Chris Ries at the Carnegie Mellon University Information Security Office discovered a flaw in nginx's ngx_http_parse_complex_uri() function used to parse URIs. Summary of the flaw from Chris: A buffer underflow vulnerability exists in nginx that can be triggered by a specially crafted URI. The vulnerability causes nginx to write bytes from the URI to memory before the allocated buffer. The vulnerability can be remotely exploited to crash the nginx worker process, or execute arbitrary code in the context of the worker process (which by default appears to be run as 'nobody'). On Fedora, the nginx non-privileged user is used instead. CERT/CC is tracking this as VU#180065. Upstream plans to release new fixed versions of nginx in branches 0.5-0.7 on Sept 14th, 2009.
Jeremy, this problem is non-public at the moment. Do not make any public comments (including commits to Fedora CVS) about this before it's made public via a new upstream release or publication of the CERT/CC vulnerability report.
Created attachment 360889: Upstream patch. Patch that should be used in upstream updates.
Public now, fixed in upstream releases: 0.8.15, 0.7.62, 0.6.39 and 0.5.38. Official upstream patch: http://sysoev.ru/nginx/patch.180065.txt
nginx-0.6.39-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/nginx-0.6.39-1.el5
nginx-0.7.62-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/nginx-0.7.62-1.fc11
nginx-0.6.39-1.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/nginx-0.6.39-1.el4
nginx-0.7.62-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/nginx-0.7.62-1.fc10
*** Bug 523302 has been marked as a duplicate of this bug. ***
*** Bug 523303 has been marked as a duplicate of this bug. ***
nginx-0.7.62-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
nginx-0.7.62-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
MITRE's CVE-2009-2629 record:
-----------------------------
Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2629
http://nginx.net/CHANGES
http://nginx.net/CHANGES-0.5
http://nginx.net/CHANGES-0.6
http://nginx.net/CHANGES-0.7
http://sysoev.ru/nginx/patch.180065.txt
http://www.debian.org/security/2009/dsa-1884
http://www.kb.cert.org/vuls/id/180065
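Added example (not code from the bug thread, nginx or the Fedora packages): an affected-version check built from the ranges in the CVE record above and the fixed releases named earlier in the thread, run over a constructed inventory of Server headers so an administrator can find hosts that still need the update.

```python
# Affected-version check for CVE-2009-2629 (nginx ngx_http_parse_complex_uri
# buffer underflow). Ranges come from the MITRE record: 0.1.0 through 0.5.37,
# 0.6.x before 0.6.39, 0.7.x before 0.7.62, 0.8.x before 0.8.15.
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release per branch, as announced upstream.
# Branches 0.1 through 0.4 never received a fix (all releases affected).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (0, 5): (0, 5, 38),
    (0, 6): (0, 6, 39),
    (0, 7): (0, 7, 62),
    (0, 8): (0, 8, 15),
}


def parse_version(text: str) -> Version:
    """Parse '0.7.61' or a Server header value like 'nginx/0.7.61'."""
    text = text.strip()
    if text.lower().startswith("nginx/"):
        text = text[len("nginx/"):]
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised nginx version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in a CVE-2009-2629 affected range."""
    v = parse_version(version)
    if v < (0, 1, 0):
        return False  # below the range the record covers
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    # No per-branch fix listed: 0.1.x-0.4.x are all affected,
    # anything newer than the 0.8 branch postdates the fix.
    return v < (0, 5, 0)


def find_vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Map of host -> Server header; returns hosts still running affected builds."""
    return sorted(h for h, hdr in inventory.items() if is_affected(hdr))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "web1.example": "nginx/0.7.61",   # affected
    "web2.example": "nginx/0.7.62",   # first fixed 0.7 release
    "web3.example": "nginx/0.5.37",   # affected, last unfixed 0.5 release
    "web4.example": "nginx/0.8.15",   # fixed
}
```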
Please push the EPEL 5 update; it appears to have built correctly the night before last.
nginx-0.6.39-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
nginx-0.6.39-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.