6 changed files with 310 additions and 14 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/FCGI-0.78.tar.gz
+SOURCES/FCGI-0.79.tar.gz
--- a/.perl-FCGI.metadata
+++ b/.perl-FCGI.metadata
@ -1 +1 @@
-dbc2c4180656bbce87d06d0a6f28e46d6fb71b30 SOURCES/FCGI-0.78.tar.gz
+2c6d7ec8481009c23028ac37086b3ddc2ddb177b SOURCES/FCGI-0.79.tar.gz
--- a/SOURCES/FCGI-0.78-CVE-2012-6687.patch
+++ b/SOURCES/FCGI-0.78-CVE-2012-6687.patch
@ -0,0 +1,84 @@
+Description: fix CVE-2012-6687 in bundled libfcgi
+Origin: https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815840
+Forwarded: https://rt.cpan.org/Ticket/Display.html?id=118405
+
+--- a/os_unix.c
+++ b/os_unix.c
+@@ -36,6 +36,7 @@
+ #include <sys/time.h>
+ #include <sys/un.h>
+ #include <signal.h>
+#include <poll.h>
+ 
+ #ifdef HAVE_NETDB_H
+ #include <netdb.h>
+@@ -97,6 +98,9 @@
+ static int shutdownPending = FALSE;
+ static int shutdownNow = FALSE;
+ 
+static int libfcgiOsClosePollTimeout = 2000;
+static int libfcgiIsAfUnixKeeperPollTimeout = 2000;
+
+ void OS_ShutdownPending()
+ {
+     shutdownPending = TRUE;
+@@ -162,6 +166,16 @@
+     if(libInitialized)
+         return 0;
+ 
+    char *libfcgiOsClosePollTimeoutStr = getenv( "LIBFCGI_OS_CLOSE_POLL_TIMEOUT" );
+    if(libfcgiOsClosePollTimeoutStr) {
+        libfcgiOsClosePollTimeout = atoi(libfcgiOsClosePollTimeoutStr);
+    }
+
+    char *libfcgiIsAfUnixKeeperPollTimeoutStr = getenv( "LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT" );
+    if(libfcgiIsAfUnixKeeperPollTimeoutStr) {
+        libfcgiIsAfUnixKeeperPollTimeout = atoi(libfcgiIsAfUnixKeeperPollTimeoutStr);
+    }
+
+     asyncIoTable = (AioInfo *)malloc(asyncIoTableSize * sizeof(AioInfo));
+     if(asyncIoTable == NULL) {
+         errno = ENOMEM;
+@@ -751,19 +765,16 @@
+     {
+         if (shutdown(fd, 1) == 0)
+         {
+-            struct timeval tv;
+-            fd_set rfds;
+            struct pollfd pfd;
+             int rv;
+             char trash[1024];
+ 
+-            FD_ZERO(&rfds);
+            pfd.fd = fd;
+            pfd.events = POLLIN;
+ 
+             do 
+             {
+-                FD_SET(fd, &rfds);
+-                tv.tv_sec = 2;
+-                tv.tv_usec = 0;
+-                rv = select(fd + 1, &rfds, NULL, NULL, &tv);
+                rv = poll(&pfd, 1, libfcgiOsClosePollTimeout);
+             }
+             while (rv > 0 && read(fd, trash, sizeof(trash)) > 0);
+         }
+@@ -1113,13 +1124,11 @@
+  */
+ static int is_af_unix_keeper(const int fd)
+ {
+-    struct timeval tval = { READABLE_UNIX_FD_DROP_DEAD_TIMEVAL };
+-    fd_set read_fds;
+-
+-    FD_ZERO(&read_fds);
+-    FD_SET(fd, &read_fds);
+    struct pollfd pfd;
+    pfd.fd = fd;
+    pfd.events = POLLIN;
+ 
+-    return select(fd + 1, &read_fds, NULL, NULL, &tval) >= 0 && FD_ISSET(fd, &read_fds);
+    return poll(&pfd, 1, libfcgiIsAfUnixKeeperPollTimeout) >= 0 && (pfd.revents & POLLIN);
+ }
+ 
+ /*
--- a/SOURCES/FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch
+++ b/SOURCES/FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch
@ -0,0 +1,83 @@
+From 7c476394e799f39f749d7a7a50f62e5d3ec8db61 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 19 May 2025 13:49:32 +0200
+Subject: [PATCH] Fix size_t overflow in Malloc() argument in ReadParams()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There were still two issues after commit
+b0eabcaf4d4f371514891a52115c746815c2ff15 (Update fcgiapp.c, Fixing an
+integer overflow (CVE-2025-23016)):
+
+* Signed int overflow in "nameLen + valueLen + 2" expression.
+
+* Sizes of size_t and int types are in general unrelated.
+
+This fix resolves both of the issues.
+
+Related to CVE-2025-23016.
+Resolve #67.
+<https://github.com/FastCGI-Archives/fcgi2/pull/77>
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libfcgi/fcgiapp.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fcgiapp.c b/fcgiapp.c
+index 99c3630..0cd3dd1 100644
+--- a/fcgiapp.c
+++ b/fcgiapp.c
+@@ -18,6 +18,7 @@
+ #include <memory.h>     /* for memchr() */
+ #include <stdarg.h>
+ #include <stdio.h>
+#include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/types.h>
+@@ -1160,6 +1161,7 @@ char *FCGX_GetParam(const char *name, FCGX_ParamArray envp)
+ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ {
+     int nameLen, valueLen;
+    size_t totalLen;
+     unsigned char lenBuff[3];
+     char *nameValue;
+ 
+@@ -1175,7 +1177,7 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+-	    if (nameLen >= INT_MAX) {
+	    if (nameLen >= INT_MAX || nameLen >= SIZE_MAX) {
+                 SetError(stream, FCGX_PARAMS_ERROR);
+                 return -1;
+ 	    }
+@@ -1191,16 +1193,21 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+-	    if (valueLen >= INT_MAX) {
+	    if (valueLen >= INT_MAX || valueLen >= SIZE_MAX) {
+                 SetError(stream, FCGX_PARAMS_ERROR);
+                 return -1;
+ 	    }
+         }
+        totalLen = (size_t)nameLen + (size_t)valueLen + 2u;
+        if (totalLen < (size_t)nameLen || totalLen < (size_t)valueLen) {
+            SetError(stream, FCGX_PARAMS_ERROR);
+            return -1;
+        }
+         /*
+          * nameLen and valueLen are now valid; read the name and value
+          * from stream and construct a standard environment entry.
+          */
+-        nameValue = (char *)Malloc(nameLen + valueLen + 2);
+        nameValue = (char *)Malloc(totalLen);
+         if(FCGX_GetStr(nameValue, nameLen, stream) != nameLen) {
+             SetError(stream, FCGX_PARAMS_ERROR);
+             free(nameValue);
+-- 
+2.49.0
+
--- a/SOURCES/FCGI-0.82-Update-fcgiapp.c.patch
+++ b/SOURCES/FCGI-0.82-Update-fcgiapp.c.patch
@ -0,0 +1,46 @@
+From b0eabcaf4d4f371514891a52115c746815c2ff15 Mon Sep 17 00:00:00 2001
+From: Pycatchown <39068868+Pycatchown@users.noreply.github.com>
+Date: Tue, 8 Apr 2025 17:39:30 +0200
+Subject: [PATCH] Update fcgiapp.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixing an integer overflow (CVE-2025-23016)
+
+<https://github.com/FastCGI-Archives/fcgi2/pull/74>
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libfcgi/fcgiapp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fcgiapp.c b/fcgiapp.c
+index 4ffe318..99c3630 100644
+--- a/fcgiapp.c
+++ b/fcgiapp.c
+@@ -1175,6 +1175,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+	    if (nameLen >= INT_MAX) {
+                SetError(stream, FCGX_PARAMS_ERROR);
+                return -1;
+	    }
+         }
+         if((valueLen = FCGX_GetChar(stream)) == EOF) {
+             SetError(stream, FCGX_PARAMS_ERROR);
+@@ -1187,6 +1191,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
+ 	    }
+             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
+	    if (valueLen >= INT_MAX) {
+                SetError(stream, FCGX_PARAMS_ERROR);
+                return -1;
+	    }
+         }
+         /*
+          * nameLen and valueLen are now valid; read the name and value
+-- 
+2.49.0
+
--- a/SPECS/perl-FCGI.spec
+++ b/SPECS/perl-FCGI.spec
@ -2,19 +2,31 @@ Name:           perl-FCGI
 Summary:        FastCGI Perl bindings
 # needed to properly replace/obsolete fcgi-perl
 Epoch:          1
-Version:        0.78
-Release:        11%{?dist}
+Version:        0.79
+Release:        8.1%{?dist}
 # same as fcgi
 License:        OML

 Source0:        https://cpan.metacpan.org/authors/id/E/ET/ETHER/FCGI-%{version}.tar.gz 
+# Fix CVE-2012-6687 in the bundled fcgi library, bug #1190294, CPAN RT#118405,
+# patch copied from Debian's libfcgi-perl.
+Patch0:         FCGI-0.78-CVE-2012-6687.patch
+# 1/2 Fix CVE-2025-40907 in the bundled fcgi library, bug #2366847,
+# <https://github.com/perl-catalyst/FCGI/issues/14>, copied from fcgi2 library
+# <https://github.com/FastCGI-Archives/fcgi2/issues/67>.
+Patch1:         FCGI-0.82-Update-fcgiapp.c.patch
+# 2/2 Fix CVE-2025-40907 in the bundled fcgi library, bug #2366847,
+# <https://github.com/perl-catalyst/FCGI/issues/14>, copied from fcgi2 library
+# <https://github.com/FastCGI-Archives/fcgi2/issues/67>.
+Patch2:         FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch
 URL:            https://metacpan.org/release/FCGI
+BuildRequires:  coreutils
 BuildRequires:  findutils
 BuildRequires:  gcc
 BuildRequires:  make
-BuildRequires:  perl-interpreter
 BuildRequires:  perl-devel
 BuildRequires:  perl-generators
+BuildRequires:  perl-interpreter
 BuildRequires:  perl(Config)
 BuildRequires:  perl(Cwd)
 # ExtUtils::Liblist not used
@ -32,37 +44,108 @@ BuildRequires:  perl(Test)
 Requires:       perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
 Requires:       perl(Carp)
 Requires:       perl(XSLoader)
+# fcgiapp.c, os_unix.c, os_win32.c are copied and modified from FastCGI
+# Developer's Kit of an unknown version, bug #736612
+Provides:       bundled(fcgi)

 %{?perl_default_filter}

 %description
 %{summary}.

+%package tests
+Summary:        Tests for %{name}
+BuildArch:      noarch
+Requires:       %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
+Requires:       perl-Test-Harness
+
+%description tests
+Tests from %{name}. Execute them
+with "%{_libexecdir}/%{name}/test".
+
 %prep
-%setup -q -n FCGI-%{version}
+%autosetup -p1 -n FCGI-%{version}
 find . -type f -exec chmod -c -x {} +
+# Help generators to recognize Perl scripts
+for F in test.pl; do
+    perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!\s*perl}{$Config{startperl}}' "$F"
+    chmod +x "$F"
+done

 %build
-perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1
-make %{?_smp_mflags}
+perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1 \
+                 NO_PERLLOCAL=1
+%make_build

 %install
-make pure_install DESTDIR=%{buildroot}
+%make_install
 %{_fixperms} %{buildroot}/*
+# Install tests
+mkdir -p %{buildroot}%{_libexecdir}/%{name}/t
+cp -a test.pl %{buildroot}%{_libexecdir}/%{name}/t/test.t
+cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF'
+#!/bin/sh
+cd %{_libexecdir}/%{name} && exec prove -I . -j "$(getconf _NPROCESSORS_ONLN)"
+EOF
+chmod +x %{buildroot}%{_libexecdir}/%{name}/test

 %check
+export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}')
 make test

 %files
 %license LICENSE
 %doc ChangeLog README
-%{perl_vendorarch}/*
-%exclude %dir %{perl_vendorarch}/auto
-%{_mandir}/man3/*.3*
+%{perl_vendorarch}/auto/FCGI
+%{perl_vendorarch}/FCGI.pm
+%{_mandir}/man3/FCGI.3*
+
+%files tests
+%{_libexecdir}/%{name}

 %changelog
-* Fri Mar 29 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.78-11
- Rebuild with enable hardening (bug #1636329)
+* Thu May 29 2025 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.79-8.1
+- Fix CVE-2025-40907 (integer overflow when parsing FastCGI parameters)
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.79-8
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.79-7
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.79-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.79-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.79-4
+- Perl 5.32 rebuild
+
+* Tue Feb 04 2020 Tom Stellard <tstellar@redhat.com> - 1:0.79-3
+- Spec file cleanups: Use make_build and make_install macros
+- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
+- https://fedoraproject.org/wiki/Perl/Tips#ExtUtils::MakeMake
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.79-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sun Dec 15 2019 Emmanuel Seyman <emmanuel@seyman.fr> - 1:0.79-1
+- Update to 0.79
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.78-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.78-13
+- Perl 5.30 rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.78-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Jan 15 2019 Petr Pisar <ppisar@redhat.com> - 1:0.78-11
+- Document an fcgi library is bundled (bug #736612)
+- Fix CVE-2012-6687 in the bundled fcgi library (bug #1190294)

 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.78-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild