Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 584744 (CVE-2016-4450) - <www-servers/nginx-1.10.1: NULL pointer dereference while writing client request body to a temporary file (CVE-2016-4450)
Summary: <www-servers/nginx-1.10.1: NULL pointer dereference while writing client requ...
Status: RESOLVED FIXED
Alias: CVE-2016-4450
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://mailman.nginx.org/pipermail/ng...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-01 10:58 UTC by Agostino Sarubbo
Modified: 2016-06-17 18:31 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Changes needed for nginx-1.11.1 (nginx-1.11.1.diff,2.92 KB, patch)
2016-06-02 13:30 UTC, Thomas Deutschmann
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-01 10:58:32 UTC
From ${URL} :

A problem was identified in nginx code responsible for saving
client request body to a temporary file.  A specially crafted request
might result in worker process crash due to a NULL pointer dereference
while writing client request body to a temporary file (CVE-2016-4450).

The problem affects nginx 1.3.9 - 1.11.0.

The problem is fixed in nginx 1.11.1, 1.10.1.

Patch for nginx 1.9.13 - 1.11.0 can be found here:

http://nginx.org/download/patch.2016.write.txt

Patch for older nginx versions (1.3.9 - 1.9.12):

http://nginx.org/download/patch.2016.write2.txt


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev 2016-06-02 13:30:28 UTC
Created attachment 436180 [details, diff]
Changes needed for nginx-1.11.1

Some modules should be bumped, to. See my diff against nginx-1.10.0 ebuild.

If the bump won't happen within the next 24 hours please check https://github.com/nbs-system/naxsi if they have released 0.55.


Not sure if want to bring back "mainline" and "stable" slot Manual removed with https://gitweb.gentoo.org/repo/gentoo.git/commit/www-servers/nginx?id=18052d2432f8bdfd67092a09b5bb27702ef8763c
Comment 2 Thomas Deutschmann gentoo-dev 2016-06-02 13:32:09 UTC
CC'ing Manuel who removed the stable/mainline slot in the previous bump.
Comment 3 Thomas Deutschmann gentoo-dev 2016-06-11 15:20:38 UTC
PR submitted: https://github.com/gentoo/gentoo/pull/1650
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-11 15:50:53 UTC
(In reply to Thomas Deutschmann from comment #3)
> PR submitted: https://github.com/gentoo/gentoo/pull/1650

@proxied maintainer: Thank you; PR committed and pushed, once you're satisfied with the in-tree result please call for stabilization to further this security bug.

commit c0f1582077ff5ae4346bbaaaa9ac540c08b48949
Author: Thomas Deutschmann <whissi@whissi.de>
Date:   Sat Jun 11 17:16:14 2016 +0200

    www-servers/nginx: Security cleanup

    Gentoo-Bug: 584744

    Package-Manager: portage-2.3.0_rc1

commit ae9482758bf9b7ecbd965a324f13e7f3bd0c17d1
Author: Thomas Deutschmann <whissi@whissi.de>
Date:   Sat Jun 11 17:14:07 2016 +0200

    www-servers/nginx: Version bump

    Gentoo-Bug: 584212
    Gentoo-Bug: 584744

    Package-Manager: portage-2.3.0_rc1
Comment 5 Thomas Deutschmann gentoo-dev 2016-06-11 21:18:55 UTC
@ Arches, please stabilize =www-servers/nginx-1.10.1

Stable targets: amd64, x86
Comment 6 Agostino Sarubbo gentoo-dev 2016-06-13 12:26:40 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-13 12:27:28 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Thomas Deutschmann gentoo-dev 2016-06-13 14:05:30 UTC
PR for security cleanup submitted: https://github.com/gentoo/gentoo/pull/1669
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-13 18:37:44 UTC
Cleanup done: 
commit fa58d5378eee1fc28ceff889a80e26beffa23d38
Author: Thomas Deutschmann <whissi@whissi.de>
Date:   Mon Jun 13 20:30:54 2016 +0200

    www-servers/nginx: Security cleanup
    
    Dropping nginx-1.8.1 which is vulnerable to CVE-2016-4450 and was replaced
    by nginx-1.10.1 via commit 9d8b4adb72f5912b8c121bdda6ffee72e08926d7.
    
    Gentoo-Bug: 584744
    
    Package-Manager: portage-2.3.0_rc1
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-06-14 08:41:33 UTC
CVE-2016-4450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4450):
  os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows
  remote attackers to cause a denial of service (NULL pointer dereference and
  worker process crash) via a crafted request, involving writing a client
  request body to a temporary file.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-14 08:42:42 UTC
GLSA Vote: Yes.

New request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-06-17 18:31:04 UTC
This issue was resolved and addressed in
 GLSA 201606-06 at https://security.gentoo.org/glsa/201606-06
by GLSA coordinator Kristian Fiskerstrand (K_F).