Ubuntu
nginx package

CVE-2013-2070: nginx proxy_pass buffer overflow vulnerability

Bug #1182586 reported by Thomas Ward
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nginx (Ubuntu)
Fix Released
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned
Quantal
Fix Released
Medium
Unassigned
Raring
Fix Released
Medium
Unassigned

Bug Description

This is CVE-2013-2070. An nginx proxy_pass buffer overflow risk is present.

Per upstream, nginx versions 1.1.4 and higher are affected. As such, Precise, Quantal, and Raring are affected. Saucy has already received this fix as part of the 1.4.1-1 merge (bug 1177919).

This is tracked on the Ubuntu Security Team CVE Tracker at http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2070.html

The upstream patch for this is located at http://nginx.org/download/patch.2013.proxy.txt

This bug is being created to track the status of this being fixed in affected nginx versions in releases of Ubuntu.

(Bug importance was set to Medium per mdeslaur's guidance on IRC in #ubuntu-hardened.)

See original description

Related branches

lp:ubuntu/precise-security/nginx
lp:ubuntu/quantal-security/nginx
lp:ubuntu/raring-security/nginx
Roger Mbiama Assogo (community): Approve
Diff: 6045 lines (+5938/-7)
11 files modified
.pc/applied-patches (+2/-0)
.pc/cve-2013-2070.patch/src/http/modules/ngx_http_proxy_module.c (+4038/-0)
.pc/cve-2013-4547.patch/src/http/ngx_http_parse.c (+1820/-0)
debian/changelog (+24/-0)
debian/patches/cve-2013-2070.patch (+18/-0)
debian/patches/cve-2013-4547.patch (+21/-0)
debian/patches/series (+2/-0)
debian/patches/ubuntu-branding.patch (+5/-5)
src/core/nginx.h (+2/-2)
src/http/modules/ngx_http_proxy_module.c (+4/-0)
src/http/ngx_http_parse.c (+2/-0)

CVE References

Thomas Ward (teward)
description: updated
Thomas Ward (teward)
Changed in nginx (Ubuntu):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward)
Changed in nginx (Ubuntu Precise):
importance: Undecided → Medium
Changed in nginx (Ubuntu Quantal):
importance: Undecided → Medium
Changed in nginx (Ubuntu Raring):
importance: Undecided → Medium
Changed in nginx (Ubuntu Precise):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu Quantal):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu Raring):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu):
assignee: Thomas Ward (teward) → nobody
Changed in nginx (Ubuntu Precise):
status: New → Confirmed
Changed in nginx (Ubuntu Quantal):
status: New → Confirmed
Changed in nginx (Ubuntu Raring):
status: New → Confirmed
Changed in nginx (Ubuntu):
status: New → Fix Released
Revision history for this message
Thomas Ward (teward) wrote :

To summarize the reasons for the changes on this bug done by me:

This CVE has already been "Fix Released" in Saucy, as part of the 1.4.1-1ubuntu2 package, and as part of the merge of 1.4.1-1 from Debian with the ubuntu delta that exists.

The affected versions are in Precise, Quantal, and Raring, and I have assigned myself to those, as I will be working on preparing debdiffs for each of the affected releases, after which a member of the security team will be able to take a look at the debdiffs for inclusion into the security updates.

Lucid is not affected by this CVE.

Thomas Ward (teward)
Changed in nginx (Ubuntu Precise):
status: Confirmed → In Progress
Changed in nginx (Ubuntu Quantal):
status: Confirmed → In Progress
Changed in nginx (Ubuntu Raring):
status: Confirmed → In Progress
Revision history for this message
Thomas Ward (teward) wrote :

Attaching debdiff, targeting precise-security, which addresses this CVE in precise.

Revision history for this message
Thomas Ward (teward) wrote :

Attaching debdiff, targeting quantal-security, which addresses this CVE in quantal.

Revision history for this message
Thomas Ward (teward) wrote :

Attaching debdiff, targeting raring-security, which addresses this CVE in raring.

Thomas Ward (teward)
Changed in nginx (Ubuntu Precise):
status: In Progress → Confirmed
Changed in nginx (Ubuntu Quantal):
status: In Progress → Confirmed
Changed in nginx (Ubuntu Raring):
status: In Progress → Confirmed
Changed in nginx (Ubuntu Precise):
assignee: Thomas Ward (teward) → nobody
Changed in nginx (Ubuntu Quantal):
assignee: Thomas Ward (teward) → nobody
Changed in nginx (Ubuntu Raring):
assignee: Thomas Ward (teward) → nobody
Revision history for this message
Thomas Ward (teward) wrote :

I have put build tests for this into the PPA at https://launchpad.net/~teward/+archive/nginx-ubuntu-security

I have not found any test-cases yet for this bug, which may require the security team to decide whether or not this patch is to be included without a test-case.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! In general, they are fine, but a couple of nitpicks for future updates:
 * for consistency, the format of the changelog should use 'SECURITY UPDATE', not 'Security update' and follow the changelog format as described in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
 * it isn't required, but normally you will use a '-' rather than a '*' for subentries in the changelog (eg you would use "- Patch to fix a buffer overflow vulnerability (CVE-2013-2070)"
 * you should use simply 'LP: #1182586', not 'closes LP: #1182586'
 * I encourage people to give more detail in the changelog

Eg, if I were writing this I would might write:

nginx (1.1.19-1ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: fix a buffer overflow via proxy_pass
     - debian/patches/cve-2013-2070.patch: verify ctx->size and ctx->length in
        src/http/modules/ngx_http_proxy_module.c
     - LP: #1182586

Builds fine with no new compiler errors/warnings. ACK

Changed in nginx (Ubuntu Precise):
status: Confirmed → Fix Committed
Changed in nginx (Ubuntu Quantal):
status: Confirmed → Fix Committed
Changed in nginx (Ubuntu Raring):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.1.19-1ubuntu0.2

---------------
nginx (1.1.19-1ubuntu0.2) precise-security; urgency=low

  * Security update (closes LP: #1182586):
    * Patch to fix a buffer overflow vulnerability (CVE-2013-2070)
 -- Thomas Ward <email address hidden> Fri, 24 May 2013 12:21:02 -0400

Changed in nginx (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.2.1-2.2ubuntu0.1

---------------
nginx (1.2.1-2.2ubuntu0.1) quantal-security; urgency=low

  * Security update (closes LP: #1182586):
    * Patch to fix a buffer overflow vulnerability (CVE-2013-2070)
 -- Thomas Ward <email address hidden> Fri, 24 May 2013 12:37:12 -0400

Changed in nginx (Ubuntu Quantal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.2.6-1ubuntu3.2

---------------
nginx (1.2.6-1ubuntu3.2) raring-security; urgency=low

  * Security update (closes LP: #1182586):
    * Patch to fix a buffer overflow vulnerability (CVE-2013-2070)
 -- Thomas Ward <email address hidden> Fri, 24 May 2013 12:49:32 -0400

Changed in nginx (Ubuntu Raring):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.