Bug#849438: jessie-pu: package libfcgi-perl/0.77-1+deb8u1

2017-01-02 Thread Adam D. Barratt 
Control: tags -1 + pending

Hi,

On Sat, 2016-12-31 at 19:53 +0100, Salvatore Bonaccorso wrote:
> Hi Adam,
> 
> On Sat, Dec 31, 2016 at 05:11:25PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Tue, 2016-12-27 at 08:17 +0100, Salvatore Bonaccorso wrote:
> > > Moritz Mühlenhoff suggested to fix CVE-2012-6687 for libfcgi-perl via
> > > a point release (since it does not warrant a DSA). Attached is a
> > > debdiff for libfcgi-perl as in stable.
> > > 
> > > Could you consider to have it included in the upcoming point release?
> > 
> > Please go ahead.
> 
> Thank you, uploaded.

Flagged for acceptance, thanks.

Regards,

Adam

Bug#849438: jessie-pu: package libfcgi-perl/0.77-1+deb8u1

2016-12-31 Thread Salvatore Bonaccorso 
Hi Adam,

On Sat, Dec 31, 2016 at 05:11:25PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2016-12-27 at 08:17 +0100, Salvatore Bonaccorso wrote:
> > Moritz Mühlenhoff suggested to fix CVE-2012-6687 for libfcgi-perl via
> > a point release (since it does not warrant a DSA). Attached is a
> > debdiff for libfcgi-perl as in stable.
> > 
> > Could you consider to have it included in the upcoming point release?
> 
> Please go ahead.

Thank you, uploaded.

Regards,
Salvatore

Bug#849438: jessie-pu: package libfcgi-perl/0.77-1+deb8u1

2016-12-31 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Tue, 2016-12-27 at 08:17 +0100, Salvatore Bonaccorso wrote:
> Moritz Mühlenhoff suggested to fix CVE-2012-6687 for libfcgi-perl via
> a point release (since it does not warrant a DSA). Attached is a
> debdiff for libfcgi-perl as in stable.
> 
> Could you consider to have it included in the upcoming point release?

Please go ahead.

Regards,

Adam

Bug#849438: jessie-pu: package libfcgi-perl/0.77-1+deb8u1

2016-12-26 Thread Salvatore Bonaccorso 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi SRM

Moritz Mühlenhoff suggested to fix CVE-2012-6687 for libfcgi-perl via
a point release (since it does not warrant a DSA). Attached is a
debdiff for libfcgi-perl as in stable.

Could you consider to have it included in the upcoming point release?

Regards,
Salvatore
diff -Nru libfcgi-perl-0.77/debian/changelog libfcgi-perl-0.77/debian/changelog
--- libfcgi-perl-0.77/debian/changelog	2014-08-12 23:13:41.0 +0200
+++ libfcgi-perl-0.77/debian/changelog	2016-12-27 08:06:30.0 +0100
@@ -1,3 +1,10 @@
+libfcgi-perl (0.77-1+deb8u1) jessie; urgency=medium
+
+  * Team upload.
+  * CVE-2012-6687: numerous connections cause segfault DoS (Closes: #815840)
+
+ -- Salvatore Bonaccorso   Tue, 27 Dec 2016 08:06:30 +0100
+
 libfcgi-perl (0.77-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru libfcgi-perl-0.77/debian/patches/CVE-2012-6687.patch libfcgi-perl-0.77/debian/patches/CVE-2012-6687.patch
--- libfcgi-perl-0.77/debian/patches/CVE-2012-6687.patch	1970-01-01 01:00:00.0 +0100
+++ libfcgi-perl-0.77/debian/patches/CVE-2012-6687.patch	2016-12-27 08:06:30.0 +0100
@@ -0,0 +1,85 @@
+Description: fix CVE-2012-6687 in bundled libfcgi
+Origin: https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417
+Bug-Debian: https://bugs.debian.org/815840
+Forwarded: https://rt.cpan.org/Ticket/Display.html?id=118405
+Last-Update: 2016-12-27
+
+--- a/os_unix.c
 b/os_unix.c
+@@ -36,6 +36,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ #ifdef HAVE_NETDB_H
+ #include 
+@@ -97,6 +98,9 @@
+ static int shutdownPending = FALSE;
+ static int shutdownNow = FALSE;
+ 
++static int libfcgiOsClosePollTimeout = 2000;
++static int libfcgiIsAfUnixKeeperPollTimeout = 2000;
++
+ void OS_ShutdownPending()
+ {
+ shutdownPending = TRUE;
+@@ -162,6 +166,16 @@
+ if(libInitialized)
+ return 0;
+ 
++char *libfcgiOsClosePollTimeoutStr = getenv( "LIBFCGI_OS_CLOSE_POLL_TIMEOUT" );
++if(libfcgiOsClosePollTimeoutStr) {
++libfcgiOsClosePollTimeout = atoi(libfcgiOsClosePollTimeoutStr);
++}
++
++char *libfcgiIsAfUnixKeeperPollTimeoutStr = getenv( "LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT" );
++if(libfcgiIsAfUnixKeeperPollTimeoutStr) {
++libfcgiIsAfUnixKeeperPollTimeout = atoi(libfcgiIsAfUnixKeeperPollTimeoutStr);
++}
++
+ asyncIoTable = (AioInfo *)malloc(asyncIoTableSize * sizeof(AioInfo));
+ if(asyncIoTable == NULL) {
+ errno = ENOMEM;
+@@ -751,19 +765,16 @@
+ {
+ if (shutdown(fd, 1) == 0)
+ {
+-struct timeval tv;
+-fd_set rfds;
++struct pollfd pfd;
+ int rv;
+ char trash[1024];
+ 
+-FD_ZERO(&rfds);
++pfd.fd = fd;
++pfd.events = POLLIN;
+ 
+ do 
+ {
+-FD_SET(fd, &rfds);
+-tv.tv_sec = 2;
+-tv.tv_usec = 0;
+-rv = select(fd + 1, &rfds, NULL, NULL, &tv);
++rv = poll(&pfd, 1, libfcgiOsClosePollTimeout);
+ }
+ while (rv > 0 && read(fd, trash, sizeof(trash)) > 0);
+ }
+@@ -1113,13 +1124,11 @@
+  */
+ static int is_af_unix_keeper(const int fd)
+ {
+-struct timeval tval = { READABLE_UNIX_FD_DROP_DEAD_TIMEVAL };
+-fd_set read_fds;
+-
+-FD_ZERO(&read_fds);
+-FD_SET(fd, &read_fds);
++struct pollfd pfd;
++pfd.fd = fd;
++pfd.events = POLLIN;
+ 
+-return select(fd + 1, &read_fds, NULL, NULL, &tval) >= 0 && FD_ISSET(fd, &read_fds);
++return poll(&pfd, 1, libfcgiIsAfUnixKeeperPollTimeout) >= 0 && (pfd.revents & POLLIN);
+ }
+ 
+ /*
diff -Nru libfcgi-perl-0.77/debian/patches/series libfcgi-perl-0.77/debian/patches/series
--- libfcgi-perl-0.77/debian/patches/series	1970-01-01 01:00:00.0 +0100
+++ libfcgi-perl-0.77/debian/patches/series	2016-12-27 08:06:30.0 +0100
@@ -0,0 +1 @@
+CVE-2012-6687.patch