nginx packages in hardy/hardy-backports allow null-byte vulnerability in certain configurations

Bug #803720 reported by Neal Poole on 2011-06-30
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Hardy Backports
Undecided
Unassigned
nginx (Ubuntu)
Medium
Unassigned

Bug Description

This is related to LP #783508.

After more investigation, I've concluded that the issue identified in #783508 affects nginx 0.5, 0.6, 0.7 < 0.7.66, and 0.8 < 0.8.38. The nginx packages in hardy and hardy-backports are based off of the 0.5 and 0.6 branches of nginx (respectively) which means they're vulnerable. I've reported this issue upstream as well as to Red Hat (see https://bugzilla.redhat.com/show_bug.cgi?id=717078).

I attempted to build a debdiff for the 0.5 branch by applying the relevant changeset from the nginx SVN repository. However, the changeset patch does not apply properly given the differences between the 0.5 and 0.7 branches of nginx. I am not confident in my ability to provide a patch for this issue without potentially breaking the application.

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Changed in nginx (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Neal Poole (nealpoole) wrote :

Alright. I've generated debdiffs for the relevant packages based on the original nginx patch for the 0.7 branch. Although the nginx patch did not apply cleanly to either branch, I did my best to make sure all the relevant code paths were updated. Please let me know if I've messed something up or there's something else I need to change.

Neal Poole (nealpoole) wrote :

Now attaching the debdiff for the hardy-backports package. I may have mangled the version string in this debdiff: I wasn't sure which part of the version I should be incrementing.

Marc Deslauriers (mdeslaur) wrote :

ACK on the hardy debdiff, looks good. Thanks!
The package has been uploaded for building and will be released today.

For hardy-backports, the process is different, I'll ask someone from the backports team to comment here.

Changed in nginx (Ubuntu):
status: Confirmed → Fix Committed
Scott Kitterman (kitterman) wrote :

For hardy-backports, if you can test that the package, as modified, builds, installs, and runs (that is at least starts, it needn't be extensive), we can get the fix in backports too.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 0.5.33-1ubuntu0.2

---------------
nginx (0.5.33-1ubuntu0.2) hardy-security; urgency=low

  * SECURITY UPDATE:
      - Merge r3528 from upstream repository to mitigate
        potential null byte vulnerability (LP: #803720)
 -- Neal Poole <email address hidden> Tue, 12 Jul 2011 21:41:00 -0400

Changed in nginx (Ubuntu):
status: Fix Committed → Fix Released
Neal Poole (nealpoole) wrote :

Ran the following commands for the hardy-backports code:

./configure --prefix=/home/nbpoole/nginx/nginx-dev
make
make install
sudo ./sbin/nginx -c ~/nginx/nginx-dev/conf/nginx.conf

Server started up just fine. I tested it very briefly: it served up the requests (and returned a 400 error when the URL contained a null byte).

Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-security-sponsors, since the backports team will take care of the backport in Hardy. Thanks!

Neal Poole (nealpoole) wrote :

FYI, the details have been published at https://nealpoole.com/blog/2011/08/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/

Chinese hackers appear to be particularly interested in this vulnerability. I would recommend trying to release a patched version ASAP.

Jamie Strandboge (jdstrand) wrote :

Neal, could you respond on Scott's question in comment #5?

Neal Poole (nealpoole) wrote :

I though I did in comment #7. Let me know if what I did is sufficient (and if it isn't, what else I should do).

Neal Poole (nealpoole) wrote :

Jamie, is this still waiting on me to do something?

Iain Lane (laney) wrote :

uploading, sorry for the delays

Iain Lane (laney) wrote :

Ack from ubuntu-backporters. Uploaded to hardy/unapproved now.

Thanks for the patches Neal :-)

Changed in hardy-backports:
status: New → Incomplete
status: Incomplete → Confirmed
Iain Lane (laney) on 2011-10-08
Changed in hardy-backports:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers