Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 505018 (CVE-2014-0133) - <www-servers/nginx-1.4.7: [nginx_modules_http_spdy] heap memory buffer overflow (CVE-2014-0133)
Summary: <www-servers/nginx-1.4.7: [nginx_modules_http_spdy] heap memory buffer overfl...
Status: RESOLVED FIXED
Alias: CVE-2014-0133
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: http://mailman.nginx.org/pipermail/ng...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-18 20:53 UTC by Johan Bergström
Modified: 2014-06-22 12:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johan Bergström 2014-03-18 20:53:39 UTC 
A bug in the experimental SPDY implementation in nginx was found, which
might allow an attacker to cause a heap memory buffer overflow in a
worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).

Patch is trivial, but I suggest we bump to 1.4.7 as soon as possible. 1.5.x (in tree, masked) is vulnerable as well.

Patch here: http://nginx.org/download/patch.2014.spdy2.txt
Comment 1 Alex Xu (Hello71) 2014-03-18 21:40:07 UTC 
I think it is plausible that at least 5% of Gentoo users have nginx installed.

However, USE=debug is likely highly rare. Perhaps C1 is more appropriate.
Comment 2 Johan Bergström 2014-03-18 21:46:59 UTC 
@Alex: The bug will occur if you've built the spdy module without debug.
Comment 3 Alex Xu (Hello71) 2014-03-18 21:50:56 UTC 
Odd, I swear I read "with --with-debug".

Never mind then, definitely B1. Not A1 though, spdy is far from default.
Comment 4 Tiziano Müller (RETIRED) gentoo-dev 2014-03-28 14:15:26 UTC 
nginx-1.4.7 is now in the tree for stabilization, 1.5.12 follows...
Comment 5 Agostino Sarubbo gentoo-dev 2014-03-28 19:34:28 UTC 
Arches, please test and mark stable:
=www-servers/nginx-1.4.7
Target keywords : "amd64 x86"
Comment 6 Agostino Sarubbo gentoo-dev 2014-03-29 06:07:01 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-03-29 06:07:08 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Agostino Sarubbo gentoo-dev 2014-03-29 06:07:42 UTC 
cleanup done.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2014-06-18 23:48:05 UTC 
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-06-18 23:48:55 UTC 
CVE-2014-0133 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0133):
  Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before
  1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary
  code via a crafted request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-06-22 12:40:55 UTC 
This issue was resolved and addressed in
 GLSA 201406-20 at http://security.gentoo.org/glsa/glsa-201406-20.xml
by GLSA coordinator Mikle Kolyada (Zlogene).