diff --git a/SOURCES/FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch b/SOURCES/FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch new file mode 100644 index 0000000..e1102f8 --- /dev/null +++ b/SOURCES/FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch @@ -0,0 +1,83 @@ +From 7c476394e799f39f749d7a7a50f62e5d3ec8db61 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Mon, 19 May 2025 13:49:32 +0200 +Subject: [PATCH] Fix size_t overflow in Malloc() argument in ReadParams() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There were still two issues after commit +b0eabcaf4d4f371514891a52115c746815c2ff15 (Update fcgiapp.c, Fixing an +integer overflow (CVE-2025-23016)): + +* Signed int overflow in "nameLen + valueLen + 2" expression. + +* Sizes of size_t and int types are in general unrelated. + +This fix resolves both of the issues. + +Related to CVE-2025-23016. +Resolve #67. + + +Signed-off-by: Petr Písař +--- + libfcgi/fcgiapp.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fcgiapp.c b/fcgiapp.c +index 99c3630..0cd3dd1 100644 +--- a/fcgiapp.c ++++ b/fcgiapp.c +@@ -18,6 +18,7 @@ + #include /* for memchr() */ + #include + #include ++#include + #include + #include + #include +@@ -1160,6 +1161,7 @@ char *FCGX_GetParam(const char *name, FCGX_ParamArray envp) + static int ReadParams(Params *paramsPtr, FCGX_Stream *stream) + { + int nameLen, valueLen; ++ size_t totalLen; + unsigned char lenBuff[3]; + char *nameValue; + +@@ -1175,7 +1177,7 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream) + } + nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16) + + (lenBuff[1] << 8) + lenBuff[2]; +- if (nameLen >= INT_MAX) { ++ if (nameLen >= INT_MAX || nameLen >= SIZE_MAX) { + SetError(stream, FCGX_PARAMS_ERROR); + return -1; + } +@@ -1191,16 +1193,21 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream) + } + valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16) + + (lenBuff[1] << 8) + lenBuff[2]; +- if (valueLen >= INT_MAX) { ++ if (valueLen >= INT_MAX || valueLen >= SIZE_MAX) { + SetError(stream, FCGX_PARAMS_ERROR); + return -1; + } + } ++ totalLen = (size_t)nameLen + (size_t)valueLen + 2u; ++ if (totalLen < (size_t)nameLen || totalLen < (size_t)valueLen) { ++ SetError(stream, FCGX_PARAMS_ERROR); ++ return -1; ++ } + /* + * nameLen and valueLen are now valid; read the name and value + * from stream and construct a standard environment entry. + */ +- nameValue = (char *)Malloc(nameLen + valueLen + 2); ++ nameValue = (char *)Malloc(totalLen); + if(FCGX_GetStr(nameValue, nameLen, stream) != nameLen) { + SetError(stream, FCGX_PARAMS_ERROR); + free(nameValue); +-- +2.49.0 + diff --git a/SOURCES/FCGI-0.82-Update-fcgiapp.c.patch b/SOURCES/FCGI-0.82-Update-fcgiapp.c.patch new file mode 100644 index 0000000..4c12c12 --- /dev/null +++ b/SOURCES/FCGI-0.82-Update-fcgiapp.c.patch @@ -0,0 +1,46 @@ +From b0eabcaf4d4f371514891a52115c746815c2ff15 Mon Sep 17 00:00:00 2001 +From: Pycatchown <39068868+Pycatchown@users.noreply.github.com> +Date: Tue, 8 Apr 2025 17:39:30 +0200 +Subject: [PATCH] Update fcgiapp.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixing an integer overflow (CVE-2025-23016) + + + +Signed-off-by: Petr Písař +--- + libfcgi/fcgiapp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fcgiapp.c b/fcgiapp.c +index 4ffe318..99c3630 100644 +--- a/fcgiapp.c ++++ b/fcgiapp.c +@@ -1175,6 +1175,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream) + } + nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16) + + (lenBuff[1] << 8) + lenBuff[2]; ++ if (nameLen >= INT_MAX) { ++ SetError(stream, FCGX_PARAMS_ERROR); ++ return -1; ++ } + } + if((valueLen = FCGX_GetChar(stream)) == EOF) { + SetError(stream, FCGX_PARAMS_ERROR); +@@ -1187,6 +1191,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream) + } + valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16) + + (lenBuff[1] << 8) + lenBuff[2]; ++ if (valueLen >= INT_MAX) { ++ SetError(stream, FCGX_PARAMS_ERROR); ++ return -1; ++ } + } + /* + * nameLen and valueLen are now valid; read the name and value +-- +2.49.0 + diff --git a/SPECS/perl-FCGI.spec b/SPECS/perl-FCGI.spec index dea0187..9ed2f57 100644 --- a/SPECS/perl-FCGI.spec +++ b/SPECS/perl-FCGI.spec @@ -3,7 +3,7 @@ Summary: FastCGI Perl bindings # needed to properly replace/obsolete fcgi-perl Epoch: 1 Version: 0.79 -Release: 8%{?dist} +Release: 8.1%{?dist} # same as fcgi License: OML @@ -11,6 +11,14 @@ Source0: https://cpan.metacpan.org/authors/id/E/ET/ETHER/FCGI-%{version}. # Fix CVE-2012-6687 in the bundled fcgi library, bug #1190294, CPAN RT#118405, # patch copied from Debian's libfcgi-perl. Patch0: FCGI-0.78-CVE-2012-6687.patch +# 1/2 Fix CVE-2025-40907 in the bundled fcgi library, bug #2366847, +# , copied from fcgi2 library +# . +Patch1: FCGI-0.82-Update-fcgiapp.c.patch +# 2/2 Fix CVE-2025-40907 in the bundled fcgi library, bug #2366847, +# , copied from fcgi2 library +# . +Patch2: FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch URL: https://metacpan.org/release/FCGI BuildRequires: coreutils BuildRequires: findutils @@ -45,10 +53,24 @@ Provides: bundled(fcgi) %description %{summary}. +%package tests +Summary: Tests for %{name} +BuildArch: noarch +Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release} +Requires: perl-Test-Harness + +%description tests +Tests from %{name}. Execute them +with "%{_libexecdir}/%{name}/test". + %prep -%setup -q -n FCGI-%{version} -%patch0 -p1 +%autosetup -p1 -n FCGI-%{version} find . -type f -exec chmod -c -x {} + +# Help generators to recognize Perl scripts +for F in test.pl; do + perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!\s*perl}{$Config{startperl}}' "$F" + chmod +x "$F" +done %build perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1 \ @@ -58,18 +80,33 @@ perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1 \ %install %make_install %{_fixperms} %{buildroot}/* +# Install tests +mkdir -p %{buildroot}%{_libexecdir}/%{name}/t +cp -a test.pl %{buildroot}%{_libexecdir}/%{name}/t/test.t +cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF' +#!/bin/sh +cd %{_libexecdir}/%{name} && exec prove -I . -j "$(getconf _NPROCESSORS_ONLN)" +EOF +chmod +x %{buildroot}%{_libexecdir}/%{name}/test %check +export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}') make test %files %license LICENSE %doc ChangeLog README -%{perl_vendorarch}/* -%exclude %dir %{perl_vendorarch}/auto -%{_mandir}/man3/*.3* +%{perl_vendorarch}/auto/FCGI +%{perl_vendorarch}/FCGI.pm +%{_mandir}/man3/FCGI.3* + +%files tests +%{_libexecdir}/%{name} %changelog +* Thu May 29 2025 Jitka Plesnikova - 1:0.79-8.1 +- Fix CVE-2025-40907 (integer overflow when parsing FastCGI parameters) + * Mon Aug 09 2021 Mohan Boddu - 1:0.79-8 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688