oss-sec mailing list archives

Re: nginx security advisory (CVE-2013-2028)

From: Florian Weimer <fweimer () redhat com>
Date: Tue, 07 May 2013 16:36:54 +0200

On 05/07/2013 02:44 PM, Andrew Alexeev wrote:

Hello!

Greg MacManus, of iSIGHT Partners Labs, found a security problem
in several recent versions of nginx.  A stack-based buffer
overflow might occur in a worker process while handling a
specially crafted request, potentially resulting in arbitrary code
execution (CVE-2013-2028).

The problem affects nginx 1.3.9 - 1.4.0.

Isn't similar code in older version (say, 1.2.6) insrc/http/modules/ngx_http_proxy_module.c?

The problem is fixed in nginx 1.5.0, 1.4.1.

Patch for the problem can be found here:

http://nginx.org/download/patch.2013.chunked.txt

I think this fix is not quite correct because it is not possible todetect signed integer overflow in C after it has happened. (Curiously,the original fix for CVE-2002-0392 had the same issue.)


--
Florian Weimer / Red Hat Product Security Team

Current thread:

nginx security advisory (CVE-2013-2028) Andrew Alexeev (May 07)
- Re: nginx security advisory (CVE-2013-2028) Florian Weimer (May 07)
- Re: nginx security advisory (CVE-2013-2028) Solar Designer (May 22)