Bug 411751 (CVE-2012-2089)

Summary:	<www-servers/nginx-1.0.15 : Buffer overflow in the ngx_http_mp4_module (CVE-2012-2089)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	darkside, dev-zero, hollow
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://nginx.org/en/security_advisories.html
Whiteboard:	C2 [glsa]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2012-04-12 15:52:10 UTC

Description: 

a specially crafted mp4 file might allow to overwrite
memory locations in a worker process, if ngx_http_mp4_module is 
used, potentially resulting in arbitrary code execution.  The mp4
module is not built in by default, and should be explicitly
configured to be included in nginx.  By default nginx worker
processes run under non-privileged user account.

The problem affects nginx versions newer than 1.1.3, 1.0.7, built with
the ngx_http_mp4_module, and "mp4" directive in the configuration.
To check if mp4 module is included in nginx build, use "nginx -V".

Users of nginx and mp4 pseudo-streaming module are kindly advised
to upgrade to the latest nginx versions, or apply the following patch:

http://nginx.org/download/patch.2012.mp4.txt

Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester

2012-04-13 02:47:33 UTC

*** Bug 411217 has been marked as a duplicate of this bug. ***

Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester

2012-04-13 02:51:48 UTC

http://git.overlays.gentoo.org/gitweb/?p=dev/darkside.git;a=commit;h=dfc0254b49a18c548de27b82e367029e3c268384 (1.1.19 bump)

Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester

2012-04-13 15:17:16 UTC

+  13 Apr 2012; Jeremy Olexa <darkside@gentoo.org> -nginx-1.0.10.ebuild,
+  -nginx-1.1.17.ebuild, -nginx-1.1.18.ebuild, +nginx-1.1.19.ebuild,
+  metadata.xml:
+  Version bump from upstream (security bug 411751), addition of fancyindex
+  third party module (bug 411663). Cleanup metadata.xml

Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester

2012-04-13 15:24:13 UTC

With multiple release trains in the same package, a ~arch version of the "stable train" will never get tested by ~arch users. Therefore, I feel like supporting multiple release trains for nginx in Gentoo is the wrong approach.

I added myself to metadata.xml and will contribute to the dev't releases. It is my opinion that we should just stabilize 1.1.19.

Comment 5 Tim Sammut (RETIRED) gentoo-dev

2012-04-14 06:10:20 UTC

Sounds good, thank you. Benedikt and Tiziano, please let us know if you object.

Arches, please test and mark stable:
=www-servers/nginx-1.1.19
Target keywords : "amd64 x86"

Comment 6 Benedikt Böhm (RETIRED) gentoo-dev

2012-04-14 09:02:56 UTC

i'd rather bump and stabilize 1.0.15 instead of the development version ...

Comment 7 Agostino Sarubbo gentoo-dev

2012-04-14 09:04:39 UTC

(In reply to comment #6)
> i'd rather bump and stabilize 1.0.15 instead of the development version ...

+1

Comment 8 Benedikt Böhm (RETIRED) gentoo-dev

2012-04-14 09:22:29 UTC

i've added 1.0.15 to the tree, please stabilize that one

(In reply to comment #4)
> With multiple release trains in the same package, a ~arch version of the
> "stable train" will never get tested by ~arch users. Therefore, I feel like
> supporting multiple release trains for nginx in Gentoo is the wrong approach.

i understand your concerns, but i'd rather use p.mask to prevent ~arch users from installing the development versions or stabilize 1.1.x at a later time. we should not push the development version onto users right now just because of a security update.

please stabilize nginx-1.0.15!

Comment 9 Agostino Sarubbo gentoo-dev

2012-04-14 11:42:59 UTC

amd64 stable

Comment 10 Markus Meier gentoo-dev

2012-04-15 17:01:50 UTC

x86 stable, all arches done.

Comment 11 Agostino Sarubbo gentoo-dev

2012-04-15 17:35:11 UTC

Thanks folks.

Filed new glsa request.

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2012-04-28 00:45:12 UTC

CVE-2012-2089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2089):
  Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module
  in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4
  directive is used, allows remote attackers to cause a denial of service
  (memory overwrite) or possibly execute arbitrary code via a crafted MP4
  file.

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2012-06-21 10:31:45 UTC

This issue was resolved and addressed in
 GLSA 201206-07 at http://security.gentoo.org/glsa/glsa-201206-07.xml
by GLSA coordinator Sean Amoss (ackle).