It was found that the perl Fast CGI module did not properly clean up certain environment variables, related to a particular HTTP request, between subsequent incoming requests. Any environment variable set in the first pass through the code by processing the first request, that wasn't set in some subsequent request, has been added to the hash containing environment variables for that subsequent request. A remote attacker could use this flaw to bypass the authentication process and obtain access to resources, which would be otherwise protected by authentication. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607479
This issue affects the versions of the perl-FCGI package, as shipped with Fedora release of 14 and 15. Please schedule an update once final upstream patch known. -- This issue affects the version of the perl-FCGI package, as present within EPEL-6 repository. Please schedule an update once final upstream patch known. -- This issue did NOT affect the versions of the fcgi package, as shipped with Fedora release of 14 and 15. Though the fcgi package in those releases contains embedded copy of the perl-FCGI package, the code in question does not contain the regression in FCGI's accept() routine yet. -- This issue did NOT affect the versions of the fcgi package, as present within EPEL-5 and EPEL-6 repositories. Though the fcgi package in those releases contains embedded copy of the perl-FCGI package, the code in question does not contain the regression in FCGI's accept() routine yet.
CVE Request: [2] http://www.openwall.com/lists/oss-security/2011/09/08/1
Created perl-FCGI tracking bugs for this issue Affects: fedora-all [bug 736608] Affects: epel-6 [bug 736609]
Sample code snippet (from Debian bug report [1]) to demonstrate the deficiency: <quote> #! /usr/bin/perl -w use CGI::Fast qw(:standard :cgi-lib); use Data::Dumper; use strict; while ( my $cgi = getRequest() ) { print $cgi->header(); print "<pre>========= ID:$$ =========\n"; while (my ($key,$value) = each %ENV) { print "$key=$value\n"; } print "========= VARS =========\n"; print Dumper($cgi->Vars()); print "========= COOKIE =========\n"; print Dumper($cgi->cookie()); print ".</pre>"; #%ENV = undef; } sub getRequest { %ENV = () if $main::clearENV; # Clear the ENV $main::clearENV = 1; # Do not clear the ENV the first time otherwise the Fast::CGI "slow mode" will not work anymore return new CGI::Fast; } I used 2 wget together to examine it: (posted to the proxy server to disable caching) $ http_proxy=http://proxy:8080 watch -d 'wget -qO - --post-data='xxx' --header "Cookie: usernaam=test" http://www.myserver.nl/env.fcgi' $ watch -d 'wget -qO - http://www.myserver.nl/env.fcgi' </quote>
The CVE identifier of CVE-2011-2766 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2011/09/08/2
Is fcgi-perl from EPEL5 affected by this bug as well?
(In reply to comment #6) > Is fcgi-perl from EPEL5 affected by this bug as well? No, fcgi in EPEL-5 contains CPAN v0.67 version of the FCGI module (thus is not yet affected by this).
perl-FCGI-0.71-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following updates: 1) perl-FCGI-0.74-1.fc16, 2) perl-FCGI-0.74-1.fc15, 3) perl-FCGI-0.74-1.fc14, 4) perl-FCGI-0.71-4.el6.