authornginx <nginx@nginx.org>2013-05-07 11:28:58 +0000
committerJon Kolb <jon@b0g.us>2013-05-07 11:28:58 +0000
commit6a8e32347b151ac766bf8c33d6df770e0040e602 (patch)
treecd8efcf0780d384335f12311da2fd65f333c8a77
parent740eba7e73bf85fd7e93e2d908f64f649d1819ab (diff)
Changes with nginx 1.5.0 07 May 2013v1.5.0
*) Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs.
-rw-r--r--CHANGES9
-rw-r--r--CHANGES.ru9
-rw-r--r--auto/cc/clang4
-rw-r--r--auto/cc/name2
-rw-r--r--src/core/nginx.h4
-rw-r--r--src/http/modules/ngx_http_proxy_module.c2
-rw-r--r--src/http/ngx_http_parse.c4
7 files changed, 28 insertions, 6 deletions
diff --git a/CHANGES b/CHANGES
index 56aaf478f..fe3e77872 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,13 @@
+Changes with nginx 1.5.0 07 May 2013
+
+ *) Security: a stack-based buffer overflow might occur in a worker
+ process while handling a specially crafted request, potentially
+ resulting in arbitrary code execution (CVE-2013-2028); the bug had
+ appeared in 1.3.9.
+ Thanks to Greg MacManus, iSIGHT Partners Labs.
+
+
Changes with nginx 1.4.0 24 Apr 2013
*) Bugfix: nginx could not be built with the ngx_http_perl_module if the
diff --git a/CHANGES.ru b/CHANGES.ru
index cb961d08b..1087b3a4f 100644
--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,13 @@
+Изменения в nginx 1.5.0 07.05.2013
+
+ *) Безопасность: при обработке специально созданного запроса мог
+ перезаписываться стек рабочего процесса, что могло приводить к
+ выполнению произвольного кода (CVE-2013-2028); ошибка появилась в
+ 1.3.9.
+ Спасибо Greg MacManus, iSIGHT Partners Labs.
+
+
Изменения в nginx 1.4.0 24.04.2013
*) Исправление: nginx не собирался с модулем ngx_http_perl_module, если
diff --git a/auto/cc/clang b/auto/cc/clang
index 9f60d7b3a..2611caa65 100644
--- a/auto/cc/clang
+++ b/auto/cc/clang
@@ -5,8 +5,8 @@
# clang
-NGX_CLANG_VER=`$CC -v 2>&1 | grep 'clang version' 2>&1 \
- | sed -e 's/^.*clang version \(.*\)/\1/'`
+NGX_CLANG_VER=`$CC -v 2>&1 | grep '\(clang\|LLVM\) version' 2>&1 \
+ | sed -e 's/^.* version \(.*\)/\1/'`
echo " + clang version: $NGX_CLANG_VER"
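Review bot: The new pattern `\(clang\|LLVM\) version` relies on `\|` alternation inside a basic regular expression, which is a GNU extension rather than POSIX BRE; with a grep that lacks it the pattern would match nothing and NGX_CLANG_VER would come out empty. Two explicit patterns are portable and say the same thing: `grep -e 'clang version' -e 'LLVM version'`. The same pattern is added in the auto/cc/name hunk, where a miss would let the compiler fall through to a later branch of the elif chain instead of being detected as clang.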
diff --git a/auto/cc/name b/auto/cc/name
index 7a5656c64..51a7ed92e 100644
--- a/auto/cc/name
+++ b/auto/cc/name
@@ -67,7 +67,7 @@ elif `$CC -v 2>&1 | grep 'gcc version' >/dev/null 2>&1`; then
NGX_CC_NAME=gcc
echo " + using GNU C compiler"
-elif `$CC -v 2>&1 | grep 'clang version' >/dev/null 2>&1`; then
+elif `$CC -v 2>&1 | grep '\(clang\|LLVM\) version' >/dev/null 2>&1`; then
NGX_CC_NAME=clang
echo " + using Clang C compiler"
diff --git a/src/core/nginx.h b/src/core/nginx.h
index fec8b6680..be20460eb 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_
-#define nginx_version 1004000
-#define NGINX_VERSION "1.4.0"
+#define nginx_version 1005000
+#define NGINX_VERSION "1.5.0"
#define NGINX_VER "nginx/" NGINX_VERSION
#define NGINX_VAR "NGINX"
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index eadc8c480..892ee27cb 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -2076,7 +2076,7 @@ ngx_http_proxy_internal_body_length_variable(ngx_http_request_t *r,
v->no_cacheable = 0;
v->not_found = 0;
- v->data = ngx_pnalloc(r->connection->pool, NGX_OFF_T_LEN);
+ v->data = ngx_pnalloc(r->pool, NGX_OFF_T_LEN);
if (v->data == NULL) {
return NGX_ERROR;
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index 34b3b85d0..3c168aaf2 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2209,6 +2209,10 @@ data:
}
+ if (ctx->size < 0 || ctx->length < 0) {
+ goto invalid;
+ }
+
return rc;
done:
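Review bot: The added guard catches a bad chunk size only after the fact, by testing whether `ctx->size` or `ctx->length` has already gone negative. If those fields are built up from hex digits with a signed multiply elsewhere in this function (the accumulation is outside the hunk, so this is inferred), the wrap the test depends on is signed overflow, which is undefined behaviour in C and may be optimised differently by different compilers. A bound checked before each multiply rejects oversized values without relying on wraparound, e.g. `if (ctx->size > NGX_MAX_OFF_T_VALUE / 16) { goto invalid; }` in the digit-handling states. The guard also deserves a comment such as `/* a negative size or length means the chunk size overflowed; reject it before callers use it as a byte count */`. The function starts before and continues after this hunk.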