Bug 523105 (CVE-2009-2629) - CVE-2009-2629 nginx: ngx_http_parse_complex_uri() buffer underflow vulnerability (VU#180065)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2629
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 523302 523303
Depends On: 539573
Blocks:
Reported: 2009-09-14 07:31 UTC by Tomas Hoger
Modified: 2019-09-29 12:32 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-17 06:31:33 UTC
Embargoed:


Attachments
Upstream patch (849 bytes, patch)
2009-09-14 07:34 UTC, Tomas Hoger

Description Tomas Hoger 2009-09-14 07:31:19 UTC
Chris Ries at the Carnegie Mellon University Information Security Office discovered a flaw in nginx's ngx_http_parse_complex_uri() function used to parse URIs.  Summary of the flaw from Chris:

  A buffer underflow vulnerability exists in nginx that can be triggered by
  a specially crafted URI. The vulnerability causes nginx to write bytes
  from the URI to memory before the allocated buffer. The vulnerability
  can be remotely exploited to crash the nginx worker process, or execute
  arbitrary code in the context of the worker process (which by default
  appears to be run as 'nobody').

On Fedora, nginx non-privileged user is used instead.

CERT/CC is tracking this as VU#180065.

Upstream plans to release new fixed versions of nginx in branches 0.5-0.7 on Sept 14th, 2009.
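
The flaw described above belongs to a well-known class: a URI normalizer that resolves ".." by stepping a write pointer backwards without first checking that it is still inside the buffer. The following is an added illustration of the defensive pattern, written for this page; it is not nginx's ngx_http_parse_complex_uri(), not the upstream patch, and the function names (normalize_uri_path, normalize_cstr) and the sample paths are constructed for the example. It normalizes an absolute path in place, keeps the write cursor at or behind the read cursor so copies never run past the buffer, and rejects a request whose ".." segments would climb above the root instead of writing before the start of the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return values of normalize_uri_path() / normalize_cstr(). */
enum { PATH_OK = 0, PATH_INVALID = -1 };

/*
 * Normalize an absolute URI path in place: collapse "//", drop "/./"
 * and resolve "/../" segments.  The write cursor `w` never exceeds the
 * read cursor `r`, so forward copies stay inside the buffer, and every
 * ".." is checked against the buffer start *before* the cursor moves
 * back.  A path whose ".." segments climb above the root is reported as
 * PATH_INVALID instead of being written before path[0].
 *
 * On success the normalized path occupies path[0 .. *out_len).
 */
int normalize_uri_path(char *path, size_t len, size_t *out_len)
{
    size_t r = 0;          /* read cursor: index of the '/' that starts a segment */
    size_t w = 0;          /* write cursor: bytes emitted so far (w <= r always) */
    bool dir_ref = false;  /* last segment was "", "." or "..": keep a trailing '/' */

    if (len == 0 || path[0] != '/')
        return PATH_INVALID;          /* only absolute paths are handled here */

    while (r < len) {
        size_t s = r + 1;             /* first byte of the segment */
        size_t e = s;                 /* one past the last byte of the segment */
        while (e < len && path[e] != '/')
            e++;
        size_t seglen = e - s;

        if (seglen == 0 || (seglen == 1 && path[s] == '.')) {
            dir_ref = true;           /* "//" or "/./": nothing to emit */
        } else if (seglen == 2 && path[s] == '.' && path[s + 1] == '.') {
            dir_ref = true;
            if (w == 0)
                return PATH_INVALID;  /* nothing left to pop: stepping back would underflow */
            /* Step back over the last emitted segment to its leading '/'. */
            do {
                w--;
            } while (w > 0 && path[w] != '/');
        } else {
            dir_ref = false;
            path[w++] = '/';
            memmove(path + w, path + s, seglen);  /* w <= s, so the overlap is safe */
            w += seglen;
        }
        r = e;
    }

    /* A consumed-but-unemitted segment guarantees w < len, so this write is in bounds. */
    if (dir_ref)
        path[w++] = '/';

    *out_len = w;
    return PATH_OK;
}

/* Convenience wrapper for NUL-terminated strings; the result is re-terminated. */
int normalize_cstr(char *buf)
{
    size_t out = 0;
    int rc = normalize_uri_path(buf, strlen(buf), &out);
    if (rc == PATH_OK)
        buf[out] = '\0';  /* out <= strlen(buf), so the terminator fits */
    return rc;
}

int main(void)
{
    /* Constructed sample paths, not taken from any real request. */
    char ok[] = "/static/../images/./logo.png";
    char bad[] = "/a/../../etc";

    if (normalize_cstr(ok) == PATH_OK)
        printf("normalized: %s\n", ok);       /* /images/logo.png */
    if (normalize_cstr(bad) == PATH_INVALID)
        printf("rejected: climbs above root\n");
    return 0;
}
```

The point of the design is that the bounds decision (`w == 0`) is made before the cursor moves, and that the cursor is an index rather than a raw pointer, so "before the buffer" is a checkable condition rather than undefined behaviour. Rejecting the request outright (rather than silently clamping at "/") also keeps such inputs visible in access logs as 400-class errors.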

Comment 1 Tomas Hoger 2009-09-14 07:33:43 UTC
Jeremy, this problem is non-public at the moment.  Do not make any public comments (including commits to Fedora CVS) about this before it's made public via a new upstream release or publication of the CERT/CC vulnerability report.

Comment 2 Tomas Hoger 2009-09-14 07:34:42 UTC
Created attachment 360889 [details]
Upstream patch

Patch that should be used in upstream updates.

Comment 3 Tomas Hoger 2009-09-14 16:27:14 UTC
Public now, fixed in upstream releases: 0.8.15, 0.7.62, 0.6.39 and 0.5.38

Official upstream patch:
  http://sysoev.ru/nginx/patch.180065.txt

Comment 4 Fedora Update System 2009-09-14 20:30:47 UTC
nginx-0.6.39-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/nginx-0.6.39-1.el5

Comment 5 Fedora Update System 2009-09-14 20:30:56 UTC
nginx-0.7.62-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/nginx-0.7.62-1.fc11

Comment 6 Fedora Update System 2009-09-14 20:31:05 UTC
nginx-0.6.39-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/nginx-0.6.39-1.el4

Comment 7 Fedora Update System 2009-09-14 20:31:13 UTC
nginx-0.7.62-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/nginx-0.7.62-1.fc10

Comment 8 Jeremy Hinegardner 2009-09-14 20:39:42 UTC
*** Bug 523302 has been marked as a duplicate of this bug. ***

Comment 9 Jeremy Hinegardner 2009-09-14 20:41:00 UTC
*** Bug 523303 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2009-09-15 20:59:41 UTC
nginx-0.7.62-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2009-09-15 21:01:46 UTC
nginx-0.7.62-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Jan Lieskovsky 2009-09-16 10:00:45 UTC
MITRE's CVE-2009-2629 record:
-----------------------------

Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through
0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before
0.8.15 allows remote attackers to execute arbitrary code via crafted
HTTP requests.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2629
http://nginx.net/CHANGES
http://nginx.net/CHANGES-0.5
http://nginx.net/CHANGES-0.6
http://nginx.net/CHANGES-0.7
http://sysoev.ru/nginx/patch.180065.txt
http://www.debian.org/security/2009/dsa-1884
http://www.kb.cert.org/vuls/id/180065

Comment 13 Mark D. Foster 2009-09-16 17:33:25 UTC
Please push the EPEL 5 update; it appears to have built correctly the night before last.

Comment 14 Fedora Update System 2009-09-17 02:29:46 UTC
nginx-0.6.39-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2009-09-17 02:32:03 UTC
nginx-0.6.39-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
