buffer overflow, null pointer deref in nginx rtmp module

Bug #1977718 reported by Sven Neuhaus
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
nginx (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Thomas Ward |
Jammy | Fix Released | Undecided | Thomas Ward |

Bug Description

The relevant package name is libnginx-mod-rtmp.

There is a fix for a buffer overrun in the nginx RTMP module:

https://github.com/arut/nginx-rtmp-module/commit/2f2db811f8533782dfbef57fdb14f4737e2be55a

It should be applied to this package.

You should also fix the null pointer dereference, as done with this commit:

https://github.com/arut/nginx-rtmp-module/commit/23e1873aa62acb58b7881eed2a501f5bf35b82e9

Steve Beattie (sbeattie) wrote :

Thanks for the report. Have CVEs been assigned for either of these issues?

Given that the commits are public, I'm opening this bug up as public as well.

information type: Private Security → Public Security
Changed in nginx (Ubuntu):
status: New → Confirmed
Changed in nginx (Ubuntu Focal):
status: New → Confirmed
Changed in nginx (Ubuntu Jammy):
status: New → Confirmed
Changed in nginx (Ubuntu):
status: Confirmed → Fix Released
Changed in nginx (Ubuntu Focal):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu Jammy):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward)
summary: - buffer overflow in nginx rtmp module
+ buffer overflow, null pointer deref in nginx rtmp module
Thomas Ward (teward) wrote :

Debdiffs prepared for Security Team review / inclusion. Note that the specific module is embedded in debian/modules/... so non-standard patching (aka non-Quilt-patching) was utilized.

Upstream patches were {UPSTREAM_URL}.patch to get the patch files that were applied.

Leonidas S. Barbosa (leosilvab) wrote :

Hello Thomas,

I'm from the security team and will handle it and let this bug know when it is done. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.18.0-6ubuntu14.6

---------------
nginx (1.18.0-6ubuntu14.6) jammy-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference in nginx-rtmp-module.
    - debian/modules/rtmp/ngx_rtmp_amf.c patched with upstream
      commits.
  * SECURITY UPDATE: buffer overrun in nginx-rtmp-module
    - debian/modules/rtmp/ngx_rtmp_handler.c patched with upstream
      commits.
  * Closes LP: #1977718

 -- Thomas Ward <email address hidden> Fri, 14 Feb 2025 13:40:46 -0500

Changed in nginx (Ubuntu Jammy):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.18.0-0ubuntu1.7

---------------
nginx (1.18.0-0ubuntu1.7) focal-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference in nginx-rtmp-module.
    - debian/modules/rtmp/ngx_rtmp_amf.c patched with upstream
      commits.
  * SECURITY UPDATE: buffer overrun in nginx-rtmp-module
    - debian/modules/rtmp/ngx_rtmp_handler.c patched with upstream
      commits.
  * Closes LP: #1977718

 -- Thomas Ward <email address hidden> Fri, 14 Feb 2025 13:44:44 -0500

Changed in nginx (Ubuntu Focal):
status: Confirmed → Fix Released