[CVE-2016-4450] NULL pointer dereference while writing client request body

Bug #1587577 reported by Thomas Ward on 2016-05-31
This bug affects 3 people
Affects (status, importance and assignee as listed):
nginx (Debian): status Fix Released, importance Unknown
nginx (Ubuntu): importance Undecided, assigned to Thomas Ward
Trusty: importance Undecided, unassigned
Vivid: importance Undecided, unassigned
Wily: importance Undecided, unassigned
Xenial: importance Undecided, unassigned
Yakkety: importance Undecided, assigned to Thomas Ward

Bug Description

It was announced by NGINX on May 31, 2016 that there is a security update for NGINX. Patches are available as below.

This is CVE-2016-4450.

------

(http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html)

A problem was identified in nginx code responsible for saving
client request body to a temporary file. A specially crafted request
might result in worker process crash due to a NULL pointer dereference
while writing client request body to a temporary file (CVE-2016-4450).

The problem affects nginx 1.3.9 - 1.11.0.

The problem is fixed in nginx 1.11.1, 1.10.1.

Patch for nginx 1.9.13 - 1.11.0 can be found here:

http://nginx.org/download/patch.2016.write.txt

Patch for older nginx versions (1.3.9 - 1.9.12):

http://nginx.org/download/patch.2016.write2.txt

------

Trusty, Vivid, Wily, Xenial, and Yakkety are affected, based on the NGINX upstream reported 'affected versions'.
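
A version triage built from the ranges in the advisory above and the fixed package versions recorded further down in this report, as an added example (not part of the bug report, nginx, or Ubuntu tooling). The function names are hypothetical and the package comparison is a simplified ordering; on a real host `dpkg --compare-versions` is authoritative.

```python
import re

# Fixed package versions from the Launchpad Janitor comments in this report.
# Vivid was marked Won't Fix (end of life), so it has no fixed version.
UBUNTU_FIXED = {
    "trusty": "1.4.6-1ubuntu3.5",
    "vivid": None,
    "wily": "1.9.3-1ubuntu1.2",
    "xenial": "1.10.0-0ubuntu0.16.04.2",
    "yakkety": "1.10.1-0ubuntu1",
}
PATCH_NEW = "http://nginx.org/download/patch.2016.write.txt"   # 1.9.13 - 1.11.0
PATCH_OLD = "http://nginx.org/download/patch.2016.write2.txt"  # 1.3.9 - 1.9.12


def upstream_tuple(version):
    """Extract (major, minor, patch) from '1.9.13' or 'nginx/1.9.13 (Ubuntu)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no nginx version in {version!r}")
    return tuple(int(p) for p in m.groups())


def upstream_status(version):
    """Classify an unpatched upstream build as (state, patch URL or None)."""
    v = upstream_tuple(version)
    if v < (1, 3, 9):
        return ("not affected", None)
    # 1.10.1 sorts below 1.11.0 yet is a fixed release: test the 1.10 branch
    # separately instead of using a single "<= 1.11.0" comparison.
    if v >= (1, 11, 1) or (v[:2] == (1, 10) and v >= (1, 10, 1)):
        return ("fixed", None)
    return ("affected", PATCH_NEW if v >= (1, 9, 13) else PATCH_OLD)


def _key(pkg_version):
    # Simplified ordering (assumption): alternate digit / non-digit runs,
    # digits compared as integers. Not a full dpkg version comparison.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|\D+", pkg_version)]


def ubuntu_status(series, pkg_version):
    """Compare an installed Ubuntu package version with the fixed one."""
    if series not in UBUNTU_FIXED:
        return "unknown series"
    fixed = UBUNTU_FIXED[series]
    if fixed is None:
        return "no fix (end of life)"
    return "fixed" if _key(pkg_version) >= _key(fixed) else "affected"
```

On Ubuntu the package version decides: a patched Trusty host still reports upstream 1.4.6, which `upstream_status` alone would classify as affected.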


Thomas Ward (teward) on 2016-05-31
description: updated
Changed in nginx (Ubuntu Xenial):
status: New → Confirmed
Changed in nginx (Ubuntu Wily):
status: New → Confirmed
Changed in nginx (Ubuntu Vivid):
status: New → Confirmed
Changed in nginx (Ubuntu Trusty):
status: New → Confirmed
Changed in nginx (Ubuntu Yakkety):
assignee: nobody → Thomas Ward (teward)
summary: - Security Advisory - May 31 2016
+ Security Advisory - May 31 2016 - CVE-2016-4450
description: updated
Thomas Ward (teward) on 2016-05-31
Changed in nginx (Ubuntu Yakkety):
status: Confirmed → In Progress
Thomas Ward (teward) on 2016-05-31
summary: - Security Advisory - May 31 2016 - CVE-2016-4450
+ [CVE-2016-4450] NULL pointer dereference while writing client request
+ body
Thomas Ward (teward) on 2016-05-31
Changed in nginx (Ubuntu Yakkety):
status: In Progress → Fix Committed
Thomas Ward (teward) wrote :

Xenial debdiff. Build tests completed in https://launchpad.net/~teward/+archive/ubuntu/xenial-buildtests/+packages successfully.

tags: added: patch
Thomas Ward (teward) wrote :

Wily debdiff. Build tests completed in https://launchpad.net/~teward/+archive/ubuntu/wily-buildtests/+packages successfully.

Thomas Ward (teward) wrote :

Vivid is End of Life; it was added to the bug as a result of myself clicking all the affected series... oopsies! Marking Won't Fix, because EOL.

Changed in nginx (Ubuntu Vivid):
status: Confirmed → Won't Fix
Thomas Ward (teward) wrote :

Trusty debdiff. Build tests completed in https://launchpad.net/~teward/+archive/ubuntu/trusty-buildtests/+packages successfully.

Changed in nginx (Debian):
status: Unknown → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.10.1-0ubuntu1

---------------
nginx (1.10.1-0ubuntu1) yakkety; urgency=medium

  * New upstream release (1.10.1) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES-1.10.
  * Update done to address the following security issues:
    - [CVE-2016-4450] NULL pointer dereference while writing client
      request body. (LP: #1587577)
  * Additional changes:
    * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch.

 -- Thomas Ward <email address hidden> Tue, 31 May 2016 19:09:33 -0400

Changed in nginx (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, packages are building now. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.10.0-0ubuntu0.16.04.2

---------------
nginx (1.10.0-0ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference while writing client request
    body (LP: #1587577)
    - debian/patches/cve-2016-4450.patch: Upstream patch to address issue.
    - CVE-2016-4450

 -- Thomas Ward <email address hidden> Tue, 31 May 2016 19:47:42 -0400

Changed in nginx (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.4.6-1ubuntu3.5

---------------
nginx (1.4.6-1ubuntu3.5) trusty-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference while writing client request
    body (LP: #1587577)
    - debian/patches/cve-2016-4450.patch: Upstream patch to address issue.
    - CVE-2016-4450

 -- Thomas Ward <email address hidden> Tue, 31 May 2016 20:23:03 -0400

Changed in nginx (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.9.3-1ubuntu1.2

---------------
nginx (1.9.3-1ubuntu1.2) wily-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference while writing client request
    body (LP: #1587577)
    - debian/patches/cve-2016-4450.patch: Upstream patch to address issue.
    - CVE-2016-4450

 -- Thomas Ward <email address hidden> Tue, 31 May 2016 20:14:23 -0400

Changed in nginx (Ubuntu Wily):
status: Confirmed → Fix Released
This report contains Public Security information
Everyone can see this security related information.
