Debian Bug report logs - #708164
nginx proxy_pass buffer overflow (CVE-2013-2070)

Package: nginx; Maintainer for nginx is Kartik Mistry <kartik@debian.org>; Source for nginx is src:nginx.

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Mon, 13 May 2013 16:51:02 UTC

Severity: serious

Tags: patch, security

Found in version nginx/1.2.1-2.2

Fixed in versions nginx/1.2.1-2.2+wheezy1, nginx/1.4.1-1

Done: Christos Trochalakis <yatiohi@ideopolis.gr>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#708164; Package nginx. (Mon, 13 May 2013 16:51:06 GMT)

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>. (Mon, 13 May 2013 16:51:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nginx proxy_pass buffer overflow (CVE-2013-2070)
Date: Mon, 13 May 2013 18:47:21 +0200
Package: nginx
Version: 1.2.1-2.2
Severity: serious
Tags: security patch

Hi,

A buffer overflow in the proxy_pass module has been reported by
Nginx upstream, and a patch made available. Please see:
http://www.openwall.com/lists/oss-security/2013/05/13/3

The issue is already fixed in the version in sid, and as far
as I can see the code is not present in squeeze.

Can you ensure that (a) the RC bug against nginx in sid is dealt with
so the fixed package can migrate to jessie, and (b) prepare an update
to wheezy?


Thanks,
Thijs



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#708164; Package nginx. (Mon, 13 May 2013 19:54:05 GMT)

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Mon, 13 May 2013 19:54:05 GMT)

Message #10 received at 708164@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: 708164@bugs.debian.org
Subject: Re: Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)
Date: Mon, 13 May 2013 21:15:52 +0200
* Thijs Kinkhorst:

> A buffer overflow in the proxy_pass module has been reported by
> Nginx upstream, and a patch made available. Please see:
> http://www.openwall.com/lists/oss-security/2013/05/13/3
>
> The issue is already fixed in the version in sid, and as far
> as I can see the code is not present in squeeze.
>
> Can you ensure that (a) the RC bug against nginx in sid is dealt with
> so the fixed package can migrate to jessie, and (b) prepare an update
> to wheezy?

Note that the upstream patch is not 100% correct C (the overflow check
can be optimized by the compiler).  Therefore, the generated assembly
has to be inspected to ensure that the check is actually in place.

Here's a bit of background information:

<http://cert.uni-stuttgart.de/ticker/advisories/c-integer-overflow.html>
<https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow>



Marked as fixed in versions nginx/1.4.1-1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 14 May 2013 07:33:15 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#708164; Package nginx. (Wed, 05 Jun 2013 08:36:05 GMT)

Acknowledgement sent to Cyril Lavier <cyril.lavier@davromaniak.eu>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 05 Jun 2013 08:36:05 GMT)

Message #17 received at 708164@bugs.debian.org:

From: Cyril Lavier <cyril.lavier@davromaniak.eu>
To: Florian Weimer <fw@deneb.enyo.de>, 708164@bugs.debian.org
Subject: Re: Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)
Date: Wed, 05 Jun 2013 10:27:41 +0200
On 05/13/2013 09:15 PM, Florian Weimer wrote:
> * Thijs Kinkhorst:
>
>> A buffer overflow in the proxy_pass module has been reported by
>> Nginx upstream, and a patch made available. Please see:
>> http://www.openwall.com/lists/oss-security/2013/05/13/3
>>
>> The issue is already fixed in the version in sid, and as far
>> as I can see the code is not present in squeeze.
>>
>> Can you ensure that (a) the RC bug against nginx in sid is dealt with
>> so the fixed package can migrate to jessie, and (b) prepare an update
>> to wheezy?
> Note that the upstream patch is not 100% correct C (the overflow check
> can be optimized by the compiler).  Therefore, the generated assembly
> has to be inspected to ensure that the check is actually in place.
>
> Here's a bit of background information:
>
> <http://cert.uni-stuttgart.de/ticker/advisories/c-integer-overflow.html>
> <https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow>
>
Hello Florian.

Except that the patch is not 100% correct C, does it sound risky on the
security side to patch nginx stable (1.2.1-2.2)?

Thanks.

-- 
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu




Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#708164; Package nginx. (Wed, 12 Jun 2013 23:15:03 GMT)

Acknowledgement sent to steven hay <wintermute_77@yahoo.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 12 Jun 2013 23:15:03 GMT)

Message #22 received at 708164@bugs.debian.org:

From: steven hay <wintermute_77@yahoo.com>
To: "708164@bugs.debian.org" <708164@bugs.debian.org>
Subject: nginx proxy_pass buffer overflow (CVE-2013-2070)
Date: Wed, 12 Jun 2013 16:09:56 -0700 (PDT)
I understand if this patch may not be 100% correct, but if I read the references correctly, the error is more of theoretical than practical concern since this particular compiler optimization is not likely to be implemented in the GNU compiler. Do we really think that GNU would include an optimization that broke 95% of the bounds checking implementations existing in the wild?

Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#708164; Package nginx. (Thu, 13 Jun 2013 03:09:04 GMT)

Acknowledgement sent to steven hay <wintermute_77@yahoo.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Thu, 13 Jun 2013 03:09:04 GMT)

Message #27 received at 708164@bugs.debian.org:

From: steven hay <wintermute_77@yahoo.com>
To: "708164@bugs.debian.org" <708164@bugs.debian.org>
Subject: nginx proxy_pass buffer overflow (CVE-2013-2070)
Date: Wed, 12 Jun 2013 20:05:10 -0700 (PDT)
I believe I may have found a way around inspecting the compiled code
for this check.  The GNU compiler has the following option:

-fwrapv
     This option instructs the compiler to assume that signed arithmetic overflow of
     addition, subtraction and multiplication wraps around using two's-complement
     representation. This flag enables some optimizations and disables others. This
     option is enabled by default for the Java front-end, as required by the Java
     language specification.

I believe if this option is enabled for the nginx build, the correct optimizations will
be disabled, and the overflow check will serve its intended purpose for all
two's-complement arithmetic platforms (e.g. x86, and probably all other relevant
architectures).


wintermute_77@yahoo.com
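The point raised in Florian Weimer's message and in the -fwrapv suggestion above, shown as an added example that is not the nginx patch or any code from the bug log: a constructed chunk-size bounds check written in the add-then-test form, whose overflow test relies on undefined signed overflow and may be dropped by an optimizing compiler, beside a form that compares before any arithmetic can overflow. Buffer length, function names and inputs are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed example: a 64-byte buffer indexed by a signed cursor.
 * Return value 1 means "reject, chunk would not fit", 0 means "fits". */
#define BUF_LEN 64

/* Fragile form: add first, test afterwards. Signed overflow in pos + size
 * is undefined behaviour, so the compiler may assume it never happens and
 * fold `end < pos` to `size < 0`, silently removing the overflow test.
 * Only a build with -fwrapv makes the wrap well-defined and keeps it.
 * The same reasoning applies to pointer arithmetic such as p + size. */
static int check_after_add(int pos, int size)
{
    int end = pos + size;               /* may overflow (UB) */
    return end < pos || end > BUF_LEN;  /* first clause is removable */
}

/* Robust form: reject negatives, then compare the size against the space
 * that is actually left. BUF_LEN - pos cannot overflow once pos is known
 * to lie in [0, BUF_LEN], so no undefined behaviour ever occurs and there
 * is nothing for the optimizer to remove, with or without -fwrapv. */
static int check_before_add(int pos, int size)
{
    if (pos < 0 || pos > BUF_LEN)
        return 1;                       /* cursor outside the buffer */
    if (size < 0)
        return 1;                       /* a negative length is never valid */
    return size > BUF_LEN - pos;        /* safe comparison, no addition */
}

int main(void)
{
    /* Constructed input: cursor 10 bytes in, hostile size chosen so that
     * pos + size wraps negative in 32-bit two's-complement arithmetic. */
    int pos = 10, hostile = INT_MAX;
    printf("before-add check rejects hostile size: %d\n",
           check_before_add(pos, hostile));
    printf("after-add check rejects hostile size:  %d\n",
           check_after_add(pos, hostile));
    /* Build once with -O2 and once with -O2 -fwrapv and compare the second
     * line; the first line is 1 under every optimization level. */
    return 0;
}
```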

Marked as fixed in versions nginx/1.2.1-2.2+wheezy1. Request was from Christos Trochalakis <yatiohi@ideopolis.gr> to control@bugs.debian.org. (Tue, 31 Dec 2013 17:45:15 GMT)

Marked Bug as done. Request was from Christos Trochalakis <yatiohi@ideopolis.gr> to control@bugs.debian.org. (Tue, 31 Dec 2013 17:45:15 GMT)

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Tue, 31 Dec 2013 17:45:17 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Jan 2014 07:32:21 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:32:23 2014; Machine Name: beach.debian.org
