6 changed files with 310 additions and 14 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/FCGI-0.78.tar.gz
+SOURCES/FCGI-0.79.tar.gz
--- a/.perl-FCGI.metadata
+++ b/.perl-FCGI.metadata
@ -1 +1 @@
-dbc2c4180656bbce87d06d0a6f28e46d6fb71b30 SOURCES/FCGI-0.78.tar.gz
+2c6d7ec8481009c23028ac37086b3ddc2ddb177b SOURCES/FCGI-0.79.tar.gz
--- a/SOURCES/FCGI-0.78-CVE-2012-6687.patch
+++ b/SOURCES/FCGI-0.78-CVE-2012-6687.patch
@ -0,0 +1,84 @@
 Description: fix CVE-2012-6687 in bundled libfcgi
 Origin: https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417
 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815840
 Forwarded: https://rt.cpan.org/Ticket/Display.html?id=118405
 --- a/os_unix.c
 +++ b/os_unix.c
@@ -36,6 +36,7 @@
 #include <sys/time.h>
 #include <sys/un.h>
 #include <signal.h>
 +#include <poll.h>
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
@@ -97,6 +98,9 @@
 static int shutdownPending = FALSE;
 static int shutdownNow = FALSE;
 +static int libfcgiOsClosePollTimeout = 2000;
 +static int libfcgiIsAfUnixKeeperPollTimeout = 2000;
 +
 void OS_ShutdownPending()
 {
     shutdownPending = TRUE;
@@ -162,6 +166,16 @@
     if(libInitialized)
         return 0;
 +    char *libfcgiOsClosePollTimeoutStr = getenv( "LIBFCGI_OS_CLOSE_POLL_TIMEOUT" );
 +    if(libfcgiOsClosePollTimeoutStr) {
 +        libfcgiOsClosePollTimeout = atoi(libfcgiOsClosePollTimeoutStr);
 +    }
 +
 +    char *libfcgiIsAfUnixKeeperPollTimeoutStr = getenv( "LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT" );
 +    if(libfcgiIsAfUnixKeeperPollTimeoutStr) {
 +        libfcgiIsAfUnixKeeperPollTimeout = atoi(libfcgiIsAfUnixKeeperPollTimeoutStr);
 +    }
 +
     asyncIoTable = (AioInfo *)malloc(asyncIoTableSize * sizeof(AioInfo));
     if(asyncIoTable == NULL) {
         errno = ENOMEM;
@@ -751,19 +765,16 @@
     {
         if (shutdown(fd, 1) == 0)
         {
 -            struct timeval tv;
 -            fd_set rfds;
 +            struct pollfd pfd;
             int rv;
             char trash[1024];
 -            FD_ZERO(&rfds);
 +            pfd.fd = fd;
 +            pfd.events = POLLIN;
             do 
             {
 -                FD_SET(fd, &rfds);
 -                tv.tv_sec = 2;
 -                tv.tv_usec = 0;
 -                rv = select(fd + 1, &rfds, NULL, NULL, &tv);
 +                rv = poll(&pfd, 1, libfcgiOsClosePollTimeout);
             }
             while (rv > 0 && read(fd, trash, sizeof(trash)) > 0);
         }
@@ -1113,13 +1124,11 @@
  */
 static int is_af_unix_keeper(const int fd)
 {
 -    struct timeval tval = { READABLE_UNIX_FD_DROP_DEAD_TIMEVAL };
 -    fd_set read_fds;
 -
 -    FD_ZERO(&read_fds);
 -    FD_SET(fd, &read_fds);
 +    struct pollfd pfd;
 +    pfd.fd = fd;
 +    pfd.events = POLLIN;
 -    return select(fd + 1, &read_fds, NULL, NULL, &tval) >= 0 && FD_ISSET(fd, &read_fds);
 +    return poll(&pfd, 1, libfcgiIsAfUnixKeeperPollTimeout) >= 0 && (pfd.revents & POLLIN);
 }
 /*
--- a/SOURCES/FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch
+++ b/SOURCES/FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch
@ -0,0 +1,83 @@
 From 7c476394e799f39f749d7a7a50f62e5d3ec8db61 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Mon, 19 May 2025 13:49:32 +0200
 Subject: [PATCH] Fix size_t overflow in Malloc() argument in ReadParams()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 There were still two issues after commit
 b0eabcaf4d4f371514891a52115c746815c2ff15 (Update fcgiapp.c, Fixing an
 integer overflow (CVE-2025-23016)):
 * Signed int overflow in "nameLen + valueLen + 2" expression.
 * Sizes of size_t and int types are in general unrelated.
 This fix resolves both of the issues.
 Related to CVE-2025-23016.
 Resolve #67.
 <https://github.com/FastCGI-Archives/fcgi2/pull/77>
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 libfcgi/fcgiapp.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
 diff --git a/fcgiapp.c b/fcgiapp.c
 index 99c3630..0cd3dd1 100644
 --- a/fcgiapp.c
 +++ b/fcgiapp.c
@@ -18,6 +18,7 @@
 #include <memory.h>     /* for memchr() */
 #include <stdarg.h>
 #include <stdio.h>
 +#include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
@@ -1160,6 +1161,7 @@ char *FCGX_GetParam(const char *name, FCGX_ParamArray envp)
 static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
 {
     int nameLen, valueLen;
 +    size_t totalLen;
     unsigned char lenBuff[3];
     char *nameValue;
@@ -1175,7 +1177,7 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
 	    }
             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
                     + (lenBuff[1] << 8) + lenBuff[2];
 -	    if (nameLen >= INT_MAX) {
 +	    if (nameLen >= INT_MAX || nameLen >= SIZE_MAX) {
                 SetError(stream, FCGX_PARAMS_ERROR);
                 return -1;
 	    }
@@ -1191,16 +1193,21 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
 	    }
             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
                     + (lenBuff[1] << 8) + lenBuff[2];
 -	    if (valueLen >= INT_MAX) {
 +	    if (valueLen >= INT_MAX || valueLen >= SIZE_MAX) {
                 SetError(stream, FCGX_PARAMS_ERROR);
                 return -1;
 	    }
         }
 +        totalLen = (size_t)nameLen + (size_t)valueLen + 2u;
 +        if (totalLen < (size_t)nameLen || totalLen < (size_t)valueLen) {
 +            SetError(stream, FCGX_PARAMS_ERROR);
 +            return -1;
 +        }
         /*
          * nameLen and valueLen are now valid; read the name and value
          * from stream and construct a standard environment entry.
          */
 -        nameValue = (char *)Malloc(nameLen + valueLen + 2);
 +        nameValue = (char *)Malloc(totalLen);
         if(FCGX_GetStr(nameValue, nameLen, stream) != nameLen) {
             SetError(stream, FCGX_PARAMS_ERROR);
             free(nameValue);
 -- 
 2.49.0
--- a/SOURCES/FCGI-0.82-Update-fcgiapp.c.patch
+++ b/SOURCES/FCGI-0.82-Update-fcgiapp.c.patch
@ -0,0 +1,46 @@
 From b0eabcaf4d4f371514891a52115c746815c2ff15 Mon Sep 17 00:00:00 2001
 From: Pycatchown <39068868+Pycatchown@users.noreply.github.com>
 Date: Tue, 8 Apr 2025 17:39:30 +0200
 Subject: [PATCH] Update fcgiapp.c
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Fixing an integer overflow (CVE-2025-23016)
 <https://github.com/FastCGI-Archives/fcgi2/pull/74>
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 libfcgi/fcgiapp.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/fcgiapp.c b/fcgiapp.c
 index 4ffe318..99c3630 100644
 --- a/fcgiapp.c
 +++ b/fcgiapp.c
@@ -1175,6 +1175,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
 	    }
             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
                     + (lenBuff[1] << 8) + lenBuff[2];
 +	    if (nameLen >= INT_MAX) {
 +                SetError(stream, FCGX_PARAMS_ERROR);
 +                return -1;
 +	    }
         }
         if((valueLen = FCGX_GetChar(stream)) == EOF) {
             SetError(stream, FCGX_PARAMS_ERROR);
@@ -1187,6 +1191,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream)
 	    }
             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
                     + (lenBuff[1] << 8) + lenBuff[2];
 +	    if (valueLen >= INT_MAX) {
 +                SetError(stream, FCGX_PARAMS_ERROR);
 +                return -1;
 +	    }
         }
         /*
          * nameLen and valueLen are now valid; read the name and value
 -- 
 2.49.0
--- a/SPECS/perl-FCGI.spec
+++ b/SPECS/perl-FCGI.spec
@ -2,19 +2,31 @@ Name:           perl-FCGI
 Summary:        FastCGI Perl bindings
 # needed to properly replace/obsolete fcgi-perl
 Epoch:          1
-Version:        0.78
+Version:        0.79
-Release:        11%{?dist}
+Release:        8.1%{?dist}
 # same as fcgi
 License:        OML
 Source0:        https://cpan.metacpan.org/authors/id/E/ET/ETHER/FCGI-%{version}.tar.gz 
 # Fix CVE-2012-6687 in the bundled fcgi library, bug #1190294, CPAN RT#118405,
 # patch copied from Debian's libfcgi-perl.
 Patch0:         FCGI-0.78-CVE-2012-6687.patch
 # 1/2 Fix CVE-2025-40907 in the bundled fcgi library, bug #2366847,
 # <https://github.com/perl-catalyst/FCGI/issues/14>, copied from fcgi2 library
 # <https://github.com/FastCGI-Archives/fcgi2/issues/67>.
 Patch1:         FCGI-0.82-Update-fcgiapp.c.patch
 # 2/2 Fix CVE-2025-40907 in the bundled fcgi library, bug #2366847,
 # <https://github.com/perl-catalyst/FCGI/issues/14>, copied from fcgi2 library
 # <https://github.com/FastCGI-Archives/fcgi2/issues/67>.
 Patch2:         FCGI-0.82-Fix-size_t-overflow-in-Malloc-argument-in-ReadParams.patch
 URL:            https://metacpan.org/release/FCGI
 BuildRequires:  coreutils
 BuildRequires:  findutils
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  perl-interpreter
 BuildRequires:  perl-devel
 BuildRequires:  perl-generators
 BuildRequires:  perl-interpreter
 BuildRequires:  perl(Config)
 BuildRequires:  perl(Cwd)
 # ExtUtils::Liblist not used
@ -32,37 +44,108 @@ BuildRequires:  perl(Test)
 Requires:       perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
 Requires:       perl(Carp)
 Requires:       perl(XSLoader)
 # fcgiapp.c, os_unix.c, os_win32.c are copied and modified from FastCGI
 # Developer's Kit of an unknown version, bug #736612
 Provides:       bundled(fcgi)
 %{?perl_default_filter}
 %description
 %{summary}.
 %package tests
 Summary:        Tests for %{name}
 BuildArch:      noarch
 Requires:       %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
 Requires:       perl-Test-Harness
 %description tests
 Tests from %{name}. Execute them
 with "%{_libexecdir}/%{name}/test".
 %prep
-%setup -q -n FCGI-%{version}
+%autosetup -p1 -n FCGI-%{version}
 find . -type f -exec chmod -c -x {} +
 # Help generators to recognize Perl scripts
 for F in test.pl; do
    perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!\s*perl}{$Config{startperl}}' "$F"
    chmod +x "$F"
 done
 %build
-perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1
+perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1 \
-make %{?_smp_mflags}
+                 NO_PERLLOCAL=1
 %make_build
 %install
-make pure_install DESTDIR=%{buildroot}
+%make_install
 %{_fixperms} %{buildroot}/*
 # Install tests
 mkdir -p %{buildroot}%{_libexecdir}/%{name}/t
 cp -a test.pl %{buildroot}%{_libexecdir}/%{name}/t/test.t
 cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF'
 #!/bin/sh
 cd %{_libexecdir}/%{name} && exec prove -I . -j "$(getconf _NPROCESSORS_ONLN)"
 EOF
 chmod +x %{buildroot}%{_libexecdir}/%{name}/test
 %check
 export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}')
 make test
 %files
 %license LICENSE
 %doc ChangeLog README
-%{perl_vendorarch}/*
+%{perl_vendorarch}/auto/FCGI
-%exclude %dir %{perl_vendorarch}/auto
+%{perl_vendorarch}/FCGI.pm
-%{_mandir}/man3/*.3*
+%{_mandir}/man3/FCGI.3*
 %files tests
 %{_libexecdir}/%{name}
 %changelog
-* Fri Mar 29 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.78-11
+* Thu May 29 2025 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.79-8.1
- Rebuild with enable hardening (bug #1636329)
+- Fix CVE-2025-40907 (integer overflow when parsing FastCGI parameters)
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.79-8
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.79-7
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.79-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.79-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.79-4
 - Perl 5.32 rebuild
 * Tue Feb 04 2020 Tom Stellard <tstellar@redhat.com> - 1:0.79-3
 - Spec file cleanups: Use make_build and make_install macros
 - https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
 - https://fedoraproject.org/wiki/Perl/Tips#ExtUtils::MakeMake
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.79-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Sun Dec 15 2019 Emmanuel Seyman <emmanuel@seyman.fr> - 1:0.79-1
 - Update to 0.79
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.78-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.78-13
 - Perl 5.30 rebuild
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.78-12
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Tue Jan 15 2019 Petr Pisar <ppisar@redhat.com> - 1:0.78-11
 - Document an fcgi library is bundled (bug #736612)
 - Fix CVE-2012-6687 in the bundled fcgi library (bug #1190294)
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.78-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
`@ -1 +1 @@`
	`SOURCES/FCGI-0.78.tar.gz`	`SOURCES/FCGI-0.79.tar.gz`
`@ -1 +1 @@`
	`dbc2c4180656bbce87d06d0a6f28e46d6fb71b30 SOURCES/FCGI-0.78.tar.gz`	`2c6d7ec8481009c23028ac37086b3ddc2ddb177b SOURCES/FCGI-0.79.tar.gz`