diff options
| author | nginx <nginx@nginx.org> | 2014-03-18 16:43:46 +0000 |
|---|---|---|
| committer | Jon Kolb <kolbyjack@gmail.com> | 2014-03-18 16:43:46 +0000 |
| commit | 47c4fba86c48d7b8556c7f4d6d3773a25ab162fe (patch) | |
| tree | f45083ebcdfde566c3775457bfc35053af34b759 | |
| parent | 483f0cd547195b96550760fc5ab510eb67ec0160 (diff) | |
| download | nginx-1.4.tar.gz | |
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_spdy_module, potentially resulting in arbitrary code
execution (CVE-2014-0133).
Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
Manuel Sadosky, Buenos Aires, Argentina.
*) Bugfix: in the "fastcgi_next_upstream" directive.
Thanks to Lucas Molas.
| -rw-r--r-- | CHANGES | 13 | ||||
| -rw-r--r-- | CHANGES.ru | 13 | ||||
| -rw-r--r-- | src/core/nginx.h | 4 | ||||
| -rw-r--r-- | src/http/modules/ngx_http_fastcgi_module.c | 11 | ||||
| -rw-r--r-- | src/http/ngx_http_spdy.c | 2 |
5 files changed, 40 insertions, 3 deletions
@@ -1,4 +1,17 @@ +Changes with nginx 1.4.7 18 Mar 2014 + + *) Security: a heap memory buffer overflow might occur in a worker + process while handling a specially crafted request by + ngx_http_spdy_module, potentially resulting in arbitrary code + execution (CVE-2014-0133). + Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. + Manuel Sadosky, Buenos Aires, Argentina. + + *) Bugfix: in the "fastcgi_next_upstream" directive. + Thanks to Lucas Molas. + + Changes with nginx 1.4.6 04 Mar 2014 *) Bugfix: the "client_max_body_size" directive might not work when diff --git a/CHANGES.ru b/CHANGES.ru index 186bb4670..2f9f3012f 100644 --- a/CHANGES.ru +++ b/CHANGES.ru @@ -1,4 +1,17 @@ +Изменения в nginx 1.4.7 18.03.2014 + + *) Безопасность: при обработке специально созданного запроса модулем + ngx_http_spdy_module могло происходить переполнение буфера в рабочем + процессе, что потенциально могло приводить к выполнению произвольного + кода (CVE-2014-0133). + Спасибо Lucas Molas из Programa STIC, Fundación Dr. Manuel Sadosky, + Buenos Aires, Argentina. + + *) Исправление: в директиве fastcgi_next_upstream. + Спасибо Lucas Molas. + + Изменения в nginx 1.4.6 04.03.2014 *) Исправление: директива client_max_body_size могла не работать при diff --git a/src/core/nginx.h b/src/core/nginx.h index 227e5f735..77c88bf5f 100644 --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1004006 -#define NGINX_VERSION "1.4.6" +#define nginx_version 1004007 +#define NGINX_VERSION "1.4.7" #define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VAR "NGINX" diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c index f386926da..e2427b4a8 100644 --- a/src/http/modules/ngx_http_fastcgi_module.c +++ b/src/http/modules/ngx_http_fastcgi_module.c @@ -1195,6 +1195,10 @@ ngx_http_fastcgi_reinit_request(ngx_http_request_t *r) f->fastcgi_stdout = 0; f->large_stderr = 0; + if (f->split_parts) { + f->split_parts->nelts = 0; + } + r->state = 0; return NGX_OK; @@ -1475,6 +1479,13 @@ ngx_http_fastcgi_process_header(ngx_http_request_t *r) rc = ngx_http_parse_header_line(r, &buf, 1); + if (rc != NGX_OK) { + ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, + "invalid header after joining " + "FastCGI records"); + return NGX_ERROR; + } + h->key.len = r->header_name_end - r->header_name_start; h->key.data = r->header_name_start; h->key.data[h->key.len] = '\0'; diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c index f4f610a82..99afbfca1 100644 --- a/src/http/ngx_http_spdy.c +++ b/src/http/ngx_http_spdy.c @@ -1465,7 +1465,7 @@ static u_char * ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc, u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler) { -#if (NGX_DEBUG) +#if 1 if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) { ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0, "spdy state buffer overflow: " |