Bug 736604 (CVE-2011-2766)
| Summary: | CVE-2011-2766 perl-FCGI, fcgi: Certain environment variables shared between first and subsequent HTTP requests | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | cweyl, iarnell, opensource, perl-devel, tremble |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-10-10 07:58:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 736608, 736609 | ||
| Bug Blocks: | |||
|
Description
Jan Lieskovsky
2011-09-08 08:23:17 UTC
This issue affects the versions of the perl-FCGI package, as shipped with Fedora release of 14 and 15. Please schedule an update once final upstream patch known. -- This issue affects the version of the perl-FCGI package, as present within EPEL-6 repository. Please schedule an update once final upstream patch known. -- This issue did NOT affect the versions of the fcgi package, as shipped with Fedora release of 14 and 15. Though the fcgi package in those releases contains embedded copy of the perl-FCGI package, the code in question does not contain the regression in FCGI's accept() routine yet. -- This issue did NOT affect the versions of the fcgi package, as present within EPEL-5 and EPEL-6 repositories. Though the fcgi package in those releases contains embedded copy of the perl-FCGI package, the code in question does not contain the regression in FCGI's accept() routine yet. CVE Request: [2] http://www.openwall.com/lists/oss-security/2011/09/08/1 Created perl-FCGI tracking bugs for this issue Affects: fedora-all [bug 736608] Affects: epel-6 [bug 736609] Sample code snippet (from Debian bug report [1]) to demonstrate the deficiency:
<quote>
#! /usr/bin/perl -w
use CGI::Fast qw(:standard :cgi-lib);
use Data::Dumper;
use strict;
while ( my $cgi = getRequest() ) {
print $cgi->header();
print "<pre>========= ID:$$ =========\n";
while (my ($key,$value) = each %ENV) {
print "$key=$value\n";
}
print "========= VARS =========\n";
print Dumper($cgi->Vars());
print "========= COOKIE =========\n";
print Dumper($cgi->cookie());
print ".</pre>";
#%ENV = undef;
}
sub getRequest {
%ENV = () if $main::clearENV; # Clear the ENV
$main::clearENV = 1; # Do not clear the ENV the first time otherwise the Fast::CGI "slow mode" will not work anymore
return new CGI::Fast;
}
I used 2 wget together to examine it:
(posted to the proxy server to disable caching)
$ http_proxy=http://proxy:8080 watch -d 'wget -qO - --post-data='xxx' --header "Cookie: usernaam=test" http://www.myserver.nl/env.fcgi'
$ watch -d 'wget -qO - http://www.myserver.nl/env.fcgi'
</quote>
The CVE identifier of CVE-2011-2766 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2011/09/08/2 Is fcgi-perl from EPEL5 affected by this bug as well? (In reply to comment #6) > Is fcgi-perl from EPEL5 affected by this bug as well? No, fcgi in EPEL-5 contains CPAN v0.67 version of the FCGI module (thus is not yet affected by this). perl-FCGI-0.71-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following updates: 1) perl-FCGI-0.74-1.fc16, 2) perl-FCGI-0.74-1.fc15, 3) perl-FCGI-0.74-1.fc14, 4) perl-FCGI-0.71-4.el6. |