Stack smashing while using a lot of connections

Bug #1418778 reported by Joe Damato on 2015-02-06
Affects             Status   Importance   Assigned to   Milestone
libfcgi (Ubuntu)             Medium       Unassigned
Precise                      Undecided    Unassigned

Bug Description

The bug described in #933417, which is fixed in Quantal and later, appears to be a security issue, as it can affect server processes and cause a DoS. It would be great to get a patched version in 12.04.

I've taken the patch from #933417 and applied it (with no modifications) against the source package for fcgi in 12.04 and bumped the changelog. I've attached a debdiff of these changes to this report.

Please let me know how I can help to get this accepted.

information type: Private Security → Public Security
Changed in libfcgi (Ubuntu):
assignee: nobody → Ubuntu Security Sponsors Team (ubuntu-security-sponsors)
assignee: Ubuntu Security Sponsors Team (ubuntu-security-sponsors) → nobody
Thomas Ward (teward) wrote :

Note on the debdiff: The wrong bug number is present in the debdiff (the old one). Since that bug is now "fixed" we would be using the new bug number here.

I've attached the same debdiff with a one-line revision to correct the bug number. It still has the original debdiff author's fingerprints all over it; I just made one revision to the debian/changelog.

Thomas Ward (teward) wrote :

Please make a note: I have nominated this bug for the Precise series. When the Precise series is approved on this bug, the status for the development-release (i.e. the 'no series' bug which is implied for the in-development release) should be set to "Fix Released" as this issue has been fixed with the prior bug (#933417) since Quantal. This update here only applies to Precise.

tags: added: precise
Changed in libfcgi (Ubuntu):
importance: Undecided → Medium
Thomas Ward (teward) wrote :

(NOTE: Importance change is done to match the previous bug, #933417. It can be changed at the Security Team's discretion.)

Changed in libfcgi (Ubuntu Precise):
status: New → Confirmed
Changed in libfcgi (Ubuntu):
status: New → Fix Released
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff. Looks good. Uploaded for building with a slight version change, and will be released today.

Thanks!

Changed in libfcgi (Ubuntu Precise):
status: Confirmed → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

Actually, it will be published on Monday, as we don't typically publish updates on Friday.

Kees Cook (kees) wrote :

Today I learned that Apache raises its rlimit for open files to 8192 by default. This is controlled by APACHE_ULIMIT_MAX_FILES.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libfcgi - 2.4.0-8.1ubuntu0.1

---------------
libfcgi (2.4.0-8.1ubuntu0.1) precise-security; urgency=low

  * Applying patch to swap select with poll to handle more than 1024
    connections and avoid data corruption or a segfault. (LP: #1418778).
 -- Joe Damato <email address hidden> Thu, 05 Feb 2015 16:28:53 -0800
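
The changelog above describes the fix as swapping select() for poll(). The following is an added example (not libfcgi's code; the function names are mine) showing why FD_SET() on a descriptor at or above FD_SETSIZE corrupts the stack and how the poll() form has no such limit. It assumes a Linux/glibc host where the soft RLIMIT_NOFILE can be raised, as Kees Cook notes Apache does.

```c
/* Added example, not libfcgi's code: select()'s FD_SETSIZE limit vs. poll(). */
#include <errno.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* FD_SET() has no bounds check: an fd >= FD_SETSIZE (1024 on glibc) writes
 * past the end of the fd_set, which normally lives on the stack. */
int fd_fits_fd_set(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* Pre-patch pattern, guarded so it refuses instead of corrupting memory. */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    if (!fd_fits_fd_set(fd)) { errno = EINVAL; return -1; }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    return select(fd + 1, &rfds, NULL, NULL, &tv);
}

/* Patched pattern: poll() carries the fd as data, so any open fd number
 * works. Returns 1 readable, 0 timeout, -1 error. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&pfd, 1, timeout_ms);
    if (rc <= 0) return rc;
    return (pfd.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

/* Move a pipe's read end to fd FD_SETSIZE+100 (raising the soft RLIMIT_NOFILE
 * first), then check that select() refuses it while poll() sees it readable.
 * Returns 1 on success, -1 if the fd limit could not be raised, 0 otherwise. */
int demo_high_fd(void)
{
    int p[2], high = FD_SETSIZE + 100, rc;
    struct rlimit rl;
    if (pipe(p) != 0) return 0;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur <= (rlim_t)high) {
        rl.rlim_cur = rl.rlim_max < (rlim_t)high + 1 ? rl.rlim_max : (rlim_t)high + 1;
        (void)setrlimit(RLIMIT_NOFILE, &rl);
    }
    if (dup2(p[0], high) < 0) { close(p[0]); close(p[1]); return -1; }
    close(p[0]);
    rc = write(p[1], "x", 1) == 1 && wait_readable_select(high, 0) < 0
         && wait_readable_poll(high, 1000) == 1;
    close(high); close(p[1]);
    return rc;
}
```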

Changed in libfcgi (Ubuntu Precise):
status: Fix Committed → Fix Released