Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 686424 (CVE-2019-12206, CVE-2019-12207, CVE-2019-12208) - www-servers/nginx: multiple vulnerabilities
Summary: www-servers/nginx: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2019-12206, CVE-2019-12207, CVE-2019-12208
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/nginx/njs/issues/163
Whiteboard: B3 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-21 00:10 UTC by D'juan McDonald (domhnall)
Modified: 2019-05-21 22:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-05-21 00:10:29 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-12208):

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in njs_function_native_call in njs/njs_function.c.


Gentoo Security Padawan
(domhnall)
Comment 1 D'juan McDonald (domhnall) 2019-05-21 00:15:28 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-12207):

njs through 0.3.1, used in NGINX, has a heap-based buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c.

reference: https://github.com/nginx/njs/issues/168

(https://nvd.nist.gov/vuln/detail/CVE-2019-12206):

njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in nxt_utf8_encode in nxt_utf8.c.

reference: https://github.com/nginx/njs/issues/162
Comment 2 Larry the Git Cow gentoo-dev 2019-05-21 15:12:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5fdf3186cecdd5096f4da7cf89951db6956561b9

commit 5fdf3186cecdd5096f4da7cf89951db6956561b9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-05-21 15:11:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-05-21 15:11:58 +0000

    www-servers/nginx: security cleanup
    
    Bug: https://bugs.gentoo.org/686424
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/nginx/Manifest                |    6 -
 www-servers/nginx/nginx-1.14.2-r4.ebuild  | 1089 -----------------------------
 www-servers/nginx/nginx-1.15.12-r1.ebuild | 1089 -----------------------------
 www-servers/nginx/nginx-1.16.0.ebuild     | 1089 -----------------------------
 4 files changed, 3273 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39515d7bd653357aa676db7ecec780ee41082772

commit 39515d7bd653357aa676db7ecec780ee41082772
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-05-21 15:11:12 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-05-21 15:11:57 +0000

    www-servers/nginx: amd64 & x86 stable
    
    Bug: https://bugs.gentoo.org/686424
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/nginx/nginx-1.16.0-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6db7bd5b06933cb95f1c57f5c97d18ca3006d8ba

commit 6db7bd5b06933cb95f1c57f5c97d18ca3006d8ba
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-05-21 15:09:25 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-05-21 15:11:56 +0000

    www-servers/nginx: rev bump to bump 3rd party modules
    
    - nginScript module bumped to v0.3.2
    
    - HTTP LUA module bumped to v0.10.15
    
    Bug: https://bugs.gentoo.org/686424
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/nginx/nginx-1.16.0-r1.ebuild | 1089 ++++++++++++++++++++++++++++++
 1 file changed, 1089 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=795099eac16f7bfad6c836e6c514c3efca5b2425

commit 795099eac16f7bfad6c836e6c514c3efca5b2425
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-05-21 15:07:41 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-05-21 15:11:55 +0000

    www-servers/nginx: bump to v1.17.0 mainline
    
    - nginScript module bumped to v0.3.2
    
    - HTTP LUA module bumped to v0.10.15
    
    Bug: https://bugs.gentoo.org/686424
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/nginx/Manifest            |    3 +
 www-servers/nginx/nginx-1.17.0.ebuild | 1089 +++++++++++++++++++++++++++++++++
 2 files changed, 1092 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-05-21 15:20:12 UTC
Problem was in njs extension.

GLSA Vote: No

Repository is clean, all done.
Comment 4 Thomas Deutschmann gentoo-dev Security 2019-05-21 22:32:12 UTC
Not all fixed yet. This will become a tracking nightmare, upstream started fuzzing.