
Bug 584744 (CVE-2016-4450)

Summary: <www-servers/nginx-1.10.1: NULL pointer dereference while writing client request body to a temporary file (CVE-2016-4450)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
Severity: minor
Priority: Normal
CC: bugs, dev-zero, mrueg, proxy-maint, whissi
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Attachment: Changes needed for nginx-1.11.1 (flags: none)

Description Agostino Sarubbo gentoo-dev 2016-06-01 10:58:32 UTC
From ${URL} :

A problem was identified in nginx code responsible for saving
client request body to a temporary file.  A specially crafted request
might result in worker process crash due to a NULL pointer dereference
while writing client request body to a temporary file (CVE-2016-4450).

The problem affects nginx 1.3.9 - 1.11.0.

The problem is fixed in nginx 1.11.1, 1.10.1.

Patch for nginx 1.9.13 - 1.11.0 can be found here:

Patch for older nginx versions (1.3.9 - 1.9.12):

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
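
A defender-side check of an installed nginx version against the ranges quoted in the description above. This is an added example, not part of the original bug report or of any nginx or Gentoo tooling; the function name and the sample strings are constructed, and it assumes that 1.10.x releases after 1.10.1 also carry the fix.

```shell
#!/bin/sh
# Classify an nginx version for CVE-2016-4450 using the ranges in this report:
#   affected: 1.3.9 - 1.11.0      fixed: 1.10.1 (stable), 1.11.1 (mainline)
# Prints one of: affected, fixed, not-affected, unparsed.
# (Hypothetical helper name; not part of nginx or Portage.)
nginx_cve_2016_4450_status() {
    v=${1##*nginx/}       # accept raw `nginx -v` output: "nginx version: nginx/1.10.0"
    v=${v%%[!0-9.]*}      # drop trailing text such as "-r1" or " (distro)"
    case $v in
        ''|.*|*.|*..*|*.*.*.*|0[0-9]*|*.0[0-9]*) echo unparsed; return 0 ;;
        *.*.*) ;;                         # exactly major.minor.patch
        *) echo unparsed; return 0 ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # Fold the three components into one comparable integer.
    n=$(( major * 1000000 + minor * 1000 + patch ))
    if [ "$n" -lt 1003009 ]; then
        echo not-affected                 # older than 1.3.9
    elif [ "$n" -ge 1011001 ]; then
        echo fixed                        # 1.11.1 and later
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 10 ] && [ "$patch" -ge 1 ]; then
        echo fixed                        # 1.10.1 and later 1.10.x (assumption, see lead-in)
    else
        echo affected                     # 1.3.9 - 1.10.0, and 1.11.0
    fi
}

# Constructed sample inputs, not taken from a real host.
for sample in "nginx version: nginx/1.8.1" "nginx version: nginx/1.10.1" \
              "nginx/1.11.0" "1.3.8" "1.10.0-r1"; do
    printf '%-30s %s\n' "$sample" "$(nginx_cve_2016_4450_status "$sample")"
done
```

On a live host the input would be the output of `nginx -v`, which nginx writes to stderr.
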
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-06-02 13:30:28 UTC
Created attachment 436180 [details, diff]
Changes needed for nginx-1.11.1

Some modules should be bumped, too. See my diff against nginx-1.10.0 ebuild.

If the bump won't happen within the next 24 hours please check if they have released 0.55.

Not sure if want to bring back "mainline" and "stable" slot Manuel removed with
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-06-02 13:32:09 UTC
CC'ing Manuel who removed the stable/mainline slot in the previous bump.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-06-11 15:20:38 UTC
PR submitted:
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-11 15:50:53 UTC
(In reply to Thomas Deutschmann from comment #3)
> PR submitted:

@proxied maintainer: Thank you; PR committed and pushed, once you're satisfied with the in-tree result please call for stabilization to further this security bug.

commit c0f1582077ff5ae4346bbaaaa9ac540c08b48949
Author: Thomas Deutschmann <>
Date:   Sat Jun 11 17:16:14 2016 +0200

    www-servers/nginx: Security cleanup

    Gentoo-Bug: 584744

    Package-Manager: portage-2.3.0_rc1

commit ae9482758bf9b7ecbd965a324f13e7f3bd0c17d1
Author: Thomas Deutschmann <>
Date:   Sat Jun 11 17:14:07 2016 +0200

    www-servers/nginx: Version bump

    Gentoo-Bug: 584212
    Gentoo-Bug: 584744

    Package-Manager: portage-2.3.0_rc1
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2016-06-11 21:18:55 UTC
@ Arches, please stabilize =www-servers/nginx-1.10.1

Stable targets: amd64, x86
Comment 6 Agostino Sarubbo gentoo-dev 2016-06-13 12:26:40 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-13 12:27:28 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2016-06-13 14:05:30 UTC
PR for security cleanup submitted:
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-13 18:37:44 UTC
Cleanup done: 
commit fa58d5378eee1fc28ceff889a80e26beffa23d38
Author: Thomas Deutschmann <>
Date:   Mon Jun 13 20:30:54 2016 +0200

    www-servers/nginx: Security cleanup

    Dropping nginx-1.8.1 which is vulnerable to CVE-2016-4450 and was replaced
    by nginx-1.10.1 via commit 9d8b4adb72f5912b8c121bdda6ffee72e08926d7.

    Gentoo-Bug: 584744

    Package-Manager: portage-2.3.0_rc1
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-06-14 08:41:33 UTC
CVE-2016-4450:
  os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  worker process crash) via a crafted request, involving writing a client
  request body to a temporary file.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-06-14 08:42:42 UTC
GLSA Vote: Yes.

New request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-06-17 18:31:04 UTC
This issue was resolved and addressed in
 GLSA 201606-06 at
by GLSA coordinator Kristian Fiskerstrand (K_F).