Bug 15808

Summary: fcgi new security issue CVE-2012-6687
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/642646/
Whiteboard: has_procedure advisory MGA4-64-OK MGA4-32-OK
Source RPM: fcgi-2.4.0-15.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-04-30 19:43:08 CEST 
Fedora has issued an advisory on February 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156731.html

Apparently I fixed it in Cauldron on February 25.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated fcgi packages fix security vulnerability:

FCGI does not perform range checks for file descriptors before use of the
FD_SET macro.  This FD_SET macro could allow for more than 1024 total file
descriptors to be monitored in the closing state. This may allow remote
attackers to cause a denial of service (stack memory corruption, and infinite
loop or daemon crash) by opening many socket connections to the host and
crashing the service (CVE-2012-6687).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6687
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156731.html
========================

Updated packages in core/updates_testing:
========================
fcgi-2.4.0-15.1.mga4
libfcgi0-2.4.0-15.1.mga4
libfcgi-devel-2.4.0-15.1.mga4

from fcgi-2.4.0-15.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Herman Viaene 2015-05-01 11:06:48 CEST 
MGA4-32 on Acer D620 Xfce.
No installation issues.
Repeated test as per bug1449 Comment 1
at CLI as root

> httpd -M | grep fcgid
 fcgid_module (shared)

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK

Comment 2 Herman Viaene 2015-05-01 11:19:40 CEST 
MGA4-64 on HP Probook 6555b KDE
No installation issues.
I had to install apache-mod_fcgid and then had same result as per Comment 1 .

Whiteboard: MGA4-32-OK => MGA4-64-OK MGA4-32-OK

Comment 3 claire robinson 2015-05-02 12:38:52 CEST 
Neither fcgi or libfcgi0 are not actually required by apache-mod_fcgid surprisingly.

$ urpmq --requires apache-mod_fcgid
apache
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3)(64bit)
libc.so.6(GLIBC_2.4)(64bit)

Confirmed the patch was applied though and as there are no installation issues and we're short on time we can go with it.

It could be more thoroughly tested with mapserver the next time it's updated.
https://bugs.mageia.org/show_bug.cgi?id=7061#c3

$ urpmq --whatrequires fcgi
fcgi
$ urpmq --whatrequires lib64fcgi0
clisp
fcgi
lib64fcgi-devel
lib64fcgi0
mapserver
mapserver
ruby-fcgi



Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-05-03 02:20:24 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0184.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED