[SCM] Debian packaging of libfcgi-perl branch, master, updated. 491e5d141a11c750d1213a947a8c2ecf424145ee

Damyan Ivanov dmn at debian.org
Sat Sep 17 19:01:24 UTC 2011


The following commit has been merged in the master branch:
commit 491e5d141a11c750d1213a947a8c2ecf424145ee
Author: Damyan Ivanov <dmn at debian.org>
Date:   Sat Sep 17 22:01:17 2011 +0300

    Add patch from upstream bug tracker fixing CVE-2011-2766
    
    Closes: #607479
    Thanks to Ferdinand for reporting, Russ Allbery for the analysis and chansen for
    the patch.

diff --git a/debian/changelog b/debian/changelog
index 2214972..19e9e46 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,11 @@ libfcgi-perl (0.73-2) UNRELEASED; urgency=low
   * debian/copyright: Replace DEP5 Format-Specification URL from
     svn.debian.org to anonscm.debian.org URL.
 
+  [ Damyan Ivanov ]
+  * Add patch from upstream bug tracker fixing CVE-2011-2766
+    Closes: #607479. Thaks to Ferdinand for reporting, Russ Allbery for the
+    analysis and chansen for the patch.
+
  -- Ansgar Burchardt <ansgar at debian.org>  Wed, 27 Jul 2011 18:43:44 +0200
 
 libfcgi-perl (0.73-1) unstable; urgency=low
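Review bot: "Thaks" in the added "Closes: #607479. Thaks to Ferdinand ..." line should read "Thanks", since this text ends up in the published changelog. The entry is also filed under the 0.73-2 stanza that still reads "urgency=low"; because it fixes CVE-2011-2766, consider raising the urgency before the upload is finalised so the fix migrates faster.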
diff --git a/debian/patches/cve-2011-2766.patch b/debian/patches/cve-2011-2766.patch
new file mode 100644
index 0000000..a63694e
--- /dev/null
+++ b/debian/patches/cve-2011-2766.patch
@@ -0,0 +1,42 @@
+Description: replace testing of hash value with hash reference
+ %hash is false if the hash hasn't been assigned to, *or* if the hash is simply
+ empty. This causes the environment from the *second* request (that is, the
+ environment produced by the first request) to be saved as default if the first
+ request had empty environment. This way, request after the first can get
+ access to credentials set up by the first request. badbadbad
+ This is CVE-2011-2766.
+Author: chansen at cpan.org
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=68380
+Bug-Debian: http://bugs.debian.org/607479
+
+--- a/FCGI.PL
++++ b/FCGI.PL
+@@ -295,14 +295,14 @@ sub Request(;***$*$) {
+ 
+ sub accept() {
+     warn "accept called as a method; you probably wanted to call Accept" if @_;
+-    if (%FCGI::ENV) {
+-        %ENV = %FCGI::ENV;
++    if ( defined($FCGI::ENV) ) {
++        %ENV = %$FCGI::ENV;
+     } else {
+-        %FCGI::ENV = %ENV;
++        $FCGI::ENV = {%ENV};
+     }
+     my $rc = Accept($global_request);
+-    for (keys %FCGI::ENV) {
+-        $ENV{$_} = $FCGI::ENV{$_} unless exists $ENV{$_};
++    for (keys %$FCGI::ENV) {
++        $ENV{$_} = $FCGI::ENV->{$_} unless exists $ENV{$_};
+     }
+ 
+     # not SFIO
+@@ -314,7 +314,7 @@ sub accept() {
+ 
+ sub finish() {
+     warn "finish called as a method; you probably wanted to call Finish" if @_;
+-    %ENV = %FCGI::ENV if %FCGI::ENV;
++    %ENV = %$FCGI::ENV if defined($FCGI::ENV);
+ 
+     # not SFIO
+     if (tied (*STDIN)) {
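Review bot: The Description header of the new patch ends its explanation with a stray "badbadbad" and describes the leak ambiguously ("the environment from the *second* request (that is, the environment produced by the first request)"); please drop the stray token and state plainly that when the first saved environment is empty, the emptiness test treats it as "nothing saved yet" and stores the environment left behind by the first request as the default for all later ones. In accept() and finish(), the move from testing %FCGI::ENV to defined($FCGI::ENV) is the whole fix, so a one-line comment there ("an empty saved environment is still a saved environment") would keep someone from simplifying it back to a truthiness test. Two further points: the saved state moves from the package hash %FCGI::ENV to the scalar reference $FCGI::ENV, so any caller that read %FCGI::ENV directly will now see an empty hash and this deserves a mention in the Description; and no regression test accompanies the change, where a test that runs accept() with an empty %ENV, sets a variable during the first request and checks it is absent in the second would cover it.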
diff --git a/debian/patches/series b/debian/patches/series
index a6b8568..016c835 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
+cve-2011-2766.patch
 fix-pod-error.patch
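Review bot: cve-2011-2766.patch is inserted above fix-pod-error.patch instead of being appended, which changes the order in which quilt applies the series. If the ordering is intentional (for example, to keep the security fix independent of the POD fix), say so in the changelog; otherwise append it at the end, and in either case confirm that both patches still apply cleanly without fuzz in the new order.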

-- 
Debian packaging of libfcgi-perl


