Greg MacManus, of iSIGHT Partners Labs, found a security problem
in several recent versions of nginx. A stack-based buffer
overflow might occur in a worker process while handling a
specially crafted request, potentially resulting in arbitrary code
The problem affects nginx 1.3.9 - 1.4.0.
The problem is fixed in nginx 1.5.0, 1.4.1.
Reference site: http://nginx.org/en/security_advisories.html
CVE url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028
Maintainers: I have tested renaming nginx-1.4.0-r1 to nginx-1.4.1 which worked well in my setup.
*** Bug 468962 has been marked as a duplicate of this bug. ***
1.4.1 is now in the tree
(In reply to comment #2)
> 1.4.1 is now in the tree
I'd like to wait before closing the bug because of this:
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Old removed, security please go ahead with the GLSA.
http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0
through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows
remote attackers to cause a denial of service (crash) and obtain sensitive
information from worker process memory via a crafted proxy response, a
similar vulnerability to CVE-2013-2028.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9
through 1.4.0 allows remote attackers to cause a denial of service (crash)
and execute arbitrary code via a chunked Transfer-Encoding request with a
large chunk size, which triggers an integer signedness error and a
stack-based buffer overflow.
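Both CVE descriptions above come down to the same defect class: a chunk size taken from attacker-controlled input (the request body in CVE-2013-2028, an upstream proxy response in CVE-2013-2070) is accumulated into an integer that can wrap, so a later bounds check compares against a value that no longer reflects what the digits encode. The following C example is added here to illustrate that class and its fix; it is not nginx's code, not the patched ngx_http_parse_chunked, and not part of this bug. The function names, the MAX_CHUNK_SIZE limit and the sample chunk-size lines are all constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed upper bound for this example. A real server would derive the
 * limit from its buffer size or configuration; the point is that a bound is
 * enforced before the accumulator can wrap. */
#define MAX_CHUNK_SIZE ((int64_t)1 << 40)

/* Value of a hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Naive parser (hypothetical, NOT nginx's code). It accumulates the hex size
 * into 32 bits with no bound check and hands the result back as a signed int.
 * Nine or more hex digits wrap the accumulator, so the returned "size" can be
 * tiny or negative even though the line encodes a huge chunk; a subsequent
 * signed comparison against a buffer length then passes when it should not.
 * That is the signedness/overflow bug class the CVE text describes. */
static int32_t naive_parse_chunk_size(const char *line) {
    uint32_t acc = 0;               /* unsigned so the wrap itself is defined */
    for (const char *p = line; *p && *p != ';' && *p != '\r'; p++) {
        int v = hexval((unsigned char)*p);
        if (v < 0) return -1;
        acc = acc * 16u + (uint32_t)v;
    }
    return (int32_t)acc;            /* 0x80000000 and above come back negative */
}

/* Hardened parser: 64-bit accumulator, explicit limit checked BEFORE the
 * multiply so the value can never wrap, and only ';' (chunk extension) or CR
 * may follow the digits. Returns 0 and sets *out on success, -1 on malformed
 * or oversized input. */
static int safe_parse_chunk_size(const char *line, size_t len, int64_t *out) {
    int64_t size = 0;
    size_t i;
    for (i = 0; i < len; i++) {
        int v = hexval((unsigned char)line[i]);
        if (v < 0) break;
        /* size * 16 + v <= MAX_CHUNK_SIZE  <=>  size <= (MAX - v) / 16 */
        if (size > (MAX_CHUNK_SIZE - v) / 16) return -1;
        size = size * 16 + v;
    }
    if (i == 0) return -1;                                   /* no digits */
    if (i < len && line[i] != ';' && line[i] != '\r') return -1;
    *out = size;
    return 0;
}

/* Convenience wrapper for tests and callers that want a single value:
 * the parsed size, or -1 when the hardened parser rejects the line. */
static int64_t parse_chunk_size_or_neg(const char *line) {
    int64_t size;
    if (safe_parse_chunk_size(line, strlen(line), &size) != 0) return -1;
    return size;
}

int main(void) {
    /* Constructed chunk-size lines as they would appear in a chunked body. */
    const char *lines[] = { "1a\r\n", "FFFFFFFF\r\n", "100000000\r\n",
                            "FFFFFFFFFFFFFFFF\r\n", "zz\r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        printf("%-20.*s naive=%11d  hardened=%lld\n",
               (int)(strlen(lines[i]) - 2), lines[i],
               naive_parse_chunk_size(lines[i]),
               (long long)parse_chunk_size_or_neg(lines[i]));
    }
    return 0;
}
```

The detail worth keeping from the hardened version is the order of operations: the limit is compared against the accumulator before the multiply, so no intermediate value ever exceeds the bound, and the size is kept in a type wide enough that the comparison which follows (chunk size versus remaining buffer) is done on the real number rather than a wrapped one.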
GLSA request filed.
This issue was resolved and addressed in
GLSA 201310-04 at http://security.gentoo.org/glsa/glsa-201310-04.xml
by GLSA coordinator Sean Amoss (ackle).