- Package: src:libfcgi
- Source: src:libfcgi
- Submitter: Salvatore Bonaccorso
- Date: 2025-08-25 14:33:08 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for libfcgi.

CVE-2025-23016[0]:
| FastCGI fcgi2 (aka fcgi) 2.x through 2.4.4 has an integer overflow
| (and resultant heap-based buffer overflow) via crafted nameLen or
| valueLen values in data to the IPC socket. This occurs in ReadParams
| in fcgiapp.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-23016
    https://www.cve.org/CVERecord?id=CVE-2025-23016
[1] https://github.com/FastCGI-Archives/fcgi2/issues/67

Regards,
Salvatore
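The report above concerns crafted nameLen/valueLen values reaching ReadParams. As an added example (not fcgi2's code and not the upstream fix), here is a defensive parser for the FastCGI name-value pair format in which each declared length is bounded against the bytes actually left in the record before any addition or allocation takes place, so oversized or truncated lengths are rejected instead of producing an undersized heap buffer. The length prefix encoding follows the FastCGI specification (one byte when the high bit is clear, otherwise four bytes big-endian with the high bit masked off); the function and type names, the callback interface and the three sample record bodies are constructed for this example.

```c
/* Added example: overflow-safe parsing of FastCGI PARAMS name-value pairs.
 * Not fcgi2's code; names, callback interface and sample bodies are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Decode one length prefix (FastCGI spec encoding). Returns the number of
 * bytes consumed, or 0 if the prefix is cut off by the end of the record. */
static size_t fcgi_decode_len(const uint8_t *p, size_t avail, uint32_t *out)
{
    if (avail < 1) return 0;
    if ((p[0] & 0x80) == 0) { *out = p[0]; return 1; }
    if (avail < 4) return 0;
    *out = ((uint32_t)(p[0] & 0x7f) << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 4;
}

typedef void (*fcgi_pair_cb)(const char *name, size_t nlen,
                             const char *value, size_t vlen, void *ctx);

/* Walk a PARAMS record body. Returns the number of pairs found, or -1 if a
 * length prefix is truncated or the declared lengths do not fit in the body. */
int fcgi_parse_params(const uint8_t *body, size_t len, fcgi_pair_cb cb, void *ctx)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint32_t nameLen, valueLen;
        size_t n = fcgi_decode_len(body + off, len - off, &nameLen);
        if (n == 0) return -1;
        off += n;
        n = fcgi_decode_len(body + off, len - off, &valueLen);
        if (n == 0) return -1;
        off += n;
        /* Bound each length against what is really left in the record before
         * adding them: oversized values are rejected without ever computing a
         * sum that could wrap, so the allocation size below is known to be sane. */
        size_t remaining = len - off;
        if (nameLen > remaining || valueLen > remaining - nameLen) return -1;
        size_t total = (size_t)nameLen + valueLen;   /* <= remaining, cannot wrap */
        char *buf = malloc(total + 2);               /* room for two NUL terminators */
        if (buf == NULL) return -1;
        memcpy(buf, body + off, nameLen);
        buf[nameLen] = '\0';
        memcpy(buf + nameLen + 1, body + off + nameLen, valueLen);
        buf[total + 1] = '\0';
        if (cb) cb(buf, nameLen, buf + nameLen + 1, valueLen, ctx);
        free(buf);
        off += total;
        count++;
    }
    return count;
}

/* Callback that keeps a copy of the last pair seen, used for checks below. */
struct fcgi_last_pair { char name[64]; char value[64]; };

static void fcgi_capture_last(const char *name, size_t nlen,
                              const char *value, size_t vlen, void *ctx)
{
    struct fcgi_last_pair *lp = ctx;
    snprintf(lp->name, sizeof lp->name, "%.*s", (int)nlen, name);
    snprintf(lp->value, sizeof lp->value, "%.*s", (int)vlen, value);
}

/* Constructed sample bodies (not captured traffic). */
static const uint8_t fcgi_good_body[] = {           /* QUERY_STRING=a=1, REQUEST_METHOD=GET */
    12, 3, 'Q','U','E','R','Y','_','S','T','R','I','N','G', 'a','=','1',
    14, 3, 'R','E','Q','U','E','S','T','_','M','E','T','H','O','D', 'G','E','T'
};
static const uint8_t fcgi_oversized_body[] = {      /* two prefixes of 0x7fffffff, one byte of data */
    0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff, 'x'
};
static const uint8_t fcgi_truncated_body[] = { 0x80 };  /* 4-byte prefix cut off after one byte */

int main(void)
{
    struct fcgi_last_pair lp = {{0}, {0}};
    int good = fcgi_parse_params(fcgi_good_body, sizeof fcgi_good_body, fcgi_capture_last, &lp);
    printf("good body: %d pairs, last pair %s=%s\n", good, lp.name, lp.value);
    printf("oversized body: %d\n",
           fcgi_parse_params(fcgi_oversized_body, sizeof fcgi_oversized_body, NULL, NULL));
    printf("truncated body: %d\n",
           fcgi_parse_params(fcgi_truncated_body, sizeof fcgi_truncated_body, NULL, NULL));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The design point is that the comparison against `remaining` happens on each operand separately, so the check stays correct whatever the width of the integers involved; a check written as `nameLen + valueLen > remaining` would itself be subject to the wraparound it is meant to catch.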
In the upstream bug there seems to be some disagreement if this is actually a problem. Has any other distro fixed this yet, in some form? Chris
Hi Chris,

Not that I'm aware of yet. The reporter said that they will publish an article mid April (so soon?) about how to exploit the vulnerability. I'm not exactly sure where we stand right now, and need to re-read the upstream issue, but as long as upstream has not landed a potential fix then I do not think we need to take an action.

Regards,
Salvatore
Hi, here is a proposed patch picked from upstream repo. Best regards, Xavier
Please note that Yadd's debdiff is based on a patch that was rejected. The final solution was just released with the new upstream version 2.4.5: https://github.com/FastCGI-Archives/fcgi2/commit/b0eabcaf4d4f371514891a52115c746815c2ff15
I am uploading an undelayed NMU to fix this in time for trixie. Please find the debdiff attached.
We believe that the bug you reported is fixed in the latest version of libfcgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1092774@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <bage@debian.org> (supplier of updated libfcgi package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 14 Apr 2025 20:11:58 +0200
Source: libfcgi
Architecture: source
Version: 2.4.5-0.1
Distribution: unstable
Urgency: high
Maintainer: Boris Pek <tehnick@debian.org>
Changed-By: Bastian Germann <bage@debian.org>
Closes: 1092774
Changes:
 libfcgi (2.4.5-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * New upstream release. (Closes: #1092774, CVE-2025-23016)
   * d/watch: Find new release on new GitHub tags path.
   * d/copyright: Add missing licenses.
   * Install upstream manpages.
   * Drop unused lintian overrides.
Checksums-Sha1:
 6c20e297e7e568e18b201982031595a967729ccd 1811 libfcgi_2.4.5-0.1.dsc
 85533305786c4c74f51089465be27070d2de58db 263973 libfcgi_2.4.5.orig.tar.gz
 f316d9ea371443124107e58dcce852e9a81d50e8 5788 libfcgi_2.4.5-0.1.debian.tar.xz
 ebea246abad281bd1c1767298b532df0a7dc36b7 5210 libfcgi_2.4.5-0.1_source.buildinfo
Checksums-Sha256:
 c93568ebe02b40d52b98c723993b12c9ed8e4c870a7c8e9d4d6a7e9ffac93772 1811 libfcgi_2.4.5-0.1.dsc
 92b0111a98d8636e06c128444a3d4d7a720bdd54e6ee4dd0c7b67775b1b0abff 263973 libfcgi_2.4.5.orig.tar.gz
 b5f297ce4a44b6644cbd836e6adb8983b98f7de4bec29a7f1b0116aeb17e70f9 5788 libfcgi_2.4.5-0.1.debian.tar.xz
 944906dd8ca6252adba26f87191e210a9e163798fd3367c911cb4bb89b2f2a1f 5210 libfcgi_2.4.5-0.1_source.buildinfo
Files:
 c818cc8ba8f77aa2f8a59fcd14fd423e 1811 libs optional libfcgi_2.4.5-0.1.dsc
 2d87ab3f5b1321cd39e1b6a9bd9e3088 263973 libs optional libfcgi_2.4.5.orig.tar.gz
 1156f6e0884ed4b4dffe414c0f32b9d7 5788 libs optional libfcgi_2.4.5-0.1.debian.tar.xz
 43d69c63b66958335f1c921721866a92 5210 libs optional libfcgi_2.4.5-0.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQHEBAEBCgAuFiEEQGIgyLhVKAI3jM5BH1x6i0VWQxQFAmf9V0YQHGJhZ2VAZGVi
aWFuLm9yZwAKCRAfXHqLRVZDFMPQC/wPZc8H7p8DOuETCW1mm1BU6Ran2iVX3uiR
sPDJ8HHhWlFnkx58t11F9HOaOYyMvC/c2aXnv0bDv6+gpljwH3/cW0n1M9e781+t
bxk+7FYNNmL4GMc3ypxKsCmzNObwVh0A6HouszUU/eTLH282Y99fs0tPpIo/1NQx
JN4OrN+hIn567zUv/ni6hz/uUEFUlq/bSDMa9Y5+86hu1Xk1qDg8mrV5ERG5P/w6
QSFb/9PC1mlkZVecaXcEhejQ7s4HotNPPf9d7XDfYpQKB1rwwcORSvRXKCg6gHwd
eY2cUEupELISernMIozRNGRvKUDrlykNsY4NlWJEhwM5a3v1H+zkrwuXm2cLPRY3
jJyV6ZqDMja3AIFptI3uFk+YdYTN0Pe+t8aYKEuxX3DEa5V09LRy0hxgwNQLeoSz
On45629y122S4pxKIm0KS7T3iKqek82QNu8fItiyOgHgkO1ULkC32L75y02qjpCk
zJUABrUfex8b8mZgNbqzQNgGRb05k+A=
=rcYC
-----END PGP SIGNATURE-----
The upstream patch applies cleanly on (old)stable. Please find two debdiffs attached.
We believe that the bug you reported is fixed in the latest version of libfcgi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1092774@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated libfcgi package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 26 May 2025 20:18:11 +0200
Source: libfcgi
Architecture: source
Version: 2.4.2-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Boris Pek <tehnick@debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Closes: 1092774
Changes:
 libfcgi (2.4.2-2+deb12u1) bookworm; urgency=medium
 .
   * CVE-2025-23016 (Closes: #1092774)
Checksums-Sha1:
 8b4b56980861752fae5401b405358ec2c083d6c5 1986 libfcgi_2.4.2-2+deb12u1.dsc
 c6d09aff4e3426e228f36856cef5e5c397624fbb 6928 libfcgi_2.4.2-2+deb12u1.debian.tar.xz
 efe46da68cb58835817d5ce8ce71f0ad5517e5b7 7230 libfcgi_2.4.2-2+deb12u1_amd64.buildinfo
Checksums-Sha256:
 04a6b8d38091e38d3e87298fdd3af78194c4d369f8b01b9ed5850895f13bcb70 1986 libfcgi_2.4.2-2+deb12u1.dsc
 38b48772ac2022a715ac52c61ee64fbd619a5b5db7a10b32b50c34446b0648d6 6928 libfcgi_2.4.2-2+deb12u1.debian.tar.xz
 b9bcab5f9987973c9c0f1b4788f175dbf7527b6b940c5dfeb7dd92f5851cf0a7 7230 libfcgi_2.4.2-2+deb12u1_amd64.buildinfo
Files:
 ba879b285d46a7c923320067ef55facc 1986 libs optional libfcgi_2.4.2-2+deb12u1.dsc
 c5811fc6604c4df88e1d8a4c0ea268e9 6928 libs optional libfcgi_2.4.2-2+deb12u1.debian.tar.xz
 4aa61b29971c19f09cdb40b0a5369af3 7230 libs optional libfcgi_2.4.2-2+deb12u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmionzwPHGptbUBkZWJp
YW4ub3JnAAoJEBDCk7bDfE42mJsP+gJNy5pfT3o18I9Zy3VpRpHHFu9VSbY220GH
ug+RMF/Dy4ez5/TMMmtnrxA5rLkBtQGQ9V9wrl/lkfm1VtevMsTrqlaEPcQYOkk6
74qfoqdziJ8jJhW4XxNCOnvG9fnpWXtUrj+sgDCrOHNrmUFh8nGILft0x3dxUyJk
BHZvBrmyrPPWPDkTINNtknSD87PCiPIF8w62BSBuDPoL/44prvcng3gHVIAZHRbx
8qctHLZhUuvKNIVR0+0WM6XIZY3zHFm50Hu6U57re8z23ZnBEAbDdD7/BUzKPTYY
5H3J3byRIjJtG2yB1GZOS0kUp6AVObPmPUjYdRCRw9y+h7Emds1HY1HABdqDOjTV
QE9KYZX535GvTeuqbCjnAhJAMdoj7NUBzjx7feoabcG+gn/VtqmWqBiLoUdJXwES
cOiAOyUO0EJtKfVD5wNHo413MEXlfRWfeJJ+hfvU1OX2Y3u+ZSKsQmdTOw3b7Aib
x2veeYFgsh2jMkyLHzA9KIO6GtvndYIlQ3XRu2CTAOHn+K1yDJ8FwOQ0folFt1MT
JUP68hwJAKgrZ10fGro46gtTqGVZc6n3HpyNWOR83rQrrmTvBm1rp7pDVuqAjwRF
ZZOgNNS9BlDiqSzEbALYJgpcBYCzWzD/GTkwN1Ror4NUC5jzNtrg2A02NaDpUopN
1qz6jAja
=sHqa
-----END PGP SIGNATURE-----