Debian Bug report logs - #708164
nginx proxy_pass buffer overflow (CVE-2013-2070)
Reported by: Thijs Kinkhorst <thijs@debian.org>
Date: Mon, 13 May 2013 16:51:02 UTC
Severity: serious
Tags: patch, security
Found in version nginx/1.2.1-2.2
Fixed in versions nginx/1.2.1-2.2+wheezy1, nginx/1.4.1-1
Done: Christos Trochalakis <yatiohi@ideopolis.gr>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>: Bug#708164; Package nginx. (Mon, 13 May 2013 16:51:06 GMT)
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>. (Mon, 13 May 2013 16:51:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: nginx
Version: 1.2.1-2.2
Severity: serious
Tags: security patch
Hi,
A buffer overflow in the proxy_pass module has been reported by
Nginx upstream, and a patch made available. Please see:
http://www.openwall.com/lists/oss-security/2013/05/13/3
The issue is already fixed in the version in sid, and as far
as I can see the code is not present in squeeze.
Can you ensure that (a) the RC bug against nginx in sid is dealt with
so the fixed package can migrate to jessie, and (b) prepare an update
to wheezy?
Thanks,
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#708164; Package nginx. (Mon, 13 May 2013 19:54:05 GMT)
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Mon, 13 May 2013 19:54:05 GMT)
Message #10 received at 708164@bugs.debian.org:
* Thijs Kinkhorst:
> A buffer overflow in the proxy_pass module has been reported by
> Nginx upstream, and a patch made available. Please see:
> http://www.openwall.com/lists/oss-security/2013/05/13/3
>
> The issue is already fixed in the version in sid, and as far
> as I can see the code is not present in squeeze.
>
> Can you ensure that (a) the RC bug against nginx in sid is dealt with
> so the fixed package can migrate to jessie, and (b) prepare an update
> to wheezy?
Note that the upstream patch is not 100% correct C (the overflow check
can be optimized by the compiler). Therefore, the generated assembly
has to be inspected to ensure that the check is actually in place.
Here's a bit of background information:
<http://cert.uni-stuttgart.de/ticker/advisories/c-integer-overflow.html>
<https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow>
Marked as fixed in versions nginx/1.4.1-1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 14 May 2013 07:33:15 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#708164; Package nginx. (Wed, 05 Jun 2013 08:36:05 GMT)
Acknowledgement sent to Cyril Lavier <cyril.lavier@davromaniak.eu>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 05 Jun 2013 08:36:05 GMT)
Message #17 received at 708164@bugs.debian.org:
On 05/13/2013 09:15 PM, Florian Weimer wrote:
> * Thijs Kinkhorst:
>
>> A buffer overflow in the proxy_pass module has been reported by
>> Nginx upstream, and a patch made available. Please see:
>> http://www.openwall.com/lists/oss-security/2013/05/13/3
>>
>> The issue is already fixed in the version in sid, and as far
>> as I can see the code is not present in squeeze.
>>
>> Can you ensure that (a) the RC bug against nginx in sid is dealt with
>> so the fixed package can migrate to jessie, and (b) prepare an update
>> to wheezy?
> Note that the upstream patch is not 100% correct C (the overflow check
> can be optimized by the compiler). Therefore, the generated assembly
> has to be inspected to ensure that the check is actually in place.
>
> Here's a bit of background information:
>
> <http://cert.uni-stuttgart.de/ticker/advisories/c-integer-overflow.html>
> <https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow>
>
Hello Florian.
Apart from the patch not being 100% correct C, does it sound risky on the
security side to patch nginx stable (1.2.1-2.2)?
Thanks.
--
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#708164; Package nginx. (Wed, 12 Jun 2013 23:15:03 GMT)
Acknowledgement sent to steven hay <wintermute_77@yahoo.com>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 12 Jun 2013 23:15:03 GMT)
Message #22 received at 708164@bugs.debian.org:
I understand if this patch may not be 100% correct, but if I read the references correctly, the error is more of a theoretical than a practical concern since this particular compiler optimization is not likely to be implemented in the GNU compiler. Do we really think that GNU would include an optimization that broke 95% of the bounds checking implementations existing in the wild?
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#708164; Package nginx. (Thu, 13 Jun 2013 03:09:04 GMT)
Acknowledgement sent to steven hay <wintermute_77@yahoo.com>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Thu, 13 Jun 2013 03:09:04 GMT)
Message #27 received at 708164@bugs.debian.org:
I believe I may have found a way around inspecting the compiled code
for this check. The GNU compiler has the following option:
-fwrapv
This option instructs the compiler to assume that signed arithmetic overflow of
addition, subtraction and multiplication wraps around using twos-complement
representation. This flag enables some optimizations and disables others. This
option is enabled by default for the Java front-end, as required by the Java
language specification.
I believe if this option is enabled for the nginx build, the correct optimizations will
be disabled, and the overflow check will serve its intended purpose for all
twos-complement arithmetic platforms (e.g. x86, and probably all other relevant
architectures).
wintermute_77@yahoo.com
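The concern raised in this thread, as an added example that is not part of the bug log and is not the upstream nginx patch: a hex size parser with an overflow test placed after the signed arithmetic, beside a form that tests before it. The function names and inputs are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Weak form: overflow first, test afterwards. Signed overflow is undefined
 * behaviour, so the compiler may assume size stays non-negative and delete
 * the test. Only -fwrapv (GCC/Clang) gives this check a defined meaning. */
int64_t parse_size_posthoc(const char *s)
{
    int64_t size = 0;
    for (; *s; s++) {
        int d = hexval(*s);
        if (d < 0) return -1;
        size = size * 16 + d;      /* may overflow: undefined behaviour */
        if (size < 0) return -1;   /* may be optimized out */
    }
    return size;
}

/* Portable form: reject the digit before the arithmetic could overflow,
 * so no undefined operation is ever executed, with or without -fwrapv. */
int64_t parse_size_checked(const char *s)
{
    int64_t size = 0;
    for (; *s; s++) {
        int d = hexval(*s);
        if (d < 0) return -1;
        if (size > (INT64_MAX - d) / 16) return -1;
        size = size * 16 + d;
    }
    return size;
}

int main(void)
{
    /* Constructed inputs: a small size, INT64_MAX, and INT64_MAX + 1. */
    printf("%lld\n", (long long)parse_size_checked("1f"));
    printf("%lld\n", (long long)parse_size_checked("7fffffffffffffff"));
    printf("%lld\n", (long long)parse_size_checked("8000000000000000"));
    return 0;
}
```

Comparing `gcc -O2 -S` output with and without `-fwrapv` shows whether the `size < 0` test in the weak form survives in the generated assembly.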
Marked as fixed in versions nginx/1.2.1-2.2+wheezy1. Request was from Christos Trochalakis <yatiohi@ideopolis.gr> to control@bugs.debian.org. (Tue, 31 Dec 2013 17:45:15 GMT)
Marked Bug as done. Request was from Christos Trochalakis <yatiohi@ideopolis.gr> to control@bugs.debian.org. (Tue, 31 Dec 2013 17:45:15 GMT)
Notification sent to Thijs Kinkhorst <thijs@debian.org>: Bug acknowledged by developer. (Tue, 31 Dec 2013 17:45:17 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 29 Jan 2014 07:32:21 GMT)