Your message dated Tue, 25 Oct 2011 13:55:07 +0000
with message-id <e1riht9-0007to...@franck.debian.org>
and subject line Bug#607479: fixed in libfcgi-perl 0.71-1+squeeze1
has caused the Debian Bug report #607479,
regarding libfcgi-perl: [CVE-2011-2766] After reloading some environment vars 
become constants, that will be used if not overruled by the headers of new 
requests.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
607479: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607479
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libfcgi-perl
Version: 0.71-1
Severity: normal


Hi,

I had some strange problems with cookies, it seems that sometimes username 
cookies were hijacked, but not always, even by search bots.
I am using the Fast::CGI (libcgi-fast-perl 5.10.1-16) wrapper, but I think the 
problem lies in the FCGI code. I use Apache (apache2 2.2.16-4) as webserver.

This is what happens:

I create a simple fpl file to show environment vars, and request that from 2 
different locations (one with a proxy).
Every request is handled fine, I do not have any problems with environment 
vars. But after I change the file,
or simply touch it, the new version is compiled when a new request happens, but 
some environment vars seem to get
a default value from the request that triggers the recompile. So if that 
request has some cookies, all requests
without cookies will according to Fast::CGI module have the same cookies as the 
"recompile request".
I did not check all the env vars, but X_FORWARDED_FOR had the same problem. The 
problem vanished when I clear the %ENV just before I ask for the CGI object.

Example code (with ENV cleaning):

#! /usr/bin/perl -w

use CGI::Fast qw(:standard :cgi-lib);
use Data::Dumper;
use strict;

while ( my $cgi = getRequest() ) {

    print $cgi->header();

    print "<pre>========= ID:$$ =========\n";
    while (my ($key,$value) = each %ENV) {
       print "$key=$value\n";
    }
    print "========= VARS =========\n";
    print Dumper($cgi->Vars());
    print "========= COOKIE =========\n";
    print Dumper($cgi->cookie());
    print ".</pre>";

    #%ENV = undef;
}

sub getRequest {
    %ENV = () if $main::clearENV; # Clear the ENV
    # Do not clear the ENV the first time, otherwise the Fast::CGI "slow mode"
    # will not work anymore
    $main::clearENV = 1;
    return new CGI::Fast;
}


I used 2 wget together to examine it:
(posted to the proxy server to disable caching)

$ http_proxy=http://proxy:8080 watch -d 'wget -qO - --post-data='xxx' --header "Cookie: usernaam=test" http://www.myserver.nl/env.fcgi'
$ watch -d 'wget -qO - http://www.myserver.nl/env.fcgi'

After an Apache restart, both requests will output only their own env vars, but 
after a touch of the scriptfile,
you get a 50% chance both requests will show the same cookie, postdata and 
x_forwarded_for headers. A restart fixes that always.

I tried to look at the FCGI library, found out that they do some stuff with the 
%ENV, but could not figure out what exactly 
caused the problem.

Regards,
Ferdinand

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libfcgi-perl depends on:
ii  libc6                         2.11.2-7   Embedded GNU C Library: Shared lib
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.10.1]    5.10.1-16  minimal Perl system

libfcgi-perl recommends no packages.

libfcgi-perl suggests no packages.

-- no debconf information



--- End Message ---
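
A simplified model of the behaviour described in the report above, added here as an illustration; it is not code from the reporter or from FCGI. The `serve` and `leaked` helpers, the hash standing in for `%ENV`, and the two sample requests are assumptions constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Map a header name to its CGI variable name (Cookie -> HTTP_COOKIE).
sub cgi_key {
    my ($name) = @_;
    (my $key = 'HTTP_' . uc $name) =~ tr/-/_/;
    return $key;
}

# One persistent worker: %$env stands in for %ENV and outlives the requests.
# Returns a snapshot of the request variables the handler would see.
sub serve {
    my ($env, $headers, $clear_first) = @_;
    %$env = () if $clear_first;    # the workaround from the report
    $env->{ cgi_key($_) } = $headers->{$_} for keys %$headers;
    return { %$env };
}

# Variables visible to the handler that the current request did not send.
sub leaked {
    my ($headers, $seen) = @_;
    my %sent  = map { cgi_key($_) => 1 } keys %$headers;
    my @stale = sort(grep { !$sent{$_} } keys %$seen);
    return @stale;
}

# Constructed requests: the first mirrors the proxied wget call with a cookie,
# the second the direct call without one. 192.0.2.10 is a documentation address.
my @requests = (
    { 'Cookie' => 'usernaam=test', 'X-Forwarded-For' => '192.0.2.10' },
    {},
);

for my $clear (0, 1) {
    my %env;    # fresh worker state for each run
    my $label = $clear ? 'state cleared per request' : 'state kept between requests';
    print "$label:\n";
    for my $i (0 .. $#requests) {
        my $seen  = serve(\%env, $requests[$i], $clear);
        my @stale = leaked($requests[$i], $seen);
        my $what  = @stale ? 'stale ' . join(', ', map { "$_=$seen->{$_}" } @stale) : 'clean';
        printf "  request %d: %s\n", $i + 1, $what;
    }
}
```

In the first run the cookie-less request reports `HTTP_COOKIE` and `HTTP_X_FORWARDED_FOR` left over from the previous client; in the second run both requests are clean.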
--- Begin Message ---
Source: libfcgi-perl
Source-Version: 0.71-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
libfcgi-perl, which is due to be installed in the Debian FTP archive:

libfcgi-perl_0.71-1+squeeze1.debian.tar.gz
  to main/libf/libfcgi-perl/libfcgi-perl_0.71-1+squeeze1.debian.tar.gz
libfcgi-perl_0.71-1+squeeze1.dsc
  to main/libf/libfcgi-perl/libfcgi-perl_0.71-1+squeeze1.dsc
libfcgi-perl_0.71-1+squeeze1_amd64.deb
  to main/libf/libfcgi-perl/libfcgi-perl_0.71-1+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 607...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Damyan Ivanov <d...@debian.org> (supplier of updated libfcgi-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 24 Oct 2011 13:06:17 +0300
Source: libfcgi-perl
Binary: libfcgi-perl
Architecture: source amd64
Version: 0.71-1+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Damyan Ivanov <d...@debian.org>
Description: 
 libfcgi-perl - helper module for FastCGI
Closes: 607479
Changes: 
 libfcgi-perl (0.71-1+squeeze1) stable-security; urgency=high
 .
   * Team upload
 .
   * Add patch from upstream bug tracker fixing CVE-2011-2766
     Closes: #607479. Thanks to Ferdinand for reporting, Russ Allbery for the
     analysis and chansen for the patch.
   * control: update Vcs-* fields to point to Git

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
