Specially crafted request URI permits security restriction bypass [CVE-2013-4547]

Bug #1253691 reported by Robie Basak on 2013-11-21
This bug affects 2 people
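Affects: nginx (Debian). Status: Fix Released. Importance: Unknown.
Affects: nginx (Ubuntu). Importance: High. Assigned to: Unassigned.
Affects: nginx (Ubuntu Precise). Importance: High. Assigned to: Unassigned.
Affects: nginx (Ubuntu Quantal). Importance: High. Assigned to: Unassigned.
Affects: nginx (Ubuntu Raring). Importance: High. Assigned to: Unassigned.
Affects: nginx (Ubuntu Saucy). Importance: High. Assigned to: Unassigned.
Affects: nginx (Ubuntu Trusty). Importance: High. Assigned to: Unassigned.
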
Thomas Ward (teward) wrote :

For records:

The problem affects nginx 0.8.41 - 1.5.6.

The problem is fixed in nginx 1.5.7, 1.4.4.

------

Precise, Quantal, Raring, Saucy, and Trusty are currently affected.

Changed in nginx (Debian):
status: Unknown → Fix Released
Thomas Ward (teward) on 2013-11-21
summary: Specially crafted request URI permits security restriction bypass
+ [CVE-2013-4547]
Thomas Ward (teward) wrote :

Confirmed / High set after consulting with #ubuntu-hardened on IRC with regard to how the status and importance are to be set.

Changed in nginx (Ubuntu Precise):
importance: Undecided → High
status: New → Confirmed
Changed in nginx (Ubuntu Quantal):
importance: Undecided → High
status: New → Confirmed
Changed in nginx (Ubuntu Raring):
importance: Undecided → High
status: New → Confirmed
Changed in nginx (Ubuntu Saucy):
status: New → Confirmed
importance: Undecided → High
Changed in nginx (Ubuntu Trusty):
status: New → Confirmed
importance: Undecided → High
Thomas Ward (teward) wrote :

Precise debdiff for this bug.

Thomas Ward (teward) wrote :

Quantal debdiff for this bug.

Thomas Ward (teward) wrote :

Raring debdiff for this bug.

Thomas Ward (teward) wrote :

Saucy debdiff for this bug.

Thomas Ward (teward) wrote :

cjwatson has told me that they will merge 1.4.4 from Debian into Trusty, once it's listed in `rmadison -u debian nginx`. Since nginx 1.4.4 has a fix for this CVE included in it, that should fix this bug for Trusty. (nginx 1.4.4 from Debian also addresses other bugs and issues in the Debian package, and is not yet displayed in rmadison because it was only uploaded today)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.2.1-2.2ubuntu0.2

---------------
nginx (1.2.1-2.2ubuntu0.2) quantal-security; urgency=low

  * SECURITY UPDATE: ACL bypass via space character (LP: #1253691)
    - debian/patches/cve-2013-4547.patch: modify src/http/ngx_http_parse.c
      to account for a space character, fixing an issue which could result in
      security restrictions being bypassed
    - CVE-2013-4547
 -- Thomas Ward <email address hidden> Thu, 21 Nov 2013 13:19:37 -0500

Changed in nginx (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.2.6-1ubuntu3.3

---------------
nginx (1.2.6-1ubuntu3.3) raring-security; urgency=low

  * SECURITY UPDATE: ACL bypass via space character (LP: #1253691)
    - debian/patches/cve-2013-4547.patch: modify src/http/ngx_http_parse.c
      to account for a space character, fixing an issue which could result in
      security restrictions being bypassed
    - CVE-2013-4547
 -- Thomas Ward <email address hidden> Thu, 21 Nov 2013 13:24:46 -0500

Changed in nginx (Ubuntu Raring):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.1.19-1ubuntu0.5

---------------
nginx (1.1.19-1ubuntu0.5) precise-security; urgency=low

  * SECURITY UPDATE: ACL bypass via space character (LP: #1253691)
    - debian/patches/cve-2013-4547.patch: modify src/http/ngx_http_parse.c
      to account for a space character, fixing an issue which could result in
      security restrictions being bypassed
    - CVE-2013-4547
 -- Thomas Ward <email address hidden> Thu, 21 Nov 2013 13:02:22 -0500

Changed in nginx (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.4.1-3ubuntu1.1

---------------
nginx (1.4.1-3ubuntu1.1) saucy-security; urgency=low

  * SECURITY UPDATE: ACL bypass via space character (LP: #1253691)
    - debian/patches/cve-2013-4547.patch: modify src/http/ngx_http_parse.c
      to account for a space character, fixing an issue which could result in
      security restrictions being bypassed
    - CVE-2013-4547
 -- Thomas Ward <email address hidden> Thu, 21 Nov 2013 13:27:20 -0500

Changed in nginx (Ubuntu Saucy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.4.4-1ubuntu1

---------------
nginx (1.4.4-1ubuntu1) trusty; urgency=low

  * Resynchronise with Debian (LP: #1253691). Remaining changes:
    - debian/patches/ubuntu-branding.patch:
      + Add Ubuntu branding to server_tokens.

nginx (1.4.4-1) unstable; urgency=low

  [ Christos Trochalakis ]
  * New upstream release. (Closes: #730012)
  * debian/nginx-*.postinst:
    + Wait for the new master to write its pid file before sending QUIT to the
      old master. This solves an issue with systemd and the upgrade mechanism.
      Systemd receives the SIGCHLD from the old master but it can't see the new
      pid because the new master has not written it yet. As a result, it kills
      everything inside the cgroup, including the new master.
  * debian/modules/ngx-fancyindex:
    + Upgrade Fancy Index module to v0.3.3 (Closes: #728721)
  * debian/control:
    + Remove Upload module from nginx-extras description (Closes: #729003)

  [ Michael Lustfield ]
  * debian/control:
    + Added spdy to package description (Closes: #728038)
  * debian/nginx-common.nginx.init:
    + Showing better start/stop messages. Thanks Pim van den Berg.
      (Closes: #728103)
 -- Colin Watson <email address hidden> Fri, 22 Nov 2013 12:23:25 +0000

Changed in nginx (Ubuntu Trusty):
status: Confirmed → Fix Released
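
Added example, not part of the original bug report or of the nginx or Ubuntu projects: a check that combines the upstream affected range quoted above (0.8.41 - 1.5.6, fixed in 1.5.7 and 1.4.4) with the per-series fixed package versions from the changelogs. The security uploads keep an upstream version that is still inside the affected range, so the full package version has to be compared. The function names and the simplified Debian version comparison (no epoch handling) are assumptions of this example.

```python
import re

# Added example (not from the bug report). Fixed versions are copied from the changelogs above.
FIXED_IN = {
    "precise": "1.1.19-1ubuntu0.5", "quantal": "1.2.1-2.2ubuntu0.2",
    "raring": "1.2.6-1ubuntu3.3", "saucy": "1.4.1-3ubuntu1.1", "trusty": "1.4.4-1ubuntu1",
}

def upstream_affected(upstream):
    """Upstream range from the page: 0.8.41 - 1.5.6, with 1.4.4+ on the 1.4 branch fixed."""
    v = tuple(int(n) for n in re.findall(r"\d+", upstream)[:3])
    if not (0, 8, 41) <= v <= (1, 5, 6):
        return False
    return not (v[:2] == (1, 4) and v >= (1, 4, 4))

def _order(ch):
    # Debian character ordering: '~' first, then end/digit, letters, other symbols.
    if ch in ("~", ""):
        return -1 if ch else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, as Debian version ordering does.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa, ob = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_cmp(a, b):
    """Return <0, 0 or >0 for Debian-style versions (epochs omitted for brevity)."""
    ua, _, ra = a.rpartition("-") if "-" in a else (a, "", "")
    ub, _, rb = b.rpartition("-") if "-" in b else (b, "", "")
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def still_exposed(series, pkg_version):
    """True if this nginx package version on the given Ubuntu series lacks the fix."""
    if not upstream_affected(pkg_version.rsplit("-", 1)[0]):
        return False
    fixed = FIXED_IN.get(series)
    # Unknown series: fall back to the upstream range alone (assumption of this example).
    return True if fixed is None else deb_cmp(pkg_version, fixed) < 0
```

The installed version to pass in can be read with `dpkg-query -W -f='${Version}' nginx-common`.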
This report contains Public Security information
Everyone can see this security related information.
