CVE-2013-2070: nginx proxy_pass buffer overflow vulnerability

Bug #1182586 reported by Thomas Ward on 2013-05-21
This bug affects 1 person
Affects | Importance | Assigned to
nginx (Ubuntu) | Medium | Unassigned
Precise | Medium | Unassigned
Quantal | Medium | Unassigned
Raring | Medium | Unassigned

Bug Description

This is CVE-2013-2070. An nginx proxy_pass buffer overflow risk is present.

Per upstream, nginx versions 1.1.4 and higher are affected. As such, Precise, Quantal, and Raring are affected. Saucy has already received this fix as part of the 1.4.1-1 merge (bug 1177919).

This is tracked on the Ubuntu Security Team CVE Tracker at http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2070.html

The upstream patch for this is located at http://nginx.org/download/patch.2013.proxy.txt

This bug is being created to track the status of this being fixed in affected nginx versions in releases of Ubuntu.

(Bug importance was set to Medium per mdeslaur's guidance on IRC in #ubuntu-hardened.)

Thomas Ward (teward) on 2013-05-21
description: updated
Thomas Ward (teward) on 2013-05-21
Changed in nginx (Ubuntu):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) on 2013-05-23
Changed in nginx (Ubuntu Precise):
importance: Undecided → Medium
Changed in nginx (Ubuntu Quantal):
importance: Undecided → Medium
Changed in nginx (Ubuntu Raring):
importance: Undecided → Medium
Changed in nginx (Ubuntu Precise):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu Quantal):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu Raring):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu):
assignee: Thomas Ward (teward) → nobody
Changed in nginx (Ubuntu Precise):
status: New → Confirmed
Changed in nginx (Ubuntu Quantal):
status: New → Confirmed
Changed in nginx (Ubuntu Raring):
status: New → Confirmed
Changed in nginx (Ubuntu):
status: New → Fix Released
Thomas Ward (teward) wrote :

To summarize the reasons for the changes on this bug done by me:

This CVE has already been "Fix Released" in Saucy, as part of the 1.4.1-1ubuntu2 package, and as part of the merge of 1.4.1-1 from Debian with the ubuntu delta that exists.

The affected versions are in Precise, Quantal, and Raring, and I have assigned myself to those, as I will be working on preparing debdiffs for each of the affected releases, after which a member of the security team will be able to take a look at the debdiffs for inclusion into the security updates.

Lucid is not affected by this CVE.

Thomas Ward (teward) on 2013-05-24
Changed in nginx (Ubuntu Precise):
status: Confirmed → In Progress
Changed in nginx (Ubuntu Quantal):
status: Confirmed → In Progress
Changed in nginx (Ubuntu Raring):
status: Confirmed → In Progress
Thomas Ward (teward) wrote :

Attaching debdiff, targeting precise-security, which addresses this CVE in precise.

Thomas Ward (teward) wrote :

Attaching debdiff, targeting quantal-security, which addresses this CVE in quantal.

Thomas Ward (teward) wrote :

Attaching debdiff, targeting raring-security, which addresses this CVE in raring.

Thomas Ward (teward) on 2013-05-24
Changed in nginx (Ubuntu Precise):
status: In Progress → Confirmed
Changed in nginx (Ubuntu Quantal):
status: In Progress → Confirmed
Changed in nginx (Ubuntu Raring):
status: In Progress → Confirmed
Changed in nginx (Ubuntu Precise):
assignee: Thomas Ward (teward) → nobody
Changed in nginx (Ubuntu Quantal):
assignee: Thomas Ward (teward) → nobody
Changed in nginx (Ubuntu Raring):
assignee: Thomas Ward (teward) → nobody
Thomas Ward (teward) wrote :

I have put build tests for this into the PPA at https://launchpad.net/~teward/+archive/nginx-ubuntu-security

I have not found any test-cases yet for this bug, which may require the security team to decide whether or not this patch is to be included without a test-case.

Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! In general, they are fine, but a couple of nitpicks for future updates:
 * for consistency, the format of the changelog should use 'SECURITY UPDATE', not 'Security update' and follow the changelog format as described in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
 * it isn't required, but normally you will use a '-' rather than a '*' for subentries in the changelog (eg you would use "- Patch to fix a buffer overflow vulnerability (CVE-2013-2070)")
 * you should use simply 'LP: #1182586', not 'closes LP: #1182586'
 * I encourage people to give more detail in the changelog

Eg, if I were writing this I might write:

nginx (1.1.19-1ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: fix a buffer overflow via proxy_pass
     - debian/patches/cve-2013-2070.patch: verify ctx->size and ctx->length in
        src/http/modules/ngx_http_proxy_module.c
     - LP: #1182586

Builds fine with no new compiler errors/warnings. ACK

Changed in nginx (Ubuntu Precise):
status: Confirmed → Fix Committed
Changed in nginx (Ubuntu Quantal):
status: Confirmed → Fix Committed
Changed in nginx (Ubuntu Raring):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.1.19-1ubuntu0.2

---------------
nginx (1.1.19-1ubuntu0.2) precise-security; urgency=low

  * Security update (closes LP: #1182586):
    * Patch to fix a buffer overflow vulnerability (CVE-2013-2070)
 -- Thomas Ward <email address hidden> Fri, 24 May 2013 12:21:02 -0400

Changed in nginx (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.2.1-2.2ubuntu0.1

---------------
nginx (1.2.1-2.2ubuntu0.1) quantal-security; urgency=low

  * Security update (closes LP: #1182586):
    * Patch to fix a buffer overflow vulnerability (CVE-2013-2070)
 -- Thomas Ward <email address hidden> Fri, 24 May 2013 12:37:12 -0400

Changed in nginx (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.2.6-1ubuntu3.2

---------------
nginx (1.2.6-1ubuntu3.2) raring-security; urgency=low

  * Security update (closes LP: #1182586):
    * Patch to fix a buffer overflow vulnerability (CVE-2013-2070)
 -- Thomas Ward <email address hidden> Fri, 24 May 2013 12:49:32 -0400

Changed in nginx (Ubuntu Raring):
status: Fix Committed → Fix Released