Bug 286589 - www/fcgi: Update to 2.4.6 (fixes CVE-2025-23016)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Vladimir Druzenko
URL: https://github.com/FastCGI-Archives/f...
Reported: 2025-05-04 23:06 UTC by Christos Chatzaras
Modified: 2025-05-11 22:18 UTC

vvd: maintainer-feedback-
vvd: merge-quarterly+


Attachments
Update to version 2.4.6 and switch the download source to GitHub (5.18 KB, patch)
2025-05-04 23:52 UTC, Christos Chatzaras

Description Christos Chatzaras 2025-05-04 23:06:01 UTC
Fixes security issue: https://github.com/advisories/GHSA-9825-56cx-cfg6
Comment 1 Christos Chatzaras 2025-05-04 23:52:35 UTC
Created attachment 260160 [details]
Update to version 2.4.6 and switch the download source to GitHub
Comment 2 Vladimir Druzenko freebsd_committer freebsd_triage 2025-05-08 20:51:43 UTC
Additional changes:

1. Replace PORTVERSION with DISTVERSION.

2. Update WWW - old is down:
-WWW=           http://www.fastcgi.com/
+WWW=           https://fastcgi-archives.github.io/

3. USES+=pathfix - to install *.pc files in the correct path.

4. Fix warnings from portclippy - order of lines in Makefile.

5. Remove MAKE_JOBS_UNSAFE=yes - obsoleted, builds fine without it on a host with 24 threads, 10 times in a row.

6. Run COPYTREE_SHARE for docs only if the DOCS option is ON.

www/fcgi/Makefile:
@@ -1,36 +1,37 @@
 PORTNAME=      fcgi
-PORTVERSION=   2.4.0
-PORTREVISION=  6
+DISTVERSION=   2.4.6
 CATEGORIES=    www
-MASTER_SITES=  LOCAL/adamw
 PKGNAMESUFFIX= -devkit

 MAINTAINER=    john@essenz.com
 COMMENT=       FastCGI Development Kit
-WWW=           http://www.fastcgi.com/
+WWW=           https://fastcgi-archives.github.io/

 LICENSE=       Open_Market_FastCGI_license
 LICENSE_NAME=  Open Market FastCGI license
-LICENSE_FILE=  ${WRKSRC}/LICENSE.TERMS
+LICENSE_FILE=  ${WRKSRC}/LICENSE
 LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept

-USES=          cpe libtool
+USES=          autoreconf cpe libtool pathfix
 CPE_VENDOR=    fastcgi
+USE_GITHUB=    yes
+GH_ACCOUNT=    FastCGI-Archives
+GH_PROJECT=    fcgi2
+USE_LDCONFIG=  yes

 GNU_CONFIGURE= yes
-USE_LDCONFIG=  yes
-MAKE_JOBS_UNSAFE=      yes

 OPTIONS_DEFINE=        DOCS

 post-install:
        ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libfcgi.so.0.0.0
        ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libfcgi++.so.0.0.0
-
-       @${MKDIR} ${STAGEDIR}${DOCSDIR}
        ${INSTALL_MAN} ${WRKSRC}/doc/*.1 ${STAGEDIR}${PREFIX}/share/man/man1
        ${INSTALL_MAN} ${WRKSRC}/doc/*.3 ${STAGEDIR}${PREFIX}/share/man/man3
+
+post-install-DOCS-on:
+       @${MKDIR} ${STAGEDIR}${DOCSDIR}
        (cd ${WRKSRC}/doc && \
                ${COPYTREE_SHARE} . ${STAGEDIR}${DOCSDIR} "! -name *\.[13]")

 .include <bsd.port.mk>
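Review bot: switching the distfile source from MASTER_SITES=LOCAL/adamw to USE_GITHUB (GH_ACCOUNT=FastCGI-Archives, GH_PROJECT=fcgi2, DISTVERSION=2.4.6) means the fetched tarball and its checksum change, so distinfo must be regenerated with `make makesum` and checked against the upstream 2.4.6 release; this hunk cannot show that, but the commit summary further down does list www/fcgi/distinfo among the changed files. The LICENSE_FILE change from `${WRKSRC}/LICENSE.TERMS` to `${WRKSRC}/LICENSE` likewise only holds if the 2.4.6 checkout ships a file with that exact name, which a `make stage` run confirms.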

7. Remove the obsoleted patch www/fcgi/files/patch-include__fcgio.h added in https://bugs.freebsd.org/154190.
Tested the build with GCC 14.

8. Add files to pkg-plist:
libdata/pkgconfig/fcgi++.pc
libdata/pkgconfig/fcgi.pc

9. Fix order in www/fcgi/pkg-plist:
@@ -14,11 +14,8 @@ lib/libfcgi.a
 lib/libfcgi.so
 lib/libfcgi.so.0
 lib/libfcgi.so.0.0.0
-share/man/man1/cgi-fcgi.1.gz
-share/man/man3/FCGI_Accept.3.gz
-share/man/man3/FCGI_Finish.3.gz
-share/man/man3/FCGI_SetExitStatus.3.gz
-share/man/man3/FCGI_StartFilterData.3.gz
+libdata/pkgconfig/fcgi++.pc
+libdata/pkgconfig/fcgi.pc
 %%PORTDOCS%%%%DOCSDIR%%/fastcgi-prog-guide/ap_guida.htm
 %%PORTDOCS%%%%DOCSDIR%%/fastcgi-prog-guide/ap_guide.htm
 %%PORTDOCS%%%%DOCSDIR%%/fastcgi-prog-guide/apaman.htm
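Review bot: the two new `libdata/pkgconfig/fcgi++.pc` and `libdata/pkgconfig/fcgi.pc` entries are only correct at that path because of the `USES+=pathfix` change in the Makefile hunk above, so the plist and Makefile changes have to land together; with only one applied, `make check-plist` would report the .pc files as either orphaned or missing. Placing them after `lib/libfcgi.so.0.0.0` and before the `%%PORTDOCS%%` block keeps the unconditional entries sorted.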
@@ -43,3 +40,8 @@ share/man/man3/FCGI_StartFilterData.3.gz
 %%PORTDOCS%%%%DOCSDIR%%/omi-logo.gif
 %%PORTDOCS%%%%DOCSDIR%%/overview.html
 %%PORTDOCS%%%%DOCSDIR%%/www5-api-workshop.html
+share/man/man1/cgi-fcgi.1.gz
+share/man/man3/FCGI_Accept.3.gz
+share/man/man3/FCGI_Finish.3.gz
+share/man/man3/FCGI_SetExitStatus.3.gz
+share/man/man3/FCGI_StartFilterData.3.gz
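Review bot: this is a pure reorder, the five `share/man` entries removed in the first hunk reappear here byte for byte (same `.gz` suffixes), and the header `@@ -43,3 +40,8 @@` is consistent with the first hunk's net change of -3 lines (5 removed, 2 added). Since the hunk ends on a `+` line with no trailing context, confirm that pkg-plist still ends with a newline after applying it.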
Comment 4 Vladimir Druzenko freebsd_committer freebsd_triage 2025-05-08 21:00:02 UTC
I see last activity from maintainer (John von Essen <john@essenz.com>) in 2019.
This update fixes a CVE.
I guess we don't have to wait 2 weeks for the maintainer timeout.
Comment 5 commit-hook freebsd_committer freebsd_triage 2025-05-08 21:29:46 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7809d8810df0f784a50ef375e6b828df1e3bbad3

commit 7809d8810df0f784a50ef375e6b828df1e3bbad3
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-05-08 21:21:58 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-05-08 21:29:15 +0000

    www/fcgi: Update 2.4.0 => 2.4.6 (fix CVE-2025-23016), improve port

    Commit log:
    https://github.com/FastCGI-Archives/fcgi2/compare/2.4.0...2.4.6

    Changelogs:
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1.1
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.2
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.3
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.4
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.6

    Improve port:
    - Replace PORTVERSION with DISTVERSION.
    - Update WWW - old is down.
    - Switch upstream to GitHub.
    - Add USES+=pathfix for install *.pc files in correct path.
    - Fix warnings from portclippy - order of lines in Makefile.
    - Remove MAKE_JOBS_UNSAFE=yes - obsoleted.
    - Make run COPYTREE_SHARE docs only if DOCS option is ON.
    - Remove upstreamed and obsoleted patches.
    - Fix order in plist.

    PR:             286589
    Approved by:    John von Essen <john@essenz.com> (maintainer, timeout - last activity 2019)
    Security:       CVE-2025-23016
    Co-authored-by: Christos Chatzaras <chris@cretaforce.gr>
    MFH:            2025Q2

 www/fcgi/Makefile                                 | 21 +++---
 www/fcgi/distinfo                                 |  5 +-
 www/fcgi/files/patch-CVE-2012-6687-pool (gone)    | 79 -----------------------
 www/fcgi/files/patch-examples__Makefile.in (gone) | 11 ----
 www/fcgi/files/patch-include__fcgio.h (gone)      | 10 ---
 www/fcgi/pkg-plist                                | 12 ++--
 6 files changed, 21 insertions(+), 117 deletions(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2025-05-08 21:44:49 UTC
A commit in branch 2025Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a98cffa6bfdf24036fc1bfd02ce8277f3342f1d0

commit a98cffa6bfdf24036fc1bfd02ce8277f3342f1d0
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-05-08 21:21:58 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-05-08 21:43:28 +0000

    www/fcgi: Update 2.4.0 => 2.4.6 (fix CVE-2025-23016), improve port

    Commit log:
    https://github.com/FastCGI-Archives/fcgi2/compare/2.4.0...2.4.6

    Changelogs:
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.1.1
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.2
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.3
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.4
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.5
    https://github.com/FastCGI-Archives/fcgi2/releases/tag/2.4.6

    Improve port:
    - Replace PORTVERSION with DISTVERSION.
    - Update WWW - old is down.
    - Switch upstream to GitHub.
    - Add USES+=pathfix for install *.pc files in correct path.
    - Fix warnings from portclippy - order of lines in Makefile.
    - Remove MAKE_JOBS_UNSAFE=yes - obsoleted.
    - Make run COPYTREE_SHARE docs only if DOCS option is ON.
    - Remove upstreamed and obsoleted patches.
    - Fix order in plist.

    PR:             286589
    Approved by:    John von Essen <john@essenz.com> (maintainer, timeout - last activity 2019)
    Security:       CVE-2025-23016
    Co-authored-by: Christos Chatzaras <chris@cretaforce.gr>
    MFH:            2025Q2

    (cherry picked from commit 7809d8810df0f784a50ef375e6b828df1e3bbad3)

 www/fcgi/Makefile                                 | 21 +++---
 www/fcgi/distinfo                                 |  5 +-
 www/fcgi/files/patch-CVE-2012-6687-pool (gone)    | 79 -----------------------
 www/fcgi/files/patch-examples__Makefile.in (gone) | 11 ----
 www/fcgi/files/patch-include__fcgio.h (gone)      | 10 ---
 www/fcgi/pkg-plist                                | 12 ++--
 6 files changed, 21 insertions(+), 117 deletions(-)
Comment 7 Vladimir Druzenko freebsd_committer freebsd_triage 2025-05-08 21:46:48 UTC
Thanks, committed!
Comment 8 Christos Chatzaras 2025-05-08 21:47:53 UTC
A question: How did you find the missing pkg-plist files? Did you use `make check-plist` or another tool?
Comment 9 Vladimir Druzenko freebsd_committer freebsd_triage 2025-05-08 22:04:08 UTC
(In reply to Christos Chatzaras from comment #8)
Yes: "make check-plist stage-qa".
Also I'm using poudriere testport - it uses "make check-plist stage-qa" too.
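A minimal stand-in for the comparison that `make check-plist` performs, added here as an example (not code from this PR or from the ports framework); the staging tree and plist are constructed inline to mirror the .pc entries that were missing in this bug, and the `%%` and `@` plist keywords are deliberately not modelled:

```shell
#!/bin/sh
# Added example, not part of the PR or the ports framework: a minimal
# stand-in for the comparison "make check-plist" performs, i.e. list the
# files under a staging directory and diff them against pkg-plist.
set -eu

# Build a constructed staging tree; the paths mirror what www/fcgi installs
# once USES=pathfix puts the .pc files under libdata/pkgconfig.
make_stage() {
  stage=$(mktemp -d)
  mkdir -p "$stage/lib" "$stage/libdata/pkgconfig" "$stage/share/man/man1"
  : > "$stage/lib/libfcgi.so.0.0.0"
  : > "$stage/libdata/pkgconfig/fcgi.pc"
  : > "$stage/libdata/pkgconfig/fcgi++.pc"
  : > "$stage/share/man/man1/cgi-fcgi.1.gz"
  printf '%s\n' "$stage"
}

# Constructed pkg-plist that, like the pre-update one, lacks the .pc files
# and additionally lists a man page that was never staged.
write_plist() {
  plist=$(mktemp)
  cat > "$plist" <<'EOF'
lib/libfcgi.so.0.0.0
share/man/man1/cgi-fcgi.1.gz
share/man/man3/FCGI_Accept.3.gz
EOF
  printf '%s\n' "$plist"
}

# Sorted, relative list of every file present under the staging dir ($1);
# LC_ALL=C so that sort and comm agree on byte order.
staged_files() {
  (cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort)
}

# comm -23 keeps staged-only lines (files missing from the plist),
# comm -13 keeps plist-only lines (orphaned plist entries).
plist_compare() {  # $1 = stagedir, $2 = plist, $3 = comm flags
  a=$(mktemp); b=$(mktemp)
  staged_files "$1" > "$a"
  LC_ALL=C sort "$2" > "$b"
  LC_ALL=C comm "$3" "$a" "$b"
  rm -f "$a" "$b"
}
missing_from_plist() { plist_compare "$1" "$2" -23; }
orphaned_in_plist()  { plist_compare "$1" "$2" -13; }
```

Running `missing_from_plist "$(make_stage)" "$(write_plist)"` lists the two .pc files, which is exactly the report that led to the pkg-plist additions in this PR.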
Comment 10 Mark Linimon freebsd_committer freebsd_triage 2025-05-11 10:46:32 UTC
^Triage: assigned to committer who resolved.

To committer: is there anything further that needs to be done with this PR?
Comment 11 Vladimir Druzenko freebsd_committer freebsd_triage 2025-05-11 20:05:41 UTC
(In reply to Mark Linimon from comment #10)
> To committer: is there anything further that needs to be done with this PR?
Add record to security/vuxml. Same for bug #286624.
Comment 12 Christos Chatzaras 2025-05-11 21:18:03 UTC
(In reply to Vladimir Druzenko from comment #11)

It's already added: bug #286590
Comment 13 Vladimir Druzenko freebsd_committer freebsd_triage 2025-05-11 22:18:22 UTC
(In reply to Christos Chatzaras from comment #12)
Ok!