Bug 1644508 (CVE-2018-16845)

Summary: CVE-2018-16845 nginx: Denial of service and memory disclosure via mp4 module
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abhgupta, affix, athmanem, bperkins, cmoore, dajohnso, dbaker, dmetzger, gblomqui, gmainwar, gmccullo, gtanzill, hhorak, jeremy, jfrey, jhardy, jkaluza, jlaska, jokerman, jorton, jprause, kaycoth, kdixon, kwalsh, luhliari, obarenbo, pavel.lisy, peter.borsa, rcosta, roliveri, security-response-team, simaishi, sthangav, tadej.j, trankin, wtogami
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nginx 1.15.6, nginx 1.14.1
Doc Type: If docs needed, set a value
Doc Text:
An instance of missing input sanitization was found in the mp4 module for nginx. A local attacker could create a specially crafted video file that, when streamed by the server, would cause a denial of service (server crash or hang) and, possibly, information disclosure.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:41:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1647255, 1647256, 1647257, 1648219, 1648220, 1648221, 1648223, 1648362, 1648363, 1648364, 1648365, 1888168
Bug Blocks: 1644513

Description Sam Fowler 2018-10-31 04:02:02 UTC
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the mp4 module that allows for denial of service or worker process memory disclosure.

Comment 1 Borja Tarraso 2018-11-02 08:47:57 UTC
Acknowledgments:

Name: the Nginx project

Comment 2 Borja Tarraso 2018-11-02 15:06:50 UTC
Ansible Tower is not using ngx_http_mp4_module at all, therefore it is not affected.

Comment 3 Borja Tarraso 2018-11-02 20:11:00 UTC
Already did some research and discussed with Satoe I. from CloudForms. CFME is not using nginx in any way beyond its inclusion from Ansible Tower (configuration not changed or altered, not used outside Tower), and Ansible Tower is not affected, so CloudForms is also not affected; updating the task accordingly.

Comment 5 Sam Fowler 2018-11-07 00:33:58 UTC
Created nginx tracking bugs for this issue:

Affects: epel-all [bug 1647256]
Affects: fedora-all [bug 1647255]

Comment 10 Riccardo Schirone 2018-11-08 10:16:18 UTC
Mercurial commit that patches this flaw:
http://hg.nginx.org/nginx/rev/fdc19a3289c1

Comment 11 Riccardo Schirone 2018-11-08 10:21:06 UTC
The ngx_http_mp4_read_atom() function in the ngx_http_mp4_module.c file does not check whether atom_size in a 64-bit atom in mp4 files is greater than the minimum value atom_header_size, which is 16 for 64-bit atoms. When atom_header_size is subtracted from atom_size, the result may underflow and cause various issues: infinite loops when the size is 0, crashes, or memory disclosure.
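
The arithmetic described in Comment 11, as an added C illustration that is not nginx's own code. It follows the ISO BMFF atom header layout (32-bit size plus 4-byte type; when the size field is 1, a 64-bit "largesize" follows, making the header 16 bytes) and models the read loop on the comment's description. The function names (read_atom, walk_atoms, probe_rc, probe_payload, walk_demo), the return-code convention, the walker's handling of a truncated atom, and the sample atoms are this example's own assumptions, not nginx's. With fixed == 0 the 64-bit branch trusts largesize as-is, so a largesize below 16 makes the payload length wrap to near 2^64 (what a handler would then try to read, hence the crash or memory disclosure), and a largesize of 0 leaves the file offset where it was (the infinite loop); with fixed == 1 the one missing bounds check rejects both.

```c
/*
 * Added illustration (not nginx code): parsing an mp4 atom header, the
 * unsigned wrap when a 64-bit largesize is smaller than its 16-byte header,
 * and the check that prevents it. Header sizes follow ISO BMFF.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ATOM_HEADER32  8   /* uint32 size + 4-byte type             */
#define ATOM_HEADER64 16   /* size field == 1, then uint64 largesize */

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t get64(const uint8_t *p)
{
    return ((uint64_t)get32(p) << 32) | get32(p + 4);
}

typedef struct {
    char     type[5];
    uint64_t atom_size;     /* whole atom, header included             */
    size_t   header_size;   /* 8 or 16                                 */
    uint64_t payload_size;  /* atom_size - header_size: handler's input */
} atom_t;

/*
 * Parse one atom header at buf. Returns 0 on success, 1 on an "atom end"
 * marker (32-bit size 0), -1 on malformed input. With fixed == 0 the 64-bit
 * branch reproduces the flaw: largesize is used without a minimum check.
 */
int read_atom(const uint8_t *buf, size_t len, int fixed, atom_t *out)
{
    uint64_t atom_size;
    size_t   header_size = ATOM_HEADER32;

    if (len < ATOM_HEADER32) {
        return -1;
    }
    atom_size = get32(buf);
    if (atom_size == 0) {
        return 1;                       /* end of atom list */
    }
    if (atom_size < ATOM_HEADER32) {
        if (atom_size != 1 || len < ATOM_HEADER64) {
            return -1;                  /* atom too small, or truncated */
        }
        atom_size   = get64(buf + 8);   /* 64-bit largesize */
        header_size = ATOM_HEADER64;
        /* The missing check: largesize must cover its own 16-byte header. */
        if (fixed && atom_size < ATOM_HEADER64) {
            return -1;
        }
    }
    memcpy(out->type, buf + 4, 4);
    out->type[4]      = '\0';
    out->atom_size    = atom_size;
    out->header_size  = header_size;
    out->payload_size = atom_size - header_size; /* wraps if atom_size < header_size */
    return 0;
}

/* Walk atoms in buf. Returns atoms parsed, -1 on error, -2 when the offset
 * would stop advancing (a 64-bit size of 0: the infinite-loop outcome). */
int walk_atoms(const uint8_t *buf, size_t len, int fixed)
{
    size_t off = 0;
    int    n = 0;

    while (off < len) {
        atom_t a;
        int rc = read_atom(buf + off, len - off, fixed, &a);
        if (rc == 1) return n;
        if (rc < 0)  return -1;
        if (a.atom_size == 0) return -2;        /* off += 0 forever */
        if (a.atom_size > len - off) return -1; /* truncated (example policy) */
        off += (size_t)a.atom_size;
        n++;
    }
    return n;
}

/* Constructed input: a 16-byte 64-bit atom header with the given largesize. */
static void build_atom64(uint8_t *out, const char *type, uint64_t largesize)
{
    int i;
    out[0] = 0; out[1] = 0; out[2] = 0; out[3] = 1;   /* size field == 1 */
    memcpy(out + 4, type, 4);
    for (i = 0; i < 8; i++) {
        out[8 + i] = (uint8_t)(largesize >> (56 - 8 * i));
    }
}

/* Return code of read_atom for a constructed 64-bit "mdat" atom. */
int probe_rc(uint64_t largesize, int fixed)
{
    uint8_t buf[32] = {0};
    atom_t  a;
    build_atom64(buf, "mdat", largesize);
    return read_atom(buf, sizeof buf, fixed, &a);
}

/* payload_size a handler would be given; 0 when the header is rejected. */
uint64_t probe_payload(uint64_t largesize, int fixed)
{
    uint8_t buf[32] = {0};
    atom_t  a;
    build_atom64(buf, "mdat", largesize);
    return read_atom(buf, sizeof buf, fixed, &a) == 0 ? a.payload_size : 0;
}

/* Constructed file: a valid 16-byte "ftyp" atom, then a 64-bit "moov"
 * atom whose largesize is 0. */
int walk_demo(int fixed)
{
    static const uint8_t ftyp[16] = { 0, 0, 0, 16, 'f', 't', 'y', 'p',
                                      'i', 's', 'o', 'm', 0, 0, 2, 0 };
    uint8_t buf[32] = {0};
    memcpy(buf, ftyp, 16);
    build_atom64(buf + 16, "moov", 0);
    return walk_atoms(buf, sizeof buf, fixed);
}

int main(void)
{
    printf("largesize 8, unfixed: rc=%d payload=%llu\n",
           probe_rc(8, 0), (unsigned long long)probe_payload(8, 0));
    printf("largesize 8, fixed:   rc=%d\n", probe_rc(8, 1));
    printf("largesize 0 walk: unfixed=%d fixed=%d\n", walk_demo(0), walk_demo(1));
    return 0;
}
```

A largesize of 24 parses identically on both paths (payload 8). A largesize of 8 is accepted unfixed with a payload of 2^64 - 8, the size a handler would then read or seek over, and rejected fixed; a largesize of 0 makes the unfixed walker stall at the same offset and the fixed one return an error.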

Comment 14 errata-xmlrpc 2018-11-26 12:06:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3652 https://access.redhat.com/errata/RHSA-2018:3652

Comment 15 errata-xmlrpc 2018-11-26 12:26:36 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2018:3653 https://access.redhat.com/errata/RHSA-2018:3653

Comment 16 errata-xmlrpc 2018-11-27 09:03:01 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3680 https://access.redhat.com/errata/RHSA-2018:3680

Comment 17 errata-xmlrpc 2018-11-27 09:17:24 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3681 https://access.redhat.com/errata/RHSA-2018:3681