Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 285162 - <www-servers/nginx-{0.7.62, 0.6.39, 0.5.38} Request URI Buffer Underflow (CVE-2009-2629)
Summary: <www-servers/nginx-{0.7.62, 0.6.39, 0.5.38} Request URI Buffer Underflow (CVE...
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: http://www.kb.cert.org/vuls/id/180065
Whiteboard: A1 [glsa]
Keywords:
: 283802 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-09-16 07:19 UTC by Mike Limansky
Modified: 2010-12-15 20:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (build.log,151.37 KB, text/plain)
2009-09-16 09:42 UTC, Tkachenko Sergey
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Limansky 2009-09-16 07:19:52 UTC
CVE-2009-2629

Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.

Please stabilize =nginx-0.7.62.

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-16 08:46:48 UTC
Already in the works.
Comment 2 Tkachenko Sergey 2009-09-16 09:42:50 UTC
Created attachment 204299 [details]
build.log
Comment 3 Tkachenko Sergey 2009-09-16 09:47:06 UTC
(In reply to comment #2)
> Created an attachment (id=204299) [edit]
> build.log
> 

Sorry, I uploaded attachment for other bug. Please delete
Comment 4 Mike Limansky 2009-09-16 13:00:44 UTC
(In reply to comment #1)
> Already in the works.
> 

Why invalid? If it duplicate it should be marked as duplicate. I searched for the bug for this issue before raising of this bug and didn't found it.
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-16 13:06:12 UTC
(In reply to comment #4)
> 
> Why invalid? If it duplicate it should be marked as duplicate. I searched for
> the bug for this issue before raising of this bug and didn't found it.
> 

You couldn't have found it. And I can't dupe it at the moment.
Comment 6 Mike Limansky 2009-09-16 13:14:37 UTC
Street magic...
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-18 09:41:14 UTC
CVE-2009-2629 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2629):
  Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through
  0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before
  0.8.15 allows remote attackers to execute arbitrary code via crafted
  HTTP requests.
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-18 09:42:18 UTC
Using this bug as public reference.

amd64, please stabilize immediately:
=www-servers/nginx-0.5.38
=www-servers/nginx-0.6.39
=www-servers/nginx-0.7.62
Comment 9 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-18 09:42:52 UTC
*** Bug 283802 has been marked as a duplicate of this bug. ***
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-09-18 19:26:06 UTC
amd64 stable.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 15:02:07 UTC
GLSA 200909-18, thanks everyone!