Bug#1111835: bookworm-pu: package libfcgi/2.4.2-2+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libfcgi@packages.debian.org
Control: affects -1 + src:libfcgi
User: release.debian.org@packages.debian.org
Usertags: pu
Low impact security issue, debdiff below.
Cheers,
Moritz
diff -Nru libfcgi-2.4.2/debian/changelog libfcgi-2.4.2/debian/changelog
--- libfcgi-2.4.2/debian/changelog 2020-01-01 01:00:01.000000000 +0100
+++ libfcgi-2.4.2/debian/changelog 2025-05-26 20:18:11.000000000 +0200
@@ -1,3 +1,9 @@
+libfcgi (2.4.2-2+deb12u1) bookworm; urgency=medium
+
+ * CVE-2025-23016 (Closes: #1092774)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Mon, 26 May 2025 20:18:11 +0200
+
libfcgi (2.4.2-2) unstable; urgency=medium
* Move to unstable: no changes required.
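Review bot: the changelog entry names only the CVE and the bug it closes; a stable update entry should also say what changed, so a user reading apt-listchanges does not have to look the CVE up. Something like "CVE-2025-23016: reject FastCGI parameter name/value lengths of INT_MAX or more in ReadParams (fcgiapp.c)" reflects what the added patch actually does (Closes: #1092774).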
diff -Nru libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch
--- libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch 1970-01-01 01:00:00.000000000 +0100
+++ libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch 2025-05-26 20:18:05.000000000 +0200
@@ -0,0 +1,29 @@
+From b0eabcaf4d4f371514891a52115c746815c2ff15 Mon Sep 17 00:00:00 2001
+From: Pycatchown <39068868+Pycatchown@users.noreply.github.com>
+Date: Tue, 8 Apr 2025 17:39:30 +0200
+Subject: [PATCH] Update fcgiapp.c
+
+--- libfcgi-2.4.2.orig/libfcgi/fcgiapp.c
++++ libfcgi-2.4.2/libfcgi/fcgiapp.c
+@@ -1173,6 +1173,10 @@ static int ReadParams(Params *paramsPtr,
+ }
+ nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+ + (lenBuff[1] << 8) + lenBuff[2];
++ if (nameLen >= INT_MAX) {
++ SetError(stream, FCGX_PARAMS_ERROR);
++ return -1;
++ }
+ }
+ if((valueLen = FCGX_GetChar(stream)) == EOF) {
+ SetError(stream, FCGX_PARAMS_ERROR);
+@@ -1185,6 +1189,10 @@ static int ReadParams(Params *paramsPtr,
+ }
+ valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+ + (lenBuff[1] << 8) + lenBuff[2];
++ if (valueLen >= INT_MAX) {
++ SetError(stream, FCGX_PARAMS_ERROR);
++ return -1;
++ }
+ }
+ /*
+ * nameLen and valueLen are now valid; read the name and value
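Review bot: the new checks `if (nameLen >= INT_MAX)` and `if (valueLen >= INT_MAX)` are very weak bounds: the preceding computation `((nameLen & 0x7f) << 24) + (lenBuff[0] << 16) + (lenBuff[1] << 8) + lenBuff[2]` can never exceed 0x7fffffff, i.e. INT_MAX itself, so each check rejects exactly one value and any length just below it still passes; whether that is enough depends on how nameLen + valueLen is used after this point (not in the hunk), so either confirm that the later allocation and read cannot overflow with lengths near INT_MAX, or use a tighter sanity limit on parameter sizes if upstream accepts one. Also confirm fcgiapp.c already includes <limits.h> (the hunk adds no include, so the build will fail otherwise), and give the patch DEP-3 headers: an Origin: line citing upstream commit b0eabcaf4d4f371514891a52115c746815c2ff15 and Bug-Debian: https://bugs.debian.org/1092774, so the provenance of the fix is recorded in the patch itself rather than only in the git From: line.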
diff -Nru libfcgi-2.4.2/debian/patches/series libfcgi-2.4.2/debian/patches/series
--- libfcgi-2.4.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libfcgi-2.4.2/debian/patches/series 2025-05-26 20:17:51.000000000 +0200
@@ -0,0 +1 @@
+CVE-2025-23016.patch