Forum: >>> Magnum BBS <<<

Bug#1092774: libfcgi: CVE-2025-23016

From Chris Hofstaedtler@21:1/5 to Salvatore Bonaccorso on Sun Apr 13 20:10:01 2025

On Sat, Jan 11, 2025 at 03:00:45PM +0100, Salvatore Bonaccorso wrote:

Source: libfcgi
Version: 2.4.2-2.1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FastCGI-Archives/fcgi2/issues/67

In the upstream bug there seems to be some disagreement if this is
actually a problem.

Has any other distro fixed this yet, in some form?

Chris

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Debian Bug Tracking System@21:1/5 to All on Mon Apr 14 10:20:01 2025

Processing control commands:

tags -1 + patch

Bug #1092774 [src:libfcgi] libfcgi: CVE-2025-23016
Added tag(s) patch.

--
1092774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092774
Debian Bug Tracking System
Contact [email protected] with problems

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Debian Bug Tracking System@21:1/5 to All on Mon Apr 14 20:10:02 2025

Processing control commands:

tags -1 fixed-upstream

Bug #1092774 [src:libfcgi] libfcgi: CVE-2025-23016
Added tag(s) fixed-upstream.

--
1092774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092774
Debian Bug Tracking System
Contact [email protected] with problems

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Bastian Germann@21:1/5 to All on Mon Apr 14 20:50:01 2025

I am uploading an undelayed NMU to fix thisin time for trixie.
Please find the debdiff attached.

diff -Nru libfcgi-2.4.2/acinclude.m4 libfcgi-2.4.5/acinclude.m4
--- libfcgi-2.4.2/acinclude.m4 2019-02-19 12:19:19.000000000 +0100
+++ libfcgi-2.4.5/acinclude.m4 2025-04-14 19:35:59.000000000 +0200
@@ -27,14 +27,12 @@
[Define if there's a fileno() prototype in stdio.h])],
AC_MSG_RESULT([no]))

- if test "$HAVE_SYS_SOCKET_H"; then
AC_MSG_CHECKING([for socklen_t in sys/socket.h])
AC_EGREP_HEADER([socklen_t], [sys/socket.h],
[AC_MSG_RESULT([yes])
AC_DEFINE([HAVE_SOCKLEN], [1],
[Define if the socklen_t typedef is in sys/socket.h])],
AC_MSG_RESULT([no]))
- fi

#--------------------------------------------------------------------
# Do we need cross-process locking on this platform?
diff -Nru libfcgi-2.4.2/cgi-fcgi/cgi-fcgi.c libfcgi-2.4.5/cgi-fcgi/cgi-fcgi.c --- libfcgi-2.4.2/cgi-fcgi/cgi-fcgi.c 2019-02-19 12:19:19.000000000 +0100
+++ libfcgi-2.4.5/cgi-fcgi/cgi-fcgi.c 2025-04-14 19:35:59.000000000 +0200
@@ -6,7 +6,7 @@
*
* Copyright (c) 1996 Open Market, Inc.
*
- * See the file "LICENSE.

From Debian Bug Tracking System@21:1/5 to All on Mon Apr 14 21:10:01 2025

This is a multi-part message in MIME format...

Your message dated Mon, 14 Apr 2025 19:05:59 +0000
with message-id <[email protected]>
and subject line Bug#1092774: fixed in libfcgi 2.4.5-0.1
has caused the Debian Bug report #1092774,
regarding libfcgi: CVE-2025-23016
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected]
immediately.)

--
1092774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1092774
Debian Bug Tracking System
Contact [email protected] with problems

Received: (at submit) by bugs.debian.org; 11 Jan 2025 14:00:50 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.6-bugs.debian.org_2005_01_02
(2021-04-09) on buxtehude.debian.org
X-Spam-Level:
X-Spam-Status: No, score=-8.6 required=4.0 tests=BAYES_00,FROMDEVELOPER,
KHOP_HELO_FCRDNS,RDNS_DYNAMIC,SPF_HELO_NONE,SPF_NONE,XMAILER_REPORTBUG
autolearn=ham autolearn_force=no
version=3.4.6-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 26; hammy, 144; neutral, 35; spammy,
1. spammytokens:0.944-+--H*r:bugs.debian.org
hammytokens:0.000-+--H*F:U*carnil, 0.000-+--XDebbugsCc,
0.000-+--X-Debbugs-Cc, 0.000-+--H*M:reportbug, 0.000-+--H*MI:reportbug Return-path: <[email protected]>
Received: from c-82-192-242-114.customer.ggaweb.ch ([82.192.242.114]:33314 helo=eldamar.lan)
by buxtehude.debian.org with esmtp (Exim 4.94.2)
(envelope-from <carn

Who's Online
Recent Visitors
- Michal Wronka
  Sun Jun 7 19:26:28 2026
  from Wroclaw, Poland via SSH
- Centurion
  Sun Jun 7 16:59:51 2026
  from Berea, Ohio via Telnet
- Furryboy
  Sun Jun 7 13:40:29 2026
  from Romania, Galati via SSH
- Krenn
  Sun Jun 7 10:02:33 2026
  from Sydney, Nsw via Telnet
- Spearb0y
  Sun Jun 7 07:41:05 2026
  from Massachusetts via SSH
- Krenn
  Sun Jun 7 03:07:26 2026
  from Sydney, Nsw via Telnet
- Krenn
  Sun Jun 7 01:30:12 2026
  from Sydney, Nsw via Telnet
- Centurion
  Sat Jun 6 23:27:30 2026
  from Berea, Ohio via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (2 / 14)
Uptime:	04:34:07
Calls:	12,099
Calls today:	7
Files:	15,003
Messages:	6,517,894

Bug#1092774: libfcgi: CVE-2025-23016

Who's Online

Recent Visitors

System Info