Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 411751 (CVE-2012-2089) - <www-servers/nginx-1.0.15 : Buffer overflow in the ngx_http_mp4_module (CVE-2012-2089)
Summary: <www-servers/nginx-1.0.15 : Buffer overflow in the ngx_http_mp4_module (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2012-2089
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://nginx.org/en/security_advisori...
Whiteboard: C2 [glsa]
Keywords:
: 411217 (view as bug list)
Depends on:
Blocks:
 
Reported: 2012-04-12 15:52 UTC by Agostino Sarubbo
Modified: 2012-06-21 10:31 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-04-12 15:52:10 UTC
Description: 

a specially crafted mp4 file might allow to overwrite
memory locations in a worker process, if ngx_http_mp4_module is 
used, potentially resulting in arbitrary code execution.  The mp4
module is not built in by default, and should be explicitly
configured to be included in nginx.  By default nginx worker
processes run under non-privileged user account.

The problem affects nginx versions newer than 1.1.3, 1.0.7, built with
the ngx_http_mp4_module, and "mp4" directive in the configuration.
To check if mp4 module is included in nginx build, use "nginx -V".

Users of nginx and mp4 pseudo-streaming module are kindly advised
to upgrade to the latest nginx versions, or apply the following patch:

http://nginx.org/download/patch.2012.mp4.txt
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-04-13 02:47:33 UTC
*** Bug 411217 has been marked as a duplicate of this bug. ***
Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-04-13 15:17:16 UTC
+  13 Apr 2012; Jeremy Olexa <darkside@gentoo.org> -nginx-1.0.10.ebuild,
+  -nginx-1.1.17.ebuild, -nginx-1.1.18.ebuild, +nginx-1.1.19.ebuild,
+  metadata.xml:
+  Version bump from upstream (security bug 411751), addition of fancyindex
+  third party module (bug 411663). Cleanup metadata.xml
Comment 4 Jeremy Olexa (darkside) (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-04-13 15:24:13 UTC
With multiple release trains in the same package, a ~arch version of the "stable train" will never get tested by ~arch users. Therefore, I feel like supporting multiple release trains for nginx in Gentoo is the wrong approach.

I added myself to metadata.xml and will contribute to the dev't releases. It is my opinion that we should just stabilize 1.1.19.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-04-14 06:10:20 UTC
Sounds good, thank you. Benedikt and Tiziano, please let us know if you object.

Arches, please test and mark stable:
=www-servers/nginx-1.1.19
Target keywords : "amd64 x86"
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2012-04-14 09:02:56 UTC
i'd rather bump and stabilize 1.0.15 instead of the development version ...
Comment 7 Agostino Sarubbo gentoo-dev 2012-04-14 09:04:39 UTC
(In reply to comment #6)
> i'd rather bump and stabilize 1.0.15 instead of the development version ...

+1
Comment 8 Benedikt Böhm (RETIRED) gentoo-dev 2012-04-14 09:22:29 UTC
i've added 1.0.15 to the tree, please stabilize that one

(In reply to comment #4)
> With multiple release trains in the same package, a ~arch version of the
> "stable train" will never get tested by ~arch users. Therefore, I feel like
> supporting multiple release trains for nginx in Gentoo is the wrong approach.

i understand your concerns, but i'd rather use p.mask to prevent ~arch users from installing the development versions or stabilize 1.1.x at a later time. we should not push the development version onto users right now just because of a security update.

please stabilize nginx-1.0.15!
Comment 9 Agostino Sarubbo gentoo-dev 2012-04-14 11:42:59 UTC
amd64 stable
Comment 10 Markus Meier gentoo-dev 2012-04-15 17:01:50 UTC
x86 stable, all arches done.
Comment 11 Agostino Sarubbo gentoo-dev 2012-04-15 17:35:11 UTC
Thanks folks.

Filed new glsa request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 00:45:12 UTC
CVE-2012-2089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2089):
  Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module
  in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4
  directive is used, allows remote attackers to cause a denial of service
  (memory overwrite) or possibly execute arbitrary code via a crafted MP4
  file.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 10:31:45 UTC
This issue was resolved and addressed in
 GLSA 201206-07 at http://security.gentoo.org/glsa/glsa-201206-07.xml
by GLSA coordinator Sean Amoss (ackle).