nginx proxy_pass buffer overflow (CVE-2013-2070)

Debian Bug report logs - #708164
nginx proxy_pass buffer overflow (CVE-2013-2070)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: nginx proxy_pass buffer overflow (CVE-2013-2070)

Date: Mon, 13 May 2013 18:47:21 +0200

Package: nginx
Version: 1.2.1-2.2
Severity: serious
Tags: security patch

Hi,

A buffer overflow in the proxy_pass module has been reported by
Nginx upstream, and a patch made available. Please see:
http://www.openwall.com/lists/oss-security/2013/05/13/3

The issue is already fixed in the version in sid, and as far
as I can see the code is not present in squeeze.

Can you ensure that (a) the RC bug against nginx in sid is dealt with
so the fixed package can migrate to jessie, and (b) prepare an update
to wheezy?


Thanks,
Thijs

Message #10 received at 708164@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: 708164@bugs.debian.org

Subject: Re: Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)

Date: Mon, 13 May 2013 21:15:52 +0200

* Thijs Kinkhorst:

> A buffer overflow in the proxy_pass module has been reported by
> Nginx upstream, and a patch made available. Please see:
> http://www.openwall.com/lists/oss-security/2013/05/13/3
>
> The issue is already fixed in the version in sid, and as far
> as I can see the code is not present in squeeze.
>
> Can you ensure that (a) the RC bug against nginx in sid is dealt with
> so the fixed package can migrate to jessie, and (b) prepare an update
> to wheezy?

Note that the upstream patch is not 100% correct C (the overflow check
can be optimized by the compiler).  Therefore, the generated assembly
has to be inspected to ensure that the check is actually in place.

Here's a bit of background information:

<http://cert.uni-stuttgart.de/ticker/advisories/c-integer-overflow.html>
<https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow>

Message #17 received at 708164@bugs.debian.org (full text, mbox, reply):

From: Cyril Lavier <cyril.lavier@davromaniak.eu>

To: Florian Weimer <fw@deneb.enyo.de>, 708164@bugs.debian.org

Subject: Re: Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)

Date: Wed, 05 Jun 2013 10:27:41 +0200

On 05/13/2013 09:15 PM, Florian Weimer wrote:
> * Thijs Kinkhorst:
>
>> A buffer overflow in the proxy_pass module has been reported by
>> Nginx upstream, and a patch made available. Please see:
>> http://www.openwall.com/lists/oss-security/2013/05/13/3
>>
>> The issue is already fixed in the version in sid, and as far
>> as I can see the code is not present in squeeze.
>>
>> Can you ensure that (a) the RC bug against nginx in sid is dealt with
>> so the fixed package can migrate to jessie, and (b) prepare an update
>> to wheezy?
> Note that the upstream patch is not 100% correct C (the overflow check
> can be optimized by the compiler).  Therefore, the generated assembly
> has to be inspected to ensure that the check is actually in place.
>
> Here's a bit of background information:
>
> <http://cert.uni-stuttgart.de/ticker/advisories/c-integer-overflow.html>
> <https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow>
>
Hello Florian.

Except the patch is not 100% correct C, does it sounds risky on the
security side to patch nginx stable (1.2.1-2.2) ?

Thanks.

-- 
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu

Message #22 received at 708164@bugs.debian.org (full text, mbox, reply):

From: steven hay <wintermute_77@yahoo.com>

To: "708164@bugs.debian.org" <708164@bugs.debian.org>

Subject: nginx proxy_pass buffer overflow (CVE-2013-2070)

Date: Wed, 12 Jun 2013 16:09:56 -0700 (PDT)

[Message part 1 (text/plain, inline)]

I understand if this patch may not be 100% correct, but if I read the references correctly, the error is more of theoretical than practical concern since this particular compiler optimization is not likely to be implemented in the GNU compiler. Do we really think that GNU would include an optimization that broke 95% of the bounds checking implementations existing in the wild?

[Message part 2 (text/html, inline)]

Message #27 received at 708164@bugs.debian.org (full text, mbox, reply):

From: steven hay <wintermute_77@yahoo.com>

To: "708164@bugs.debian.org" <708164@bugs.debian.org>

Subject: nginx proxy_pass buffer overflow (CVE-2013-2070)

Date: Wed, 12 Jun 2013 20:05:10 -0700 (PDT)

[Message part 1 (text/plain, inline)]

I believe I may have found a way around inspecting the compiled code
for this check.  The GNU compiler has the following option:

-fwrapv
     This option instructs the compiler to assume that signed arithmetic overflow of
addition, subtraction and multiplication wraps around using twos-complement 

representation. This flag enables some optimizations and disables others. This 

option is enabled by default for the Java front-end, as required by the Java 

language specification.

 
I believe if this option is enabled for the nginx build, the correct optimizations will 
be disabled, and the overflow check will serve its intended purpose for all
twos-complement arithmetic platforms (e.g. x86, and probably all other relevant
architectures).


wintermute_77@yahoo.com

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.