A bug in the experimental SPDY implementation in nginx was found, which
might allow an attacker to cause a heap memory buffer overflow in a
worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).
Patch is trivial, but I suggest we bump to 1.4.7 as soon as possible. 1.5.x (in tree, masked) is vulnerable as well.
Patch here: http://nginx.org/download/patch.2014.spdy2.txt
I think it is plausible that at least 5% of Gentoo users have nginx installed.
However, USE=debug is likely highly rare. Perhaps C1 is more appropriate.
@Alex: The bug will occur if you've built the spdy module without debug.
Odd, I swear I read "with --with-debug".
Never mind then, definitely B1. Not A1 though, spdy is far from default.
nginx-1.4.7 is now in the tree for stabilization, 1.5.12 follows...
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Arches and Maintainer(s), thank you for your work.
New GLSA Request filed.
Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before
1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary
code via a crafted request.
This issue was resolved and addressed in
GLSA 201406-20 at http://security.gentoo.org/glsa/glsa-201406-20.xml
by GLSA coordinator Mikle Kolyada (Zlogene).