From 47c4fba86c48d7b8556c7f4d6d3773a25ab162fe Mon Sep 17 00:00:00 2001 From: nginx Date: Tue, 18 Mar 2014 16:43:46 +0000 Subject: Changes with nginx 1.4.7 18 Mar 2014 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit *) Security: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_spdy_module, potentially resulting in arbitrary code execution (CVE-2014-0133). Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel Sadosky, Buenos Aires, Argentina. *) Bugfix: in the "fastcgi_next_upstream" directive. Thanks to Lucas Molas. --- CHANGES | 13 +++++++++++++ CHANGES.ru | 13 +++++++++++++ src/core/nginx.h | 4 ++-- src/http/modules/ngx_http_fastcgi_module.c | 11 +++++++++++ src/http/ngx_http_spdy.c | 2 +- 5 files changed, 40 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 3a6b9466d..4d9e62aa6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,17 @@ +Changes with nginx 1.4.7 18 Mar 2014 + + *) Security: a heap memory buffer overflow might occur in a worker + process while handling a specially crafted request by + ngx_http_spdy_module, potentially resulting in arbitrary code + execution (CVE-2014-0133). + Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. + Manuel Sadosky, Buenos Aires, Argentina. + + *) Bugfix: in the "fastcgi_next_upstream" directive. + Thanks to Lucas Molas. + + Changes with nginx 1.4.6 04 Mar 2014 *) Bugfix: the "client_max_body_size" directive might not work when diff --git a/CHANGES.ru b/CHANGES.ru index 186bb4670..2f9f3012f 100644 --- a/CHANGES.ru +++ b/CHANGES.ru @@ -1,4 +1,17 @@ +Изменения в nginx 1.4.7 18.03.2014 + + *) Безопасность: при обработке специально созданного запроса модулем + ngx_http_spdy_module могло происходить переполнение буфера в рабочем + процессе, что потенциально могло приводить к выполнению произвольного + кода (CVE-2014-0133). + Спасибо Lucas Molas из Programa STIC, Fundación Dr. Manuel Sadosky, + Buenos Aires, Argentina. + + *) Исправление: в директиве fastcgi_next_upstream. + Спасибо Lucas Molas. + + Изменения в nginx 1.4.6 04.03.2014 *) Исправление: директива client_max_body_size могла не работать при diff --git a/src/core/nginx.h b/src/core/nginx.h index 227e5f735..77c88bf5f 100644 --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1004006 -#define NGINX_VERSION "1.4.6" +#define nginx_version 1004007 +#define NGINX_VERSION "1.4.7" #define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VAR "NGINX" diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c index f386926da..e2427b4a8 100644 --- a/src/http/modules/ngx_http_fastcgi_module.c +++ b/src/http/modules/ngx_http_fastcgi_module.c @@ -1195,6 +1195,10 @@ ngx_http_fastcgi_reinit_request(ngx_http_request_t *r) f->fastcgi_stdout = 0; f->large_stderr = 0; + if (f->split_parts) { + f->split_parts->nelts = 0; + } + r->state = 0; return NGX_OK; @@ -1475,6 +1479,13 @@ ngx_http_fastcgi_process_header(ngx_http_request_t *r) rc = ngx_http_parse_header_line(r, &buf, 1); + if (rc != NGX_OK) { + ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, + "invalid header after joining " + "FastCGI records"); + return NGX_ERROR; + } + h->key.len = r->header_name_end - r->header_name_start; h->key.data = r->header_name_start; h->key.data[h->key.len] = '\0'; diff --git a/src/http/ngx_http_spdy.c b/src/http/ngx_http_spdy.c index f4f610a82..99afbfca1 100644 --- a/src/http/ngx_http_spdy.c +++ b/src/http/ngx_http_spdy.c @@ -1465,7 +1465,7 @@ static u_char * ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc, u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler) { -#if (NGX_DEBUG) +#if 1 if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) { ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0, "spdy state buffer overflow: " -- cgit v1.2.1