[perl-FCGI] patch to resolve rhbz#736604 cve-2011-2766
Iain Arnell
iarnell at fedoraproject.org
Fri Sep 23 09:55:52 UTC 2011
commit ac09f899550979e6e2e27b99e02d592d8563af5b
Author: Iain Arnell <iarnell at gmail.com>
Date: Fri Sep 23 11:51:42 2011 +0200
patch to resolve rhbz#736604 cve-2011-2766
cve-2011-2766.patch | 36 ++++++++++++++++++++++++++++++++++++
perl-FCGI.spec | 10 +++++++++-
2 files changed, 45 insertions(+), 1 deletions(-)
---
diff --git a/cve-2011-2766.patch b/cve-2011-2766.patch
new file mode 100644
index 0000000..7638166
--- /dev/null
+++ b/cve-2011-2766.patch
@@ -0,0 +1,36 @@
+For some reason the global hash was not working as expected. This patch
+replaces it with a global hashref. Tests show behavior as expected:
+
+diff --git a/perl/FCGI.PL b/perl/FCGI.PL
+index 746aaf3..ce0d70b 100644
+--- a/perl/FCGI.PL
++++ b/perl/FCGI.PL
+@@ -295,14 +295,14 @@ sub Request(;***$*$) {
+
+ sub accept() {
+ warn "accept called as a method; you probably wanted to call Accept" if @_;
+- if (%FCGI::ENV) {
+- %ENV = %FCGI::ENV;
++ if (defined $FCGI::ENV) {
++ %ENV = %$FCGI::ENV;
+ } else {
+- %FCGI::ENV = %ENV;
++ $FCGI::ENV = {%ENV};
+ }
+ my $rc = Accept($global_request);
+- for (keys %FCGI::ENV) {
+- $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++ for (keys %$FCGI::ENV) {
++ $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+ }
+
+ # not SFIO
+@@ -314,7 +314,7 @@ sub accept() {
+
+ sub finish() {
+ warn "finish called as a method; you probably wanted to call Finish" if @_;
+- %ENV = %FCGI::ENV if %FCGI::ENV;
++ %ENV = %$FCGI::ENV if (defined $FCGI::ENV);
+
+ # not SFIO
+ if (tied (*STDIN)) {
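Review bot: The patch header at the top of cve-2011-2766.patch ("For some reason the global hash was not working as expected") names neither the root cause nor the security-relevant behaviour being fixed, so a later maintainer cannot tell what must not regress. As I understand CVE-2011-2766, %ENV values set by one request could still be present while a later request was handled through the old accept()/finish() API, which matters to any application that makes authentication decisions from request-derived variables. I would reword the header along the lines of `Fix CVE-2011-2766: %ENV entries from one request could persist into the next under accept()/finish(); keep the pristine environment in the hashref $FCGI::ENV and restore %ENV from it.` Nothing in this commit adds a regression test either: a test that handles two sequential requests with different variables and asserts the second %ENV contains none of the first's keys would pin the fix, since `make test` in the spec is the only check visible here. The bodies of accept() and finish() continue outside the hunks, so the rest of their handling is not reviewed.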
diff --git a/perl-FCGI.spec b/perl-FCGI.spec
index 686d07a..d3e0b07 100644
--- a/perl-FCGI.spec
+++ b/perl-FCGI.spec
@@ -3,11 +3,15 @@ Summary: FastCGI Perl bindings
# needed to properly replace/obsolete fcgi-perl
Epoch: 1
Version: 0.73
-Release: 2%{?dist}
+Release: 3%{?dist}
# same as fcgi
License: OML
Group: Development/Libraries
Source0: http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/FCGI-%{version}.tar.gz
+# resolves rhbz #736604 cve-2011-2766
+# see https://rt.cpan.org/Public/Bug/Display.html?id=68380
+# https://rt.cpan.org/Ticket/Attachment/938983/488105/
+Patch0: cve-2011-2766.patch
URL: http://search.cpan.org/dist/FCGI
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
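Review bot: The comment above `Patch0:` records the bug and the RT attachment the patch came from, but not its upstream status, so a later rebase of `Version:` cannot tell whether the patch is still needed or already included. A line such as `# Upstream status: <not yet released / fixed in FCGI X.YY — placeholder, fill in>` would cover that. Because the file comes from a ticket attachment rather than an upstream commit, it is also worth saying in the comment that the attachment was compared against the discussion in the RT ticket.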
@@ -24,6 +28,7 @@ Obsoletes: fcgi-perl =< 2.4.0
%prep
%setup -q -n FCGI-%{version}
+%patch0 -p 2
find . -type f -exec chmod -c -x {} +
echo "test.pl" > .proverc
@@ -52,6 +57,9 @@ make test
%{_mandir}/man3/*.3*
%changelog
+* Fri Sep 23 2011 Iain Arnell <iarnell at gmail.com> 1:0.73-3
+- patch to resolve rhbz#736604 cve-2011-2766
+
* Fri Jun 17 2011 Marcela Mašláňová <mmaslano at redhat.com> - 1:0.73-2
- Perl mass rebuild