0.71/debian/patches/series
--- libfcgi-perl-0.71/debian/patches/series	2010-01-15 23:05:14.000000000 +0200
+++ libfcgi-perl-0.71/debian/patches/series	2011-10-12 11:49:36.000000000 +0300
@@ -1 +1,2 @@
 fix-pod-spelling.patch
+cve-2011-2766.patch


========== debdiff =========
$ debdiff libfcgi-perl_0.71-1_amd64.deb libfcgi-perl_0.71-1+squeeze1_amd64.deb     
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: perl (>= [-5.10.1-11),-] {+5.10.1-17squeeze2),+} perlapi-5.10.1, libc6 (>= 2.4)
Version: [-0.71-1-] {+0.71-1+squeeze1+}

[signature.asc (application/pgp-signature, inline)]

Message #101 received at 607479-close@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dmn@debian.org>

To: 607479-close@bugs.debian.org

Subject: Bug#607479: fixed in libfcgi-perl 0.71-1+squeeze1

Date: Tue, 25 Oct 2011 13:55:07 +0000

Source: libfcgi-perl
Source-Version: 0.71-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libfcgi-perl, which is due to be installed in the Debian FTP archive:

libfcgi-perl_0.71-1+squeeze1.debian.tar.gz
  to main/libf/libfcgi-perl/libfcgi-perl_0.71-1+squeeze1.debian.tar.gz
libfcgi-perl_0.71-1+squeeze1.dsc
  to main/libf/libfcgi-perl/libfcgi-perl_0.71-1+squeeze1.dsc
libfcgi-perl_0.71-1+squeeze1_amd64.deb
  to main/libf/libfcgi-perl/libfcgi-perl_0.71-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607479@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <dmn@debian.org> (supplier of updated libfcgi-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 24 Oct 2011 13:06:17 +0300
Source: libfcgi-perl
Binary: libfcgi-perl
Architecture: source amd64
Version: 0.71-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <dmn@debian.org>
Description: 
 libfcgi-perl - helper module for FastCGI
Closes: 607479
Changes: 
 libfcgi-perl (0.71-1+squeeze1) stable-security; urgency=high
 .
   * Team upload
 .
   * Add patch from upstream bug tracker fixing CVE-2011-2766
     Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the
     analysis and chansen for the patch.
   * control: update Vcs-* fields to point to Git
Checksums-Sha1: 
 5ee03927c922c89960e56447bfc6d86d1ba338e2 2033 libfcgi-perl_0.71-1+squeeze1.dsc
 bac067b4a5e7880f4bb336d8a647a6cafd26c2ba 93995 libfcgi-perl_0.71.orig.tar.gz
 3a6210345d361805003b63fd4bf544dae8471c8a 5243 libfcgi-perl_0.71-1+squeeze1.debian.tar.gz
 101318fe03e9d6e918dc465126cceed255d25a9d 42324 libfcgi-perl_0.71-1+squeeze1_amd64.deb
Checksums-Sha256: 
 a985b58f4ea7c0cf4c06676a80a625b9078e3e4568e93c2a1a67a3756b8e6236 2033 libfcgi-perl_0.71-1+squeeze1.dsc
 9b5b8c1ab62da938c82405cddd0ee4173b257597bf9d567fb81c0dfcc060c64e 93995 libfcgi-perl_0.71.orig.tar.gz
 0ff2f13d4ae9a3094508b3bd8c5185c8676aa2d3c0756b1575ac566fd9ecac39 5243 libfcgi-perl_0.71-1+squeeze1.debian.tar.gz
 45b98eec0ae50bde0b46478f57fcd7cfccc4d79df8c864b1308cfefb0225cd7b 42324 libfcgi-perl_0.71-1+squeeze1_amd64.deb
Files: 
 2918bbe9ca20208f719a2eeaf6e29172 2033 perl optional libfcgi-perl_0.71-1+squeeze1.dsc
 26bc4ea53ccc9c9c16695e88e46a1cfb 93995 perl optional libfcgi-perl_0.71.orig.tar.gz
 39b0f3a6e5173b7afa337b9a5beec27e 5243 perl optional libfcgi-perl_0.71-1+squeeze1.debian.tar.gz
 ff0171df5e84fd2b9a802aa6dca7dea9 42324 perl optional libfcgi-perl_0.71-1+squeeze1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJOpTuBAAoJENu+nU2Z0qAESiAP/j0t7R7CYD4u69mwesJ6JnHD
8xYDEFB+D6IOwkPRbMw/9mfVX3Y/AGAowyCa9T0Pfrau/KEkAtpe1jCp7huqj+vF
oYgCDwaXiiQHkNt4XS1skz6UNEGX/apNoP+KbvZzJF6zILS26AVnSeIaVZUwwFHI
x5y1bnUjhX3tcKQNYZC79uKoACjY1ittVLOS8xao/Pea5PVVX+MYltfUJivx3ijn
18/2dnSlA89BGc6FFpR+AwyRTe9LXcW6lgn66YbjVKWKaSvTwXqPROMr1qBGJTe3
HpfB/p6lcUgfGLFfi0s2wm3vi119n7awiHZOnC/U2iDnPHH29QDIkv4IMf6unUbO
UbiTBRZIiMXz89V+VRaYlq+hLq9RAs4PyDRMV89GJeJqiRjOlmfpvwH/owZWswaV
KG+//dIBE7C1mFhTv+iuJV2AWNtx+yWSeCVP9GUcgD1Iq0dGdvzNM49mNB9pMZ8H
uCIZDxHru03C8DGsXmzortvp+nwUn9rHAzmqPw1j9CsS8rMP0od4kUSsRxYH3Fym
bLOLrMEBIiwm/b4jM/6z7vcB8LxAKrFXc5GtxsfTXL6yMvEh4GLzoMcQqyr1K0tv
OIYMKCEESoq3MXtRPm4p1rDin/Q45P2SKKRHXqMlGPn9fot2Po8TXplnEAbv1u5p
CKT/jV/kbg4jFumLACNY
=WRVC
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.