Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 385489 (CVE-2011-2766) - <dev-perl/FCGI-0.740.0 CGI::Fast API Environment Variables Security Bypass (CVE-2011-2766)
Summary: <dev-perl/FCGI-0.740.0 CGI::Fast API Environment Variables Security Bypass (C...
Status: RESOLVED FIXED
Alias: CVE-2011-2766
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46263/
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 412999
Blocks:
  Show dependency tree
 
Reported: 2011-10-03 12:08 UTC by Agostino Sarubbo
Modified: 2013-12-11 01:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-10-03 12:08:36 UTC 
Description:
The security issue is caused due to the CGI::Fast API not properly resetting environment variables, which can be exploited to leak information (e.g. authentication credentials) from the second request into subsequent requests, if the first request had an empty environment.

Note: Successful exploitation requires that the deprecated CGI::Fast API is used.

The security issue is reported in versions 0.7x prior to 0.74.

Solution:
Update to version 0.74.
Comment 1 Agostino Sarubbo gentoo-dev 2011-10-03 13:46:49 UTC 
@Maintaner:

The fixed version is already in tree, can we go to stabilize it?
=dev-perl/FCGI-0.740.0
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:41:26 UTC 
CVE-2011-2766 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2766):
  The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by
  CGI::Fast, uses environment variable values from one request during
  processing of a later request, which allows remote attackers to bypass
  authentication via crafted HTTP headers.
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-07-20 18:19:40 UTC 
@ago, it is is already stable in bug #412999
Comment 4 Sergey Popov gentoo-dev 2013-08-22 09:47:21 UTC 
GLSA vote: no
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-11 01:35:23 UTC 
GLSA vote: no. Closing noglsa.