Bug 15808 - fcgi new security issue CVE-2012-6687
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/642646/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-30 19:43 CEST by David Walser
Modified: 2015-05-03 02:20 CEST

See Also:
Source RPM: fcgi-2.4.0-15.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2015-04-30 19:43:08 CEST
Fedora has issued an advisory on February 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156731.html

Apparently I fixed it in Cauldron on February 25.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated fcgi packages fix security vulnerability:

FCGI does not perform range checks for file descriptors before use of the
FD_SET macro.  This FD_SET macro could allow for more than 1024 total file
descriptors to be monitored in the closing state. This may allow remote
attackers to cause a denial of service (stack memory corruption, and infinite
loop or daemon crash) by opening many socket connections to the host and
crashing the service (CVE-2012-6687).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6687
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/156731.html
========================

Updated packages in core/updates_testing:
========================
fcgi-2.4.0-15.1.mga4
libfcgi0-2.4.0-15.1.mga4
libfcgi-devel-2.4.0-15.1.mga4

from fcgi-2.4.0-15.1.mga4.src.rpm

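The missing range check the advisory describes, as an added example (not the fcgi patch and not code from this bug report): `FD_SET` on a descriptor at or above `FD_SETSIZE` writes outside the `fd_set`, so the descriptor is checked first and `poll()`, which has no such limit, is used when it does not fit. The function names `safe_fd_set`, `wait_readable_poll` and `wait_readable` are hypothetical.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Add fd to set only if an fd_set can hold it.
 * FD_SET with fd < 0 or fd >= FD_SETSIZE writes outside the fd_set. */
static int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Wait with poll(), which is not bounded by FD_SETSIZE.
 * Returns 1 if readable, 0 on timeout, -1 on error. */
static int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int n = poll(&p, 1, timeout_ms);
    if (n <= 0)
        return n;
    return (p.revents & (POLLIN | POLLHUP)) ? 1 : -1;
}

/* Use select() when the descriptor fits, otherwise fall back to poll(). */
static int wait_readable(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };

    if (fd < 0)
        return -1;
    FD_ZERO(&rfds);
    if (safe_fd_set(fd, &rfds) != 0)      /* too large for an fd_set */
        return wait_readable_poll(fd, timeout_ms);
    int n = select(fd + 1, &rfds, NULL, NULL, &tv);
    return n > 0 ? (FD_ISSET(fd, &rfds) != 0) : n;
}

int main(void)
{
    fd_set s;
    FD_ZERO(&s);
    /* FD_SETSIZE is the first out-of-range value; expected result is -1. */
    printf("safe_fd_set(%d) = %d\n", FD_SETSIZE, safe_fd_set(FD_SETSIZE, &s));
    return 0;
}
```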
Comment 1 Herman Viaene 2015-05-01 11:06:48 CEST
MGA4-32 on Acer D620 Xfce.
No installation issues.
Repeated test as per bug1449 Comment 1
at CLI as root

> httpd -M | grep fcgid
 fcgid_module (shared)

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK

Comment 2 Herman Viaene 2015-05-01 11:19:40 CEST
MGA4-64 on HP Probook 6555b KDE
No installation issues.
I had to install apache-mod_fcgid and then had the same result as per Comment 1.

Whiteboard: MGA4-32-OK => MGA4-64-OK MGA4-32-OK

Comment 3 claire robinson 2015-05-02 12:38:52 CEST
Neither fcgi nor libfcgi0 is actually required by apache-mod_fcgid, surprisingly.

$ urpmq --requires apache-mod_fcgid
apache
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3)(64bit)
libc.so.6(GLIBC_2.4)(64bit)

Confirmed the patch was applied though and as there are no installation issues and we're short on time we can go with it.

It could be more thoroughly tested with mapserver the next time it's updated.
https://bugs.mageia.org/show_bug.cgi?id=7061#c3

$ urpmq --whatrequires fcgi
fcgi
$ urpmq --whatrequires lib64fcgi0
clisp
fcgi
lib64fcgi-devel
lib64fcgi0
mapserver
mapserver
ruby-fcgi



Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-05-03 02:20:24 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0184.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

