Acknowledgement sent
to Clint Byrum <clint@fewbar.com>:
New Bug report received and forwarded. Copy sent to Tatsuki Sugiura <sugi@nemui.org>.
(Sat, 14 Jul 2012 15:12:04 GMT) (full text, mbox, link).
Package: libfcgi0ldbl
Version: 2.4.0-8.1
Severity: normal
Tags: patch
This bug was originally reported in Ubuntu:
https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417
--- BEGIN UBUNTU BUG DESCRIPTION ---
libfcgi uses select syscall, when some applications tryes to use more than 1024 connections from web-server it crashes. There is a solutions for this problem: use poll in os_unix.c instead of select. Patch with this change is attached to this bug. This patch was written in Yandex and successfully used for a several months.
LIBFCGI_OS_CLOSE_POLL_TIMEOUT and LIBFCGI_IS_AF_UNIX_KEEPER_POLL_TIMEOUT environment variables are added to control poll timeouts in Os_Close and is_af_unix_keeper functions accordingly.
$ lsb_release -rd
Description: Ubuntu 10.04.2 LTS
Release: 10.04
--- END UBUNTU BUG DESCRIPTION ---
I will attach the patch as well. I am not sure how to forward it to
upstream, as their developer information seems fairly sparse and hard
to find.
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise'), (100, 'precise-backports')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-26-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libfcgi0ldbl depends on:
ii libc6 2.15-0ubuntu10
ii libgcc1 1:4.6.3-1ubuntu5
ii libstdc++6 4.6.3-1ubuntu5
libfcgi0ldbl recommends no packages.
libfcgi0ldbl suggests no packages.
-- no debconf information
Source: libfcgi
Source-Version: 2.4.0-8.3
We believe that the bug you reported is fixed in the latest version of
libfcgi, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 681591@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated libfcgi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 08 Aug 2014 12:41:22 +0200
Source: libfcgi
Binary: libfcgi-dev libfcgi0ldbl
Architecture: source amd64
Version: 2.4.0-8.3
Distribution: unstable
Urgency: medium
Maintainer: Tatsuki Sugiura <sugi@nemui.org>
Changed-By: Matthias Klose <doko@debian.org>
Description:
libfcgi-dev - Header files of FastCGI
libfcgi0ldbl - Shared library of FastCGI
Closes: 633182681591
Changes:
libfcgi (2.4.0-8.3) unstable; urgency=medium
.
* Non-maintainer upload.
.
[ James Page ]
* d/patches/fix_compiler_warnings.patch: Fixup misc complier warnings
in the codebase.
* d/libfcgi0ldbl.manpages,rules: Don't install manpage using rules file.
* d/libfcgi0ldbl.docs: Rationalized to prevent duplicate install of docs.
* d/dirs: Dropped - not actually required and generates linitan warning.
* d/control,rules: Drop use of quilt dh addon as this is provided by
debhelper.
* d/control: Bumped Standards-Version to 3.9.5:
- d/copyright: Converted to machine readable format.
.
[ Clint Byrum ]
* Applying patch to use poll instead of select which helps handle
more than 1024 connections. (LP: #933417). Thanks Anton Kortunov!
Closes: #681591.
.
[ Matthias Klose ]
* Build with hardening defaults.
* d/rules: Stop install .la files. Closes: #633182.
Checksums-Sha1:
5b0de3106d05c283f387528f4695aecc3d3bb89d 1174 libfcgi_2.4.0-8.3.dsc
a860ce3dd5ae1605d8b50aafcf22ff39a6a334bd 8060 libfcgi_2.4.0-8.3.debian.tar.xz
9a5005fd22d50230b603ee217fa2b1a5f2cfa4f1 31486 libfcgi-dev_2.4.0-8.3_amd64.deb
97bace525879a4920a3e4efed5c6b16c6a455d7f 161158 libfcgi0ldbl_2.4.0-8.3_amd64.deb
Checksums-Sha256:
2b8578c9f0f7be511ddcc1c50766763d9aff49d704efd0130ec0df1aa72b2772 1174 libfcgi_2.4.0-8.3.dsc
d3c9b406246371ddd6082e35e46595243fc7ef9594d89bbd7818fdee73377518 8060 libfcgi_2.4.0-8.3.debian.tar.xz
c15185426cafca3f2e65cb9ecae4b32f453c78349ae3322d263c1fa3efec1bfb 31486 libfcgi-dev_2.4.0-8.3_amd64.deb
5685d73e10dfa470fd7527dd013d62e9834aebfd14cdf61f13638e4b2f79c831 161158 libfcgi0ldbl_2.4.0-8.3_amd64.deb
Files:
91e738ce284aa6fb191e1f3355aab714 31486 libdevel optional libfcgi-dev_2.4.0-8.3_amd64.deb
2d52e4de71702b1368f09081835a2732 161158 libs optional libfcgi0ldbl_2.4.0-8.3_amd64.deb
fc322ae24106d2e32652bc51d4803a87 1174 libs optional libfcgi_2.4.0-8.3.dsc
b600be3e7e031485c7381cf9f80538cc 8060 libs optional libfcgi_2.4.0-8.3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlPkr6YACgkQStlRaw+TLJwAYwCgsMJGtjvyInnH7Q0b9Kpp1GUV
4kcAoJwCHmiKJ+DmjEhN239NDvt0VDTK
=Voyg
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 11 Sep 2014 07:44:29 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 06 Feb 2015 13:12:11 GMT) (full text, mbox, link).
Added tag(s) upstream and security.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 06 Feb 2015 13:12:12 GMT) (full text, mbox, link).
Changed Bug title to 'libfcgi: CVE-2012-6687: Stack smashing while using a lot of connections' from 'libfcgi0ldbl: Stack smashing while using a lot of connections'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 07 Feb 2015 13:09:05 GMT) (full text, mbox, link).
Reply sent
to Joe Damato <joe@packagecloud.io>:
You have taken responsibility.
(Sat, 21 Feb 2015 22:18:20 GMT) (full text, mbox, link).
Notification sent
to Clint Byrum <clint@fewbar.com>:
Bug acknowledged by developer.
(Sat, 21 Feb 2015 22:18:20 GMT) (full text, mbox, link).
Subject: Bug#681591: fixed in libfcgi 2.4.0-8.1+deb7u1
Date: Sat, 21 Feb 2015 22:17:05 +0000
Source: libfcgi
Source-Version: 2.4.0-8.1+deb7u1
We believe that the bug you reported is fixed in the latest version of
libfcgi, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 681591@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joe Damato <joe@packagecloud.io> (supplier of updated libfcgi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 09 Feb 2015 19:31:23 -0800
Source: libfcgi
Binary: libfcgi-dev libfcgi0ldbl
Architecture: source amd64
Version: 2.4.0-8.1+deb7u1
Distribution: wheezy
Urgency: low
Maintainer: Tatsuki Sugiura <sugi@nemui.org>
Changed-By: Joe Damato <joe@packagecloud.io>
Description:
libfcgi-dev - Header files of FastCGI
libfcgi0ldbl - Shared library of FastCGI
Closes: 681591
Changes:
libfcgi (2.4.0-8.1+deb7u1) wheezy; urgency=low
.
* Non-maintainer upload.
* CVE-2012-6687: Apply path from Anton Kortunov to swap select with poll to
avoid stack smashing. Closes: #681591.
Checksums-Sha1:
14e469fcda244e4351d783f227bcdff57198da95 1843 libfcgi_2.4.0-8.1+deb7u1.dsc
b5f1059aa296a95d9e19edf8f7fe1bcaacb3836a 417129 libfcgi_2.4.0-8.1+deb7u1.debian.tar.gz
60560baec61835673ccb70ea0f2b40c2abe0b37c 37624 libfcgi-dev_2.4.0-8.1+deb7u1_amd64.deb
8e64e99fb19c4d8488a189bb43374fea70bfdcc5 285552 libfcgi0ldbl_2.4.0-8.1+deb7u1_amd64.deb
Checksums-Sha256:
9d5dd77aa03fe384b46826c5d4a70b10a8587433aeb995d417055a3448d52cb4 1843 libfcgi_2.4.0-8.1+deb7u1.dsc
62ce0b8a4daef499412e39dcdc9e2d930d160ad75a49162a89f5467231fe5dda 417129 libfcgi_2.4.0-8.1+deb7u1.debian.tar.gz
d81a102e429fdc066a66ac7b032636da252ae440bb145bd076951e92c4023907 37624 libfcgi-dev_2.4.0-8.1+deb7u1_amd64.deb
bd2e7ce0b26a2b050c3bcaa2ce870acecaac7b9197c648baad298e93b75fb332 285552 libfcgi0ldbl_2.4.0-8.1+deb7u1_amd64.deb
Files:
7eb3f2b891cb4a2e29c2a366518ab39f 1843 libs optional libfcgi_2.4.0-8.1+deb7u1.dsc
6579b2c9a2d4eda929903e1336c2a4c9 417129 libs optional libfcgi_2.4.0-8.1+deb7u1.debian.tar.gz
3556cc905aeb4c5c43e8f2f5b9125ddf 37624 libdevel optional libfcgi-dev_2.4.0-8.1+deb7u1_amd64.deb
a4edaff6960975d12e9f0661f50c5e20 285552 libs optional libfcgi0ldbl_2.4.0-8.1+deb7u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCgAGBQJU5W4YAAoJEAVMuPMTQ89ENuoP/jZzmLInHwyTwrq0oqJPSHLW
OtBDGufahb9gPNXAH/8Fndsl9n4+wF0LKpo2JVNoBm3uXsvW6IGxuogw0GXP92xR
0rbgXeZT8xxMuyme2qo3Nh4mPFPgSGLHJpioNILquC5L9l4meesm3x4HNzfTGVHb
fmn/CWv0S4Kkgh4kKTLhUY+HSPakoWo7HpTxP9IKuJaSh0zwgPaVjO3xoq28gbob
CfpHErnZuTMJHYfEQmq16WB7yxFthmyQ9HK+/1asBvKYcwFcDQ+7uingaBcXIFaL
4ilXYy0sWUFgDoqdFdL16oU0buRaWttE5FpPattUZXVWnmBkHLoBcbFYCaOlelwD
LZdAi1dgWFzGosi4IpFm7Ibtoi8cZYosei/oQ3PZ9UXUb/NwEeR+Ki29gyXFRUMp
DGAi1lQOhW+KT+WQ+gRjNoyNiGZ6cR9MmMDq2qQDv7fwqxYjyJLbydu+SfpZsjxb
kwJ/4TUP42zkD8GAMiK5RqVYozURlC83zSQhpXZTjOl1tSN8P0eAa4HwIakWOd/N
gjr3uM4lGJ4eH17nbkFrVcbzE64ZxH+irBEZksTIIJRNjRCX9AWIWnfuliTjYSHT
a+9yExfuV8kpvbD0SSVUPza4WJ3RQz2642ASbVg27mzYRCdf6XfQ3RbdZ2lBS16n
1tEnKiUu+aRreVKxN7LL
=ZGuB
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 22 Mar 2015 07:29:13 GMT) (full text, mbox, link).
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.