commit 743d630705eb19d2162bed30a1979234c2976c4a Author: Iain Arnell <iarnell@xxxxxxxxx> Date: Fri Sep 23 11:51:42 2011 +0200 patch to resolve rhbz#736604 cve-2011-2766 (cherry picked from commit ac09f899550979e6e2e27b99e02d592d8563af5b) Conflicts: perl-FCGI.spec cve-2011-2766.patch | 32 ++++++++++++++++++++++++++++++++ perl-FCGI.spec | 8 ++++++++ 2 files changed, 40 insertions(+), 0 deletions(-)
---
diff --git a/cve-2011-2766.patch b/cve-2011-2766.patch
new file mode 100644
index 0000000..1933dd2
--- /dev/null
+++ b/cve-2011-2766.patch
@@ -0,0 +1,32 @@
+diff -up FCGI-0.71/FCGI.PL.orig FCGI-0.71/FCGI.PL
+--- FCGI-0.71/FCGI.PL.orig 2010-03-30 02:03:16.000000000 +0200
++++ FCGI-0.71/FCGI.PL 2011-09-23 12:02:51.000000000 +0200
+@@ -294,14 +294,14 @@ sub Request(;***$*$) {
+
+ sub accept() {
+ warn "accept called as a method; you probably wanted to call Accept" if @_;
+- if (%FCGI::ENV) {
+- %ENV = %FCGI::ENV;
++ if (defined $FCGI::ENV) {
++ %ENV = %$FCGI::ENV;
+ } else {
+- %FCGI::ENV = %ENV;
++ $FCGI::ENV = {%ENV};
+ }
+ my $rc = Accept($global_request);
+- for (keys %FCGI::ENV) {
+- $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++ for (keys %$FCGI::ENV) {
++ $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+ }
+
+ # not SFIO
+@@ -313,7 +313,7 @@ sub accept() {
+
+ sub finish() {
+ warn "finish called as a method; you probably wanted to call Finish" if @_;
+- %ENV = %FCGI::ENV if %FCGI::ENV;
++ %ENV = %$FCGI::ENV if (defined $FCGI::ENV);
+
+ # not SFIO
+ if (tied (*STDIN)) {
diff --git a/perl-FCGI.spec b/perl-FCGI.spec
index 5d86948..de55d75 100644
--- a/perl-FCGI.spec
+++ b/perl-FCGI.spec
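Review bot: The move from `if (%FCGI::ENV)` to `if (defined $FCGI::ENV)` in accept() and finish() has no comment explaining why the saved environment must be a hashref tested with `defined`, so a later cleanup could switch it back to a plain hash and reopen the issue. An empty hash is false in boolean context, so the old test sent an empty baseline down the else branch and re-snapshotted %ENV, which by then can presumably hold variables set for an earlier request. I would add above the test in accept() something like `# $FCGI::ENV is a hashref so an empty baseline still counts as saved; testing the hash itself would re-snapshot %ENV with the previous request's variables`. The patch also changes the type of a package global without a note for outside code that still reads `%FCGI::ENV`, and it adds no regression test for two consecutive accept() calls. Both sub bodies continue outside the inner hunks, so the remaining uses of the saved environment are not visible here.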
@@ -8,6 +8,10 @@ Release: 3%{?dist} License: OML Group: Development/Libraries Source0: http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/FCGI-%{version}.tar.gz +# resolves rhbz #736604 cve-2011-2766 +# see https://rt.cpan.org/Public/Bug/Display.html?id=68380 +# https://rt.cpan.org/Ticket/Attachment/938983/488105/ +Patch0: cve-2011-2766.patch URL: http://search.cpan.org/dist/FCGI BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) @@ -25,6 +29,7 @@ Obsoletes: fcgi-perl =< 2.4.0 %prep %setup -q -n FCGI-%{version} +%patch0 -p 1 find . -type f -exec chmod -c -x {} + echo "test.pl" > .proverc @@ -60,6 +65,9 @@ rm -rf %{buildroot} %{_mandir}/man3/*.3* %changelog +* Fri Sep 23 2011 Iain Arnell <iarnell@xxxxxxxxx> 1:0.71-3 +- patch to resolve rhbz#736604 cve-2011-2766 + * Sat May 15 2010 Chris Weyl <cweyl@xxxxxxxxxxxxxxx> 1:0.71-3 - and fix our tests subpackage included files -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel
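Review bot: The new %changelog entry is stamped `1:0.71-3`, the same version-release as the May 15 2010 entry directly below it, and the first hunk's context still shows `Release: 3%{?dist}`, so this CVE fix appears to ship without a release bump. If a 0.71-3 build already exists on this branch, the patched and unpatched packages are indistinguishable by NVR: package managers will not offer the fix as an update, and version-based vulnerability checks cannot tell which hosts are fixed. I would bump the tag to `Release: 4%{?dist}` and stamp the new entry `1:0.71-4`. This may be a side effect of the cherry-pick conflict noted in the commit message, so it is worth checking against the originating commit.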