539164 – (CVE-2012-6687) <dev-libs/fcgi-2.4.1_pre0910052249-r2: numerous connections cause segfault DoS (CVE-2012-6687)

Bug 539164 (CVE-2012-6687) - <dev-libs/fcgi-2.4.1_pre0910052249-r2: numerous connections cause segfault DoS (CVE-2012-6687)

Summary: <dev-libs/fcgi-2.4.1_pre0910052249-r2: numerous connections cause segfault Do...

Status:	RESOLVED FIXED

Alias:	CVE-2012-6687

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	http://seclists.org/oss-sec/2015/q1/440
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-02-06 22:35 UTC by Kristian Fiskerstrand (RETIRED)
Modified:	2015-06-17 17:33 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kristian Fiskerstrand (RETIRED) gentoo-dev

2015-02-06 22:35:29 UTC

From ${URL}:
Hi,

there appears to be at least a denial-of-service vulnerability in fcgi:
https://bugzilla.redhat.com/show_bug.cgi?id=1189958

Can someone pleas assign a CVE id to this, to make sure that other
distributions notice this problem as well.

Unfortunately it looks like fastcgi upstream now died, as their mailing
list is not reachable anymore:
http://mailman.fastcgi.com/mailman/listinfo/fastcgi-developers

So if someone knows how to contact them, please forward them this
information.

Regards
Till Maas

- --
From https://bugzilla.redhat.com/show_bug.cgi?id=1190294:
It is reported that fcgi will segmentation fault when 1000 connections are 
established due to use of select() rather than poll().

External references:
https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681591

Comment 1 Rafael Martins (RETIRED) gentoo-dev

2015-02-06 23:38:12 UTC

working on it

Comment 2 Rafael Martins (RETIRED) gentoo-dev

2015-02-07 00:04:10 UTC

The patch provided does not applies cleanly to our version of fcgi (it is a snapshot). I ported it and revbumped to =dev-libs/fcgi-2.4.1_pre0910052249-r2.

Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev

2015-02-07 15:07:31 UTC

(In reply to Rafael Martins from comment #2)
> The patch provided does not applies cleanly to our version of fcgi (it is a
> snapshot). I ported it and revbumped to
> =dev-libs/fcgi-2.4.1_pre0910052249-r2.

Thanks. Is it ready for stabilization?

Comment 4 Rafael Martins (RETIRED) gentoo-dev

2015-02-07 21:14:16 UTC

(In reply to Kristian Fiskerstrand from comment #3)
> (In reply to Rafael Martins from comment #2)
> > The patch provided does not applies cleanly to our version of fcgi (it is a
> > snapshot). I ported it and revbumped to
> > =dev-libs/fcgi-2.4.1_pre0910052249-r2.
> 
> Thanks. Is it ready for stabilization?

i think so

Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev

2015-02-07 21:16:33 UTC

Arches, please stabilize: 

=dev-libs/fcgi-2.4.1_pre0910052249-r2
Stable arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Comment 6 Agostino Sarubbo gentoo-dev

2015-02-08 09:38:06 UTC

amd64 stable

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2015-02-08 14:15:05 UTC

Stable for HPPA.

Comment 8 Agostino Sarubbo gentoo-dev

2015-02-15 15:08:51 UTC

x86 stable

Comment 9 Agostino Sarubbo gentoo-dev

2015-02-16 10:24:13 UTC

sparc stable

Comment 10 Markus Meier gentoo-dev

2015-02-17 21:06:46 UTC

arm stable

Comment 11 Agostino Sarubbo gentoo-dev

2015-02-18 08:53:08 UTC

ppc64 stable

Comment 12 Agostino Sarubbo gentoo-dev

2015-02-18 09:18:33 UTC

ppc stable

Comment 13 Agostino Sarubbo gentoo-dev

2015-02-23 11:38:45 UTC

ia64 stable

Comment 14 Agostino Sarubbo gentoo-dev

2015-02-24 10:58:56 UTC

alpha stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 15 Yury German Gentoo Infrastructure

2015-02-25 04:30:46 UTC

Arches, Thank you for your work.
First Vote: No

Maintainer(s), please drop the vulnerable version(s).

Comment 16 Rafael Martins (RETIRED) gentoo-dev

2015-02-25 04:41:24 UTC

vulnerable ebuild removed. thanks

Comment 17 Yury German Gentoo Infrastructure

2015-03-07 06:40:37 UTC

Arches and Maintainer(s), Thank you for your work.

Comment 18 Mikle Kolyada (RETIRED) archtester

2015-03-18 18:00:41 UTC

GLSA vote: no.

Closing as [noglsa]

Comment 19 GLSAMaker/CVETool Bot gentoo-dev

2015-06-17 17:33:14 UTC

CVE-2012-6687 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6687):
  FastCGI (aka fcgi and libfcgi) 2.4.0 allows remote attackers to cause a
  denial of service (segmentation fault and crash) via a large number of
  connections.