diff -Nru --exclude git nginx-0.7.65/debian/changelog nginx-0.7.65/debian/changelog
--- nginx-0.7.65/debian/changelog 2012-01-12 02:57:20.000000000 -0500
+++ nginx-0.7.65/debian/changelog 2012-06-12 12:39:39.000000000 -0400
@@ -1,3 +1,12 @@
+nginx (0.7.65-1ubuntu2.3) lucid; urgency=low
+
+ * Security update (closes LP: #956150):
+ * Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
+ * Patch to fix 'Heap-based buffer overflow in compression-pointer
+ processing in core/ngx_resolver.c' (CVE-2011-4315).
+
+ -- Thomas Ward Tue, 12 Jun 2012 12:37:49 -0400
+
 nginx (0.7.65-1ubuntu2.2) lucid-proposed; urgency=low
 
 * debian/patches/LP-902223.patch: Patch to fix reloading
diff -Nru --exclude git nginx-0.7.65/debian/patches/cve-2011-4315.patch nginx-0.7.65/debian/patches/cve-2011-4315.patch
--- nginx-0.7.65/debian/patches/cve-2011-4315.patch 1969-12-31 19:00:00.000000000 -0500
+++ nginx-0.7.65/debian/patches/cve-2011-4315.patch 2012-06-12 12:32:50.000000000 -0400
@@ -0,0 +1,35 @@
+From: Thomas Ward
+Description: Fixes CVE-2011-4315 - Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/956150
+Origin: upstream, http://trac.nginx.org/nginx/changeset/4268/nginx
+
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -1919,7 +1919,13 @@
+ n = *src++;
+
+ for ( ;; ) {
+- if (n != 0xc0) {
++ if (n & 0xc0) {
++ n = ((n & 0x3f) << 8) + *src;
++ src = &buf[n];
++
++ n = *src++;
++
++ } else {
+ ngx_memcpy(dst, src, n);
+ dst += n;
+ src += n;
+@@ -1929,12 +1935,6 @@
+ if (n != 0) {
+ *dst++ = '.';
+ }
+-
+- } else {
+- n = ((n & 0x3f) << 8) + *src;
+- src = &buf[n];
+-
+- n = *src++;
+ }
+
+ if (n == 0) {
diff -Nru --exclude git nginx-0.7.65/debian/patches/cve-2012-1180.patch nginx-0.7.65/debian/patches/cve-2012-1180.patch
--- nginx-0.7.65/debian/patches/cve-2012-1180.patch 1969-12-31 19:00:00.000000000 -0500
+++ nginx-0.7.65/debian/patches/cve-2012-1180.patch 2012-06-12 12:37:37.000000000 -0400
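Review bot: The rewritten copy loop still computes `src = &buf[n]` from an offset taken out of the DNS response and has no iteration cap of its own, so the `for ( ;; )` is only safe because of the validation pass that precedes it in the same function, outside this hunk; for this backport to 0.7.65 it should be confirmed that the earlier pass bounds every pointer target against the end of the response, limits the number of pointers followed, and uses the same `n & 0xc0` test, since a mismatch between the two passes is exactly what the upstream change corrected. A comment above the loop would make that dependency visible to the next reader: `/* lengths and compression pointers were checked by the first pass above; this test must stay identical to it */`. The enclosing function starts and ends outside the hunk.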
@@ -0,0 +1,91 @@
+From: Thomas Ward
+Description: Fixes CVE-2012-1180 - Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/956150
+Origin: upstream, http://trac.nginx.org/nginx/changeset/4535/nginx
+Origin: upstream, http://trac.nginx.org/nginx/changeset/4531/nginx
+Origin: upstream, http://trac.nginx.org/nginx/changeset/4530/nginx
+
+--- a/src/http/modules/ngx_http_fastcgi_module.c
++++ b/src/http/modules/ngx_http_fastcgi_module.c
+@@ -1331,11 +1331,10 @@
+ h->value.data = h->key.data + h->key.len + 1;
+ h->lowcase_key = h->key.data + h->key.len + 1
+ + h->value.len + 1;
+-
+- ngx_cpystrn(h->key.data, r->header_name_start,
+- h->key.len + 1);
+- ngx_cpystrn(h->value.data, r->header_start,
+- h->value.len + 1);
++ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
++ h->key.data[h->key.len] = '\0';
++ ngx_memcpy(h->value.data, r->header_start, h->value.len);
++ h->value.data[h->value.len] = '\0';
+ }
+
+ h->hash = r->header_hash;
+--- a/src/http/modules/ngx_http_proxy_module.c
++++ b/src/http/modules/ngx_http_proxy_module.c
+@@ -1514,8 +1514,10 @@
+ h->value.data = h->key.data + h->key.len + 1;
+ h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
+
+- ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
+- ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
++ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
++ h->key.data[h->key.len] = '\0';
++ ngx_memcpy(h->value.data, r->header_start, h->value.len);
++ h->value.data[h->value.len] = '\0';
+
+ if (h->key.len == r->lowcase_index) {
+ ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
+--- a/src/http/ngx_http_parse.c
++++ b/src/http/ngx_http_parse.c
+@@ -759,6 +759,10 @@
+ break;
+ }
+
++ if (ch == '\0') {
++ return NGX_HTTP_PARSE_INVALID_HEADER;
++ }
++
+ r->invalid_header = 1;
+
+ break;
+@@ -821,6 +825,10 @@
+ break;
+ }
+
++ if (ch == '\0') {
++ return NGX_HTTP_PARSE_INVALID_HEADER;
++ }
++
+ r->invalid_header = 1;
+
+ break;
+@@ -839,6 +847,8 @@
+ r->header_start = p;
+ r->header_end = p;
+ goto done;
++ case '\0':
++ return NGX_HTTP_PARSE_INVALID_HEADER;
+ default:
+ r->header_start = p;
+ state = sw_value;
+@@ -860,6 +870,8 @@
+ case LF:
+ r->header_end = p;
+ goto done;
++ case '\0':
++ return NGX_HTTP_PARSE_INVALID_HEADER;
+ }
+ break;
+
+@@ -873,6 +885,8 @@
+ break;
+ case LF:
+ goto done;
++ case '\0':
++ return NGX_HTTP_PARSE_INVALID_HEADER;
+ default:
+ state = sw_value;
+ break;
diff -Nru --exclude git nginx-0.7.65/debian/patches/series nginx-0.7.65/debian/patches/series
--- nginx-0.7.65/debian/patches/series 2012-01-12 02:35:43.000000000 -0500
+++ nginx-0.7.65/debian/patches/series 2012-05-20 13:12:42.000000000 -0400
@@ -2,3 +2,5 @@
 dlopen.diff
 nginx-null_byte_in_urls.patch
 LP-902223.patch
+cve-2012-1180.patch
+cve-2011-4315.patch
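Review bot: The new `ngx_memcpy` calls in the FastCGI and proxy hunks copy exactly `h->key.len` and `h->value.len` bytes and then write a terminator one past each, so they are only safe if the buffer allocated for `h->key.data` a few lines above each hunk (outside it) is sized for both strings plus their terminators plus the lowcase copy, presumably `key.len + 1 + value.len + 1 + key.len` as upstream does; that allocation should be checked in the 0.7.65 tree rather than assumed. The reason for abandoning `ngx_cpystrn()` is not recorded anywhere in the patched code, so a why-comment at the first `ngx_memcpy` in each module would help: `/* copy by length rather than ngx_cpystrn(): an embedded NUL must not leave value/lowcase_key out of step with the parsed lengths */`. The `ch == '\0'` rejections in ngx_http_parse.c appear, from their offsets, to cover the header-name states and the three value states; the enclosing switch continues outside every hunk.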