Security Advisory - July 11 2017: CVE-2017-7529

Bug #1704151 reported by Thomas Ward on 2017-07-13
Affects          Status   Importance   Assigned to   Milestone
nginx (Ubuntu)            Medium       Thomas Ward
Trusty                    Medium       Unassigned
Xenial                    Medium       Unassigned
Yakkety                   Medium       Unassigned
Zesty                     Medium       Unassigned
Artful                    Medium       Thomas Ward

Bug Description

It was reported by NGINX that there was a security vulnerability. Specifically that:

A specially crafted request might result in an integer overflow and incorrect processing of ranges in the range filter, potentially resulting in sensitive information leak.

------

Refer to original notice here: http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html

Copy of the message contents below:

Hello!

A security issue was identified in nginx range filter. A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).

When using nginx with standard modules this allows an attacker to
obtain a cache file header if a response was returned from cache.
In some configurations a cache file header may contain IP address
of the backend server or other sensitive information.

Besides, with 3rd party modules it is potentially possible that
the issue may lead to a denial of service or a disclosure of
a worker process memory. No such modules are currently known though.

The issue affects nginx 0.5.6 - 1.13.2.
The issue is fixed in nginx 1.13.3, 1.12.1.

For older versions, the following configuration can be used
as a temporary workaround:

    max_ranges 1;

Patch for the issue can be found here:

http://nginx.org/download/patch.2017.ranges.txt

--
Maxim Dounin
http://nginx.org/

------

Thomas Ward (teward) wrote :

A temporary workaround would be to set this in your configuration:

  max_ranges 1;
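
An added example, not part of the bug report or of nginx itself, that applies the version boundaries from the advisory quoted above (affected 0.5.6 - 1.13.2, fixed in 1.12.1 and 1.13.3) to a Server header string during triage. The branch-aware "fixed" handling, the "unknown" result for servers that withhold their version, and the sample headers are assumptions of this check; distribution builds such as the Ubuntu packages tracked here may carry the backported fix under an unchanged version string, so "affected" means "verify the package changelog", not "confirmed vulnerable".

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Boundaries from the advisory quoted above: 0.5.6 - 1.13.2 affected,
# fixed in 1.13.3 (mainline) and 1.12.1 (stable).
FIRST_AFFECTED: Version = (0, 5, 6)
LAST_AFFECTED: Version = (1, 13, 2)
FIXED_IN = {(1, 12): (1, 12, 1), (1, 13): (1, 13, 3)}

# Matches "nginx" with or without a "/x.y.z" suffix (server_tokens off
# leaves only the product name in the header).
_SERVER_RE = re.compile(r"\bnginx(?:/(\d+)\.(\d+)\.(\d+))?", re.IGNORECASE)


def parse_server_header(value: str) -> Tuple[bool, Optional[Version]]:
    """Return (is_nginx, version); version is None when it is withheld."""
    m = _SERVER_RE.search(value or "")
    if not m:
        return False, None
    if m.group(1) is None:
        return True, None
    return True, (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def cve_2017_7529_status(server_header: str) -> str:
    """Classify as 'affected', 'fixed', 'not-affected', 'unknown' or 'not-nginx'.

    'affected' is a prompt to check the package changelog: distribution
    builds (such as the Ubuntu packages this bug tracks) may backport the
    fix without bumping the version reported in the Server header.
    """
    is_nginx, version = parse_server_header(server_header)
    if not is_nginx:
        return "not-nginx"
    if version is None:
        return "unknown"
    fixed = FIXED_IN.get(version[:2])
    if fixed is not None and version >= fixed:
        return "fixed"
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "affected"
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real host.
    for header in ("nginx/1.12.0", "nginx/1.12.1", "nginx/1.13.2",
                   "nginx/1.13.3", "nginx", "Apache/2.4.29 (Ubuntu)"):
        print(f"{header:28s} -> {cve_2017_7529_status(header)}")
```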

Changed in nginx (Ubuntu Zesty):
status: New → Confirmed
Changed in nginx (Ubuntu Yakkety):
status: New → Confirmed
Changed in nginx (Ubuntu Xenial):
status: New → Incomplete
status: Incomplete → Confirmed
Changed in nginx (Ubuntu Trusty):
status: New → Confirmed
importance: Undecided → Medium
Changed in nginx (Ubuntu Xenial):
importance: Undecided → Medium
Changed in nginx (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in nginx (Ubuntu Zesty):
importance: Undecided → Medium
Changed in nginx (Ubuntu Artful):
status: Confirmed → In Progress
Thomas Ward (teward) on 2017-07-13
Changed in nginx (Ubuntu Zesty):
status: Confirmed → Fix Released
Changed in nginx (Ubuntu Yakkety):
status: Confirmed → Fix Released
Changed in nginx (Ubuntu Xenial):
status: Confirmed → Fix Released
Changed in nginx (Ubuntu Trusty):
status: Confirmed → Won't Fix
status: Won't Fix → Fix Released
Thomas Ward (teward) on 2017-07-15
Changed in nginx (Ubuntu Artful):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.12.1-0ubuntu1

---------------
nginx (1.12.1-0ubuntu1) artful; urgency=medium

  * New upstream release (1.12.1) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES-1.12
  * This release is a security patch micro-release from Upstream.
  * This package contains security content to fix the following CVEs:
    * CVE-2017-7529: A security issue was identified in nginx range filter.
      A specially crafted request might result in an integer overflow and
      incorrect processing of ranges, potentially resulting in sensitive
      information leak. (Closes LP: #1704151)
  * Additional changes:
    * d/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch.

 -- Thomas Ward <email address hidden> Sat, 15 Jul 2017 12:40:15 -0400

Changed in nginx (Ubuntu Artful):
status: Fix Committed → Fix Released