[perl-FCGI/el6] patch to resolve rhbz#736604 cve-2011-2766

Iain Arnell iarnell at fedoraproject.org
Fri Sep 23 10:14:06 UTC 2011


commit 743d630705eb19d2162bed30a1979234c2976c4a
Author: Iain Arnell <iarnell at gmail.com>
Date:   Fri Sep 23 11:51:42 2011 +0200

    patch to resolve rhbz#736604 cve-2011-2766
    
    (cherry picked from commit ac09f899550979e6e2e27b99e02d592d8563af5b)
    
    Conflicts:
    
    	perl-FCGI.spec

 cve-2011-2766.patch |   32 ++++++++++++++++++++++++++++++++
 perl-FCGI.spec      |    8 ++++++++
 2 files changed, 40 insertions(+), 0 deletions(-)
---
diff --git a/cve-2011-2766.patch b/cve-2011-2766.patch
new file mode 100644
index 0000000..1933dd2
--- /dev/null
+++ b/cve-2011-2766.patch
@@ -0,0 +1,32 @@
+diff -up FCGI-0.71/FCGI.PL.orig FCGI-0.71/FCGI.PL
+--- FCGI-0.71/FCGI.PL.orig	2010-03-30 02:03:16.000000000 +0200
++++ FCGI-0.71/FCGI.PL	2011-09-23 12:02:51.000000000 +0200
+@@ -294,14 +294,14 @@ sub Request(;***$*$) {
+ 
+ sub accept() {
+     warn "accept called as a method; you probably wanted to call Accept" if @_;
+-    if (%FCGI::ENV) {
+-	%ENV = %FCGI::ENV;
++    if (defined $FCGI::ENV) {
++        %ENV = %$FCGI::ENV;
+     } else {
+-	%FCGI::ENV = %ENV;
++        $FCGI::ENV = {%ENV};
+     }
+     my $rc = Accept($global_request);
+-    for (keys %FCGI::ENV) {
+-	$ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++    for (keys %$FCGI::ENV) {
++        $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+     }
+ 
+     # not SFIO
+@@ -313,7 +313,7 @@ sub accept() {
+ 
+ sub finish() {
+     warn "finish called as a method; you probably wanted to call Finish" if @_;
+-    %ENV = %FCGI::ENV if %FCGI::ENV;
++    %ENV = %$FCGI::ENV if (defined $FCGI::ENV);
+ 
+     # not SFIO
+     if (tied (*STDIN)) {
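Review bot: The change from the `%FCGI::ENV` truth test to `defined $FCGI::ENV` in accept() is what the fix hinges on, but the new code has no comment saying so; the same goes for the one-line change in finish(). With the old test an empty saved hash looked the same as "nothing saved yet", so the else branch would snapshot `%ENV` again on a later call. The loop after `Accept($global_request)` then copies saved keys into the next request's environment, which is presumably how values from one request could reach another. I would add above the `if` something like `# $FCGI::ENV is a hashref so an empty saved environment still counts as saved; do not test %hash truth here`, so a later cleanup does not revert it. Both sub bodies continue beyond the inner hunks shown here.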
diff --git a/perl-FCGI.spec b/perl-FCGI.spec
index 5d86948..de55d75 100644
--- a/perl-FCGI.spec
+++ b/perl-FCGI.spec
@@ -8,6 +8,10 @@ Release:        3%{?dist}
 License:        OML
 Group:          Development/Libraries
 Source0:        http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/FCGI-%{version}.tar.gz 
+# resolves rhbz #736604 cve-2011-2766
+# see https://rt.cpan.org/Public/Bug/Display.html?id=68380
+# https://rt.cpan.org/Ticket/Attachment/938983/488105/
+Patch0:         cve-2011-2766.patch
 URL:            http://search.cpan.org/dist/FCGI
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires:       perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
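Review bot: The package release is not bumped. The hunk header context still shows `Release:        3%{?dist}`, no hunk touches that line, and the changelog entry added further down reuses `1:0.71-3`, the same version-release as the entry before it. If 0.71-3 was ever built for this branch, the patched and unpatched packages share one NEVR, so installed systems would not be offered the update and version-based vulnerability checks could not tell the two apart. Suggest `Release:        4%{?dist}` with the new changelog header ending in `1:0.71-4`.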
@@ -25,6 +29,7 @@ Obsoletes:      fcgi-perl =< 2.4.0
 
 %prep
 %setup -q -n FCGI-%{version}
+%patch0 -p 1
 find . -type f -exec chmod -c -x {} +
 
 echo "test.pl" > .proverc
@@ -60,6 +65,9 @@ rm -rf %{buildroot}
 %{_mandir}/man3/*.3*
 
 %changelog
+* Fri Sep 23 2011 Iain Arnell <iarnell at gmail.com> 1:0.71-3
+- patch to resolve rhbz#736604 cve-2011-2766
+
 * Sat May 15 2010 Chris Weyl <cweyl at alumni.drew.edu> 1:0.71-3
 - and fix our tests subpackage included files
 


