Ubuntu
nginx package

[CVE-2016-4450] NULL pointer dereference while writing client request body

Bug #1587577 reported by Thomas Ward
264
This bug affects 3 people
Affects Status Importance Assigned to Milestone
nginx (Debian)
Fix Released
Unknown
nginx (Ubuntu)
Fix Released
Undecided
Thomas Ward
Trusty
Fix Released
Undecided
Unassigned
Vivid
Won't Fix
Undecided
Unassigned
Wily
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Yakkety
Fix Released
Undecided
Thomas Ward

Bug Description

It was announced by NGINX on May 31, 2016 that there is a security update for NGINX. Patches are available as below.

This is CVE-2016-4450.

------

(http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html)

A problem was identified in nginx code responsible for saving
client request body to a temporary file. A specially crafted request
might result in worker process crash due to a NULL pointer dereference
while writing client request body to a temporary file (CVE-2016-4450).

The problem affects nginx 1.3.9 - 1.11.0.

The problem is fixed in nginx 1.11.1, 1.10.1.

Patch for nginx 1.9.13 - 1.11.0 can be found here:

http://nginx.org/download/patch.2016.write.txt

Patch for older nginx versions (1.3.9 - 1.9.12):

http://nginx.org/download/patch.2016.write2.txt

------

Trusty, Vivid, Wily, Xenial, and Yakkety are affected, based on the NGINX upstream reported 'affected versions'.

See original description
Tags: patch

CVE References

Thomas Ward (teward)
description: updated
Changed in nginx (Ubuntu Xenial):
status: New → Confirmed
Changed in nginx (Ubuntu Wily):
status: New → Confirmed
Changed in nginx (Ubuntu Vivid):
status: New → Confirmed
Changed in nginx (Ubuntu Trusty):
status: New → Confirmed
Changed in nginx (Ubuntu Yakkety):
assignee: nobody → Thomas Ward (teward)
summary: - Security Advisory - May 31 2016
+ Security Advisory - May 31 2016 - CVE-2016-4450
description: updated
Thomas Ward (teward)
Changed in nginx (Ubuntu Yakkety):
status: Confirmed → In Progress
Thomas Ward (teward)
summary: - Security Advisory - May 31 2016 - CVE-2016-4450
+ [CVE-2016-4450] NULL pointer dereference while writing client request
+ body
Thomas Ward (teward)
Changed in nginx (Ubuntu Yakkety):
status: In Progress → Fix Committed
Revision history for this message
Thomas Ward (teward) wrote :

Xenial debdiff. Build tests completed in https://launchpad.net/~teward/+archive/ubuntu/xenial-buildtests/+packages successfully.

Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Revision history for this message
Thomas Ward (teward) wrote :

Wily debdiff. Build tests completed in https://launchpad.net/~teward/+archive/ubuntu/wily-buildtests/+packages successfully.

Revision history for this message
Thomas Ward (teward) wrote :

Vivid is End of Life; it was added to the bug as a result of myself clicking all the affected series... oopsies! Marking Won't Fix, because EOL.

Changed in nginx (Ubuntu Vivid):
status: Confirmed → Won't Fix
Revision history for this message
Thomas Ward (teward) wrote :

Trusty debdiff. Build tests completed in https://launchpad.net/~teward/+archive/ubuntu/trusty-buildtests/+packages successfully.

Bug Watch Updater (bug-watch-updater)
Changed in nginx (Debian):
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.10.1-0ubuntu1

---------------
nginx (1.10.1-0ubuntu1) yakkety; urgency=medium

  * New upstream release (1.10.1) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES-1.10.
  * Update done to address the following security issues:
    - [CVE-2016-4450] NULL pointer dereference while writing client
      request body. (LP: #1587577)
  * Additional changes:
    * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch.

 -- Thomas Ward <email address hidden> Tue, 31 May 2016 19:09:33 -0400

Changed in nginx (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, packages are building now. Thanks!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.10.0-0ubuntu0.16.04.2

---------------
nginx (1.10.0-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference while writing client request
    body (LP: #1587577)
    - debian/patches/cve-2016-4450.patch: Upstream patch to address issue.
    - CVE-2016-4450

 -- Thomas Ward <email address hidden> Tue, 31 May 2016 19:47:42 -0400

Changed in nginx (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.4.6-1ubuntu3.5

---------------
nginx (1.4.6-1ubuntu3.5) trusty-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference while writing client request
    body (LP: #1587577)
    - debian/patches/cve-2016-4450.patch: Upstream patch to address issue.
    - CVE-2016-4450

 -- Thomas Ward <email address hidden> Tue, 31 May 2016 20:23:03 -0400

Changed in nginx (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.9.3-1ubuntu1.2

---------------
nginx (1.9.3-1ubuntu1.2) wily-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference while writing client request
    body (LP: #1587577)
    - debian/patches/cve-2016-4450.patch: Upstream patch to address issue.
    - CVE-2016-4450

 -- Thomas Ward <email address hidden> Tue, 31 May 2016 20:14:23 -0400

Changed in nginx (Ubuntu Wily):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.