Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 539164 (CVE-2012-6687) - <dev-libs/fcgi-2.4.1_pre0910052249-r2: numerous connections cause segfault DoS (CVE-2012-6687)
Summary: <dev-libs/fcgi-2.4.1_pre0910052249-r2: numerous connections cause segfault Do...
Status: RESOLVED FIXED
Alias: CVE-2012-6687
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2015/q1/440
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-06 22:35 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-06-17 17:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-06 22:35:29 UTC
From ${URL}:
Hi,

there appears to be at least a denial-of-service vulnerability in fcgi:
https://bugzilla.redhat.com/show_bug.cgi?id=1189958

Can someone pleas assign a CVE id to this, to make sure that other
distributions notice this problem as well.

Unfortunately it looks like fastcgi upstream now died, as their mailing
list is not reachable anymore:
http://mailman.fastcgi.com/mailman/listinfo/fastcgi-developers

So if someone knows how to contact them, please forward them this
information.

Regards
Till Maas

- --
From https://bugzilla.redhat.com/show_bug.cgi?id=1190294:
It is reported that fcgi will segmentation fault when 1000 connections are 
established due to use of select() rather than poll().

External references:
https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591
Comment 1 Rafael Martins (RETIRED) gentoo-dev 2015-02-06 23:38:12 UTC
working on it
Comment 2 Rafael Martins (RETIRED) gentoo-dev 2015-02-07 00:04:10 UTC
The patch provided does not applies cleanly to our version of fcgi (it is a snapshot). I ported it and revbumped to =dev-libs/fcgi-2.4.1_pre0910052249-r2.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-07 15:07:31 UTC
(In reply to Rafael Martins from comment #2)
> The patch provided does not applies cleanly to our version of fcgi (it is a
> snapshot). I ported it and revbumped to
> =dev-libs/fcgi-2.4.1_pre0910052249-r2.

Thanks. Is it ready for stabilization?
Comment 4 Rafael Martins (RETIRED) gentoo-dev 2015-02-07 21:14:16 UTC
(In reply to Kristian Fiskerstrand from comment #3)
> (In reply to Rafael Martins from comment #2)
> > The patch provided does not applies cleanly to our version of fcgi (it is a
> > snapshot). I ported it and revbumped to
> > =dev-libs/fcgi-2.4.1_pre0910052249-r2.
> 
> Thanks. Is it ready for stabilization?

i think so
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-07 21:16:33 UTC
Arches, please stabilize: 

=dev-libs/fcgi-2.4.1_pre0910052249-r2
Stable arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Agostino Sarubbo gentoo-dev 2015-02-08 09:38:06 UTC
amd64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-08 14:15:05 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-15 15:08:51 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-16 10:24:13 UTC
sparc stable
Comment 10 Markus Meier gentoo-dev 2015-02-17 21:06:46 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-02-18 08:53:08 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-02-18 09:18:33 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-02-23 11:38:45 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-02-24 10:58:56 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-02-25 04:30:46 UTC
Arches, Thank you for your work.
First Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 16 Rafael Martins (RETIRED) gentoo-dev 2015-02-25 04:41:24 UTC
vulnerable ebuild removed. thanks
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-03-07 06:40:37 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 18 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-18 18:00:41 UTC
GLSA vote: no.

Closing as [noglsa]
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2015-06-17 17:33:14 UTC
CVE-2012-6687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6687):
  FastCGI (aka fcgi and libfcgi) 2.4.0 allows remote attackers to cause a
  denial of service (segmentation fault and crash) via a large number of
  connections.