[perl-FCGI] patch to resolve rhbz#736604 cve-2011-2766

[Iain Arnell]

commit ac09f899550979e6e2e27b99e02d592d8563af5b
Author: Iain Arnell <iarnell at gmail.com>
Date:   Fri Sep 23 11:51:42 2011 +0200

    patch to resolve rhbz#736604 cve-2011-2766

 cve-2011-2766.patch |   36 ++++++++++++++++++++++++++++++++++++
 perl-FCGI.spec      |   10 +++++++++-
 2 files changed, 45 insertions(+), 1 deletions(-)
---
diff --git a/cve-2011-2766.patch b/cve-2011-2766.patch
new file mode 100644
index 0000000..7638166
--- /dev/null
+++ b/cve-2011-2766.patch
@@ -0,0 +1,36 @@
+For some reason the global hash was not working as expected. This patch
+replaces it with a global hashref. Tests show behavior as expected:
+
+diff --git a/perl/FCGI.PL b/perl/FCGI.PL
+index 746aaf3..ce0d70b 100644
+--- a/perl/FCGI.PL
++++ b/perl/FCGI.PL
+@@ -295,14 +295,14 @@ sub Request(;***$*$) {
+ 
+ sub accept() {
+     warn "accept called as a method; you probably wanted to call Accept" if @_;
+-    if (%FCGI::ENV) {
+-        %ENV = %FCGI::ENV;
++    if (defined $FCGI::ENV) {
++        %ENV = %$FCGI::ENV;
+     } else {
+-        %FCGI::ENV = %ENV;
++        $FCGI::ENV = {%ENV};
+     }
+     my $rc = Accept($global_request);
+-    for (keys %FCGI::ENV) {
+-        $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++    for (keys %$FCGI::ENV) {
++        $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+     }
+ 
+     # not SFIO
+@@ -314,7 +314,7 @@ sub accept() {
+ 
+ sub finish() {
+     warn "finish called as a method; you probably wanted to call Finish" if @_;
+-    %ENV = %FCGI::ENV if %FCGI::ENV;
++    %ENV = %$FCGI::ENV if (defined $FCGI::ENV);
+ 
+     # not SFIO
+     if (tied (*STDIN)) {
diff --git a/perl-FCGI.spec b/perl-FCGI.spec
index 686d07a..d3e0b07 100644
--- a/perl-FCGI.spec
+++ b/perl-FCGI.spec
@@ -3,11 +3,15 @@ Summary:        FastCGI Perl bindings
 # needed to properly replace/obsolete fcgi-perl
 Epoch:          1
 Version:        0.73
-Release:        2%{?dist}
+Release:        3%{?dist}
 # same as fcgi
 License:        OML
 Group:          Development/Libraries
 Source0:        http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/FCGI-%{version}.tar.gz 
+# resolves rhbz #736604 cve-2011-2766
+# see https://rt.cpan.org/Public/Bug/Display.html?id=68380
+# https://rt.cpan.org/Ticket/Attachment/938983/488105/
+Patch0:         cve-2011-2766.patch
 URL:            http://search.cpan.org/dist/FCGI
 Requires:       perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 
@@ -24,6 +28,7 @@ Obsoletes:      fcgi-perl =< 2.4.0
 
 %prep
 %setup -q -n FCGI-%{version}
+%patch0 -p 2
 find . -type f -exec chmod -c -x {} +
 
 echo "test.pl" > .proverc
@@ -52,6 +57,9 @@ make test
 %{_mandir}/man3/*.3*
 
 %changelog
+* Fri Sep 23 2011 Iain Arnell <iarnell at gmail.com> 1:0.73-3
+- patch to resolve rhbz#736604 cve-2011-2766
+
 * Fri Jun 17 2011 Marcela Mašláňová <mmaslano at redhat.com> - 1:0.73-2
 - Perl mass rebuild