Bug 562798 (CVE-2009-4487)

Summary: CVE-2009-4487 nginx: Absent sanitation of escape sequences in web server log
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jeremy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-23 15:25:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jan Lieskovsky 2010-02-08 12:38:46 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4487 to
the following vulnerability:

nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. 

  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4487
  [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
  [3] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
  [4] http://www.securityfocus.com/bid/37711

Upstream status:
  [5] http://nginx.org/en/security_advisories.html contains record
  for CVE-2009-4487:

    An error log data are not sanitized
    Severity: none
    Not vulnerable: none
    Vulnerable: all

So looks, they are aware of it, but not planning to fix it.

Comment 1 Jan Lieskovsky 2010-02-08 12:58:06 UTC
In fact the impact of this issue against various versions of *term
package / binary, as shipped within Fedora release of 11 and 12,
because advisory [1] from References part above further references
([4], [5], [6], [7] links in [1]):

[a] -- [4] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability

This is #CVE-2008-2383, which is already fixed.

[b] -- [5] Terminal Emulator Security Issues

The list of CNA's is pretty long, but similar as above.

[c] -- [6] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability

This is CVE-2003-0021, which was fixed in upstream Eterm 0.9.2 version
(current versions of Eterm package in Fedora are newer than this).

[d] -- [7] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability

This is CVE-2003-0022, which was fixed in upstream rxvt-v2.7.10 version
(ftp://ftp.rxvt.org/pub/rxvt/rxvt-2.7.10.tar.gz) and current rxvt
packages in Fedora and EPEL repositories are already v2.7.10 based.

So the issues, as mentioned in:

  [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded

would be real issues only on very old (not updated) systems.

Comment 2 Jan Lieskovsky 2010-02-08 13:03:35 UTC
Just for completeness, here are the links to patches for the Cherokee
web server, as applied for the clone of the same issue (CVE-2009-4489)
in Cherokee:


Comment 3 Jeremy Hinegardner 2010-02-10 22:15:03 UTC
I assume this means, since upstream nginx is not providing a fix at this time that we should not do anything?

I'm about package up 0.7.65 and want to check if we should do anything before then.

Comment 4 Jamie Nguyen 2014-02-23 15:25:46 UTC
(In reply to Jan Lieskovsky from comment #1)
> So the issues, as mentioned in:
> References:
>   [2] http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
> would be real issues only on very old (not updated) systems.

Upstream have been aware of this issue for years and have decided not to fix it. As stated in the quote above, it appears to only affect very old systems running vulnerable *term packages so there does not appear to be any significant consequences. I am therefore closing this bug.