import UBI perl-FCGI-0.79-8.1.el9_6

2025-06-09 02:58:53 +00:00 · 2025-06-09 02:58:53 +00:00 · 62eb6ebf59
commit 62eb6ebf59
parent 24d237f276
3 changed files with 172 additions and 6 deletions
--- a/SOURCES/FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch
+++ b/SOURCES/FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch
@ -0,0 +1,83 @@
+From 7c476394e799f39f749d7a7a50f62e5d3ec8db61 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 19 May 2025 13:49:32 +0200
+Subject: [PATCH] Fix size_t overflow in Malloc() argument in ReadParams()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There were still two issues after commit
+b0eabcaf4d4f371514891a52115c746815c2ff15 (Update fcgiapp.c, Fixing an
+integer overflow (CVE-2025-23016)):
+
+* Signed int overflow in "nameLen + valueLen + 2" expression.
+
+* Sizes of size_t and int types are in general unrelated.
+
+This fix resolves both of the issues.
+
+Related to CVE-2025-23016.
+Resolve #67.
+<https://github.com/FastCGI-Archives/fcgi2/pull/77>
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libfcgi/fcgiapp.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fcgiapp.c b/fcgiapp.c
+index 99c3630..0cd3dd1 100644
+--- a/fcgiapp.c
+++ b/fcgiapp.c
+@@ -18,6 +18,7 @@
+ #include <memory.h>     /* for memchr() */
+ #include <stdarg.h>
+ #include <stdio.h>
+#include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
+@@ -1160,6 +1161,7 @@ char *FCGX_GetParam(const char *name, FCGX_ParamArray envp)
+ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ {
+     int nameLen, valueLen;
+    size_t totalLen;
+     unsigned char lenBuff[3];
+     char *nameValue;
+ 
+@@ -1175,7 +1177,7 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+-	    if (nameLen >= INT_MAX) {
+	    if (nameLen >= INT_MAX || nameLen >= SIZE_MAX) {
+                 SetError(stream, FCGX_PARAMS_ERROR);
+                 return -1;
+ 	    }
+@@ -1191,16 +1193,21 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+-	    if (valueLen >= INT_MAX) {
+	    if (valueLen >= INT_MAX || valueLen >= SIZE_MAX) {
+                 SetError(stream, FCGX_PARAMS_ERROR);
+                 return -1;
+ 	    }
+         }
+        totalLen = (size_t)nameLen + (size_t)valueLen + 2u;
+        if (totalLen < (size_t)nameLen || totalLen < (size_t)valueLen) {
+            SetError(stream, FCGX_PARAMS_ERROR);
+            return -1;
+        }
+         /*
+          * nameLen and valueLen are now valid; read the name and value
+          * from stream and construct a standard environment entry.
+          */
+-        nameValue = (char *)Malloc(nameLen + valueLen + 2);
+        nameValue = (char *)Malloc(totalLen);
+         if(FCGX_GetStr(nameValue, nameLen, stream) != nameLen) {
+             SetError(stream, FCGX_PARAMS_ERROR);
+             free(nameValue);
+-- 
+2.49.0
+
--- a/SOURCES/FCGI-0.82-Update-fcgiapp.c.patch
+++ b/SOURCES/FCGI-0.82-Update-fcgiapp.c.patch
@ -0,0 +1,46 @@
+From b0eabcaf4d4f371514891a52115c746815c2ff15 Mon Sep 17 00:00:00 2001
+From: Pycatchown <39068868+Pycatchown@users.noreply.github.com>
+Date: Tue, 8 Apr 2025 17:39:30 +0200
+Subject: [PATCH] Update fcgiapp.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixing an integer overflow (CVE-2025-23016)
+
+<https://github.com/FastCGI-Archives/fcgi2/pull/74>
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libfcgi/fcgiapp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fcgiapp.c b/fcgiapp.c
+index 4ffe318..99c3630 100644
+--- a/fcgiapp.c
+++ b/fcgiapp.c
+@@ -1175,6 +1175,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+	    if (nameLen >= INT_MAX) {
+                SetError(stream, FCGX_PARAMS_ERROR);
+                return -1;
+	    }
+         }
+         if((valueLen = FCGX_GetChar(stream)) == EOF) {
+             SetError(stream, FCGX_PARAMS_ERROR);
+@@ -1187,6 +1191,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+	    if (valueLen >= INT_MAX) {
+                SetError(stream, FCGX_PARAMS_ERROR);
+                return -1;
+	    }
+         }
+         /*
+          * nameLen and valueLen are now valid; read the name and value
+-- 
+2.49.0
+
--- a/SPECS/perl-FCGI.spec
+++ b/SPECS/perl-FCGI.spec
@ -3,7 +3,7 @@ Summary:        FastCGI Perl bindings
 # needed to properly replace/obsolete fcgi-perl
 Epoch:          1
 Version:        0.79
-Release:        8%{?dist}
+Release:        8.1%{?dist}
 # same as fcgi
 License:        OML

@ -11,6 +11,14 @@ Source0:        https://cpan.metacpan.org/authors/id/E/ET/ETHER/FCGI-%{version}.
 # Fix CVE-2012-6687 in the bundled fcgi library, bug #1190294, CPAN RT#118405,
 # patch copied from Debian's libfcgi-perl.
 Patch0:         FCGI-0.78-CVE-2012-6687.patch
+# 1/2 Fix CVE-2025-40907 in the bundled fcgi library, bug #2366847,
+# <https://github.com/perl-catalyst/FCGI/issues/14>, copied from fcgi2 library
+# <https://github.com/FastCGI-Archives/fcgi2/issues/67>.
+Patch1:         FCGI-0.82-Update-fcgiapp.c.patch
+# 2/2 Fix CVE-2025-40907 in the bundled fcgi library, bug #2366847,
+# <https://github.com/perl-catalyst/FCGI/issues/14>, copied from fcgi2 library
+# <https://github.com/FastCGI-Archives/fcgi2/issues/67>.
+Patch2:         FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch
 URL:            https://metacpan.org/release/FCGI
 BuildRequires:  coreutils
 BuildRequires:  findutils
@ -45,10 +53,24 @@ Provides:       bundled(fcgi)
 %description
 %{summary}.

+%package tests
+Summary:        Tests for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
+Requires:       perl-Test-Harness
+
+%description tests
+Tests from %{name}. Execute them
+with "%{_libexecdir}/%{name}/test".
+
 %prep
-%setup -q -n FCGI-%{version}
-%patch0 -p1
+%autosetup -p1 -n FCGI-%{version}
 find . -type f -exec chmod -c -x {} +
+# Help generators to recognize Perl scripts
+for F in test.pl; do
+    perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!\s*perl}{$Config{startperl}}' "$F"
+    chmod +x "$F"
+done

 %build
 perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1 \
@ -58,18 +80,33 @@ perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1 \
 %install
 %make_install
 %{_fixperms} %{buildroot}/*
+# Install tests
+mkdir -p %{buildroot}%{_libexecdir}/%{name}/t
+cp -a test.pl %{buildroot}%{_libexecdir}/%{name}/t/test.t
+cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF'
+#!/bin/sh
+cd %{_libexecdir}/%{name} && exec prove -I . -j "$(getconf _NPROCESSORS_ONLN)"
+EOF
+chmod +x %{buildroot}%{_libexecdir}/%{name}/test

 %check
+export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}')
 make test

 %files
 %license LICENSE
 %doc ChangeLog README
-%{perl_vendorarch}/*
-%exclude %dir %{perl_vendorarch}/auto
-%{_mandir}/man3/*.3*
+%{perl_vendorarch}/auto/FCGI
+%{perl_vendorarch}/FCGI.pm
+%{_mandir}/man3/FCGI.3*
+
+%files tests
+%{_libexecdir}/%{name}

 %changelog
+* Thu May 29 2025 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.79-8.1
+- Fix CVE-2025-40907 (integer overflow when parsing FastCGI parameters)
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.79-8
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688