Bug#777553: marked as done (pu: package libfcgi/2.4.0-8)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#777553: marked as done (pu: package libfcgi/2.4.0-8)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 05 Sep 2015 13:37:42 +0000
Message-id: <[🔎] handler.777553.D777553.14414600866740.ackdone@bugs.debian.org>
References: <1441460034.2151.33.camel@adam-barratt.org.uk> <20150209184751.3924.77515.reportbug@debian>

Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <1441460034.2151.33.camel@adam-barratt.org.uk>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #777553,
regarding pu: package libfcgi/2.4.0-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
777553: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777553
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package libfcgi/2.4.0-8
From: Joe Damato <joe@packagecloud.io>
Date: Mon, 09 Feb 2015 10:47:51 -0800
Message-id: <20150209184751.3924.77515.reportbug@debian>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi:

There is a stack smashing/corruption bug in libfcgi/2.4.0-8. The bug was fixed in: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591, however this package is currently
in unstable as other changes were added as well. This bug is a security issue as you can DoS
a server process quite easily.

A CVE has been assigned (CVE-2012-6687): http://www.openwall.com/lists/oss-security/2015/02/07/4.

Ubuntu accepted my patched version of their  package into 12.04 precise-security: 
https://bugs.launchpad.net/ubuntu/precise/+source/libfcgi/+bug/1418778

Instructions for setting up a PoC: https://gist.github.com/ice799/abc2522397b1605a5d7f.

I sent my changes to the security team who told me this should be fixed with an 's-p-u' so I 
am trying to follow directions found online on how to do this.

I've attached a debdiff I generated against the version in stable.

Let me know how else I can help.

Thanks,
Joe

-- System Information:
Debian Release: 7.6
  APT prefers wheezy
  APT policy: (500, 'wheezy'), (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Attachment: libfcgi_2.4.0-8.1_2.4.0-8.2.diff.gz
Description: GNU Zip compressed data

--- End Message ---

--- Begin Message ---

To: 725661-done@bugs.debian.org, 770955-done@bugs.debian.org, 773796-done@bugs.debian.org, 774773-done@bugs.debian.org, 774820-done@bugs.debian.org, 774850-done@bugs.debian.org, 774921-done@bugs.debian.org, 775380-done@bugs.debian.org, 775603-done@bugs.debian.org, 775664-done@bugs.debian.org, 775825-done@bugs.debian.org, 776095-done@bugs.debian.org, 776734-done@bugs.debian.org, 776781-done@bugs.debian.org, 776884-done@bugs.debian.org, 777046-done@bugs.debian.org, 777047-done@bugs.debian.org, 777372-done@bugs.debian.org, 777553-done@bugs.debian.org, 778622-done@bugs.debian.org, 779083-done@bugs.debian.org, 779622-done@bugs.debian.org, 779926-done@bugs.debian.org, 780191-done@bugs.debian.org, 780471-done@bugs.debian.org, 780798-done@bugs.debian.org, 780924-done@bugs.debian.org, 781281-done@bugs.debian.org, 781406-done@bugs.debian.org, 781542-done@bugs.debian.org, 781885-done@bugs.debian.org, 781965-done@bugs.debian.org, 782042-done@bugs.debian.org, 782165-done@bugs.debian.org, 782409-done@bugs.debian.org, 782600-done@bugs.debian.org, 782663-done@bugs.debian.org, 782848-done@bugs.debian.org, 783659-done@bugs.debian.org, 783749-done@bugs.debian.org, 784102-done@bugs.debian.org, 785155-done@bugs.debian.org, 785348-done@bugs.debian.org, 785735-done@bugs.debian.org, 786691-done@bugs.debian.org, 786830-done@bugs.debian.org, 786919-done@bugs.debian.org, 787076-done@bugs.debian.org, 787403-done@bugs.debian.org, 787933-done@bugs.debian.org, 787947-done@bugs.debian.org, 788064-done@bugs.debian.org, 788242-done@bugs.debian.org, 788558-done@bugs.debian.org, 788664-done@bugs.debian.org, 790692-done@bugs.debian.org, 790940-done@bugs.debian.org, 793028-done@bugs.debian.org, 794962-done@bugs.debian.org, 795166-done@bugs.debian.org, 795892-done@bugs.debian.org, 797079-done@bugs.debian.org, 797213-done@bugs.debian.org

Subject: Closing bugs for 7.9

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 05 Sep 2015 14:33:54 +0100

Message-id: <1441460034.2151.33.camel@adam-barratt.org.uk>
Version: 7.9

Hi,

These bugs relate to updates which were included in the 7.9 point
release.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#777372: marked as done (wheezy-pu: package frogr/0.7-2)
Next by Date: Bug#778622: marked as done (wheezy-pu: package vigor/0.016-19+deb7u1)
Previous by thread: Bug#777372: marked as done (wheezy-pu: package frogr/0.7-2)
Next by thread: Bug#778622: marked as done (wheezy-pu: package vigor/0.016-19+deb7u1)
Index(es):
- Date
- Thread