Bug#1111835: marked as done (bookworm-pu: package libfcgi/2.4.2-2+deb12u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1111835,
regarding bookworm-pu: package libfcgi/2.4.2-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1111835: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111835
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: bookworm-pu: package libfcgi/2.4.2-2+deb12u1
• From: Moritz Muehlenhoff <jmm@debian.org>
• Date: Fri, 22 Aug 2025 18:47:24 +0200
• Message-id: <175588124491.75771.16940640241502070439.reportbug@soju.westfalen.local>

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libfcgi@packages.debian.org
Control: affects -1 + src:libfcgi
User: release.debian.org@packages.debian.org
Usertags: pu

Low impact security issue, debdiff below.

Cheers,
        Moritz

diff -Nru libfcgi-2.4.2/debian/changelog libfcgi-2.4.2/debian/changelog
--- libfcgi-2.4.2/debian/changelog	2020-01-01 01:00:01.000000000 +0100
+++ libfcgi-2.4.2/debian/changelog	2025-05-26 20:18:11.000000000 +0200
@@ -1,3 +1,9 @@
+libfcgi (2.4.2-2+deb12u1) bookworm; urgency=medium
+
+  * CVE-2025-23016 (Closes: #1092774)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Mon, 26 May 2025 20:18:11 +0200
+
 libfcgi (2.4.2-2) unstable; urgency=medium
 
   * Move to unstable: no changes required.
diff -Nru libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch
--- libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch	1970-01-01 01:00:00.000000000 +0100
+++ libfcgi-2.4.2/debian/patches/CVE-2025-23016.patch	2025-05-26 20:18:05.000000000 +0200
@@ -0,0 +1,29 @@
+From b0eabcaf4d4f371514891a52115c746815c2ff15 Mon Sep 17 00:00:00 2001
+From: Pycatchown <39068868+Pycatchown@users.noreply.github.com>
+Date: Tue, 8 Apr 2025 17:39:30 +0200
+Subject: [PATCH] Update fcgiapp.c
+
+--- libfcgi-2.4.2.orig/libfcgi/fcgiapp.c
++++ libfcgi-2.4.2/libfcgi/fcgiapp.c
+@@ -1173,6 +1173,10 @@ static int ReadParams(Params *paramsPtr,
+ 	    }
+             nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
++	    if (nameLen >= INT_MAX) {
++                SetError(stream, FCGX_PARAMS_ERROR);
++                return -1;
++	    }
+         }
+         if((valueLen = FCGX_GetChar(stream)) == EOF) {
+             SetError(stream, FCGX_PARAMS_ERROR);
+@@ -1185,6 +1189,10 @@ static int ReadParams(Params *paramsPtr,
+ 	    }
+             valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16)
+                     + (lenBuff[1] << 8) + lenBuff[2];
++	    if (valueLen >= INT_MAX) {
++                SetError(stream, FCGX_PARAMS_ERROR);
++                return -1;
++	    }
+         }
+         /*
+          * nameLen and valueLen are now valid; read the name and value
diff -Nru libfcgi-2.4.2/debian/patches/series libfcgi-2.4.2/debian/patches/series
--- libfcgi-2.4.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libfcgi-2.4.2/debian/patches/series	2025-05-26 20:17:51.000000000 +0200
@@ -0,0 +1 @@
+CVE-2025-23016.patch

--- End Message ---

--- Begin Message ---

• To: 1086622-done@bugs.debian.org, 1098225-done@bugs.debian.org, 1098229-done@bugs.debian.org, 1098783-done@bugs.debian.org, 1100607-done@bugs.debian.org, 1100960-done@bugs.debian.org, 1101144-done@bugs.debian.org, 1102091-done@bugs.debian.org, 1102675-done@bugs.debian.org, 1102752-done@bugs.debian.org, 1103926-done@bugs.debian.org, 1103927-done@bugs.debian.org, 1104028-done@bugs.debian.org, 1104154-done@bugs.debian.org, 1104821-done@bugs.debian.org, 1104874-done@bugs.debian.org, 1104882-done@bugs.debian.org, 1105009-done@bugs.debian.org, 1105113-done@bugs.debian.org, 1105816-done@bugs.debian.org, 1105888-done@bugs.debian.org, 1105957-done@bugs.debian.org, 1105971-done@bugs.debian.org, 1105996-done@bugs.debian.org, 1106300-done@bugs.debian.org, 1106328-done@bugs.debian.org, 1106348-done@bugs.debian.org, 1106536-done@bugs.debian.org, 1106721-done@bugs.debian.org, 1106756-done@bugs.debian.org, 1106761-done@bugs.debian.org, 1106867-done@bugs.debian.org, 1107069-done@bugs.debian.org, 1107116-done@bugs.debian.org, 1107147-done@bugs.debian.org, 1107217-done@bugs.debian.org, 1107252-done@bugs.debian.org, 1107253-done@bugs.debian.org, 1107568-done@bugs.debian.org, 1107852-done@bugs.debian.org, 1107902-done@bugs.debian.org, 1108122-done@bugs.debian.org, 1108127-done@bugs.debian.org, 1108137-done@bugs.debian.org, 1108185-done@bugs.debian.org, 1108308-done@bugs.debian.org, 1108353-done@bugs.debian.org, 1108504-done@bugs.debian.org, 1108508-done@bugs.debian.org, 1108543-done@bugs.debian.org, 1108548-done@bugs.debian.org, 1108921-done@bugs.debian.org, 1109012-done@bugs.debian.org, 1109034-done@bugs.debian.org, 1109084-done@bugs.debian.org, 1109087-done@bugs.debian.org, 1109095-done@bugs.debian.org, 1109127-done@bugs.debian.org, 1109147-done@bugs.debian.org, 1109207-done@bugs.debian.org, 1109545-done@bugs.debian.org, 1109611-done@bugs.debian.org, 1109763-done@bugs.debian.org, 1109819-done@bugs.debian.org, 1109943-done@bugs.debian.org, 1109945-done@bugs.debian.org, 1109947-done@bugs.debian.org, 1109995-done@bugs.debian.org, 1110034-done@bugs.debian.org, 1110080-done@bugs.debian.org, 1110114-done@bugs.debian.org, 1110340-done@bugs.debian.org, 1110489-done@bugs.debian.org, 1110643-done@bugs.debian.org, 1110686-done@bugs.debian.org, 1110813-done@bugs.debian.org, 1111034-done@bugs.debian.org, 1111076-done@bugs.debian.org, 1111426-done@bugs.debian.org, 1111486-done@bugs.debian.org, 1111600-done@bugs.debian.org, 1111607-done@bugs.debian.org, 1111653-done@bugs.debian.org, 1111666-done@bugs.debian.org, 1111835-done@bugs.debian.org, 1111859-done@bugs.debian.org, 1111924-done@bugs.debian.org, 1111959-done@bugs.debian.org, 1111966-done@bugs.debian.org, 1111969-done@bugs.debian.org, 1111987-done@bugs.debian.org, 1111989-done@bugs.debian.org, 1112039-done@bugs.debian.org, 1112053-done@bugs.debian.org, 1112070-done@bugs.debian.org, 1112074-done@bugs.debian.org, 1112124-done@bugs.debian.org, 1112129-done@bugs.debian.org, 1112141-done@bugs.debian.org, 1112195-done@bugs.debian.org, 1112239-done@bugs.debian.org, 1112252-done@bugs.debian.org, 1112340-done@bugs.debian.org, 1112347-done@bugs.debian.org, 1112368-done@bugs.debian.org, 1112449-done@bugs.debian.org, 1112459-done@bugs.debian.org, 1112467-done@bugs.debian.org, 1112542-done@bugs.debian.org
• Subject: Closing p-u requests for fixes included in 12.12
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 06 Sep 2025 12:14:50 +0100
• Message-id: <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>

Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---