Bug 303751 (CVE-2009-4487) - www-servers/nginx remote arbitrary code execution (CVE-2009-4487)
Summary: www-servers/nginx remote arbitrary code execution (CVE-2009-4487)
Alias: CVE-2009-4487
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: B2? [ebuild]
Reported: 2010-02-06 15:24 UTC by Stefan Behte (RETIRED)
Modified: 2010-06-04 21:20 UTC (History)
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:24:43 UTC
CVE-2009-4487 (
  nginx 0.7.64 writes data to a log file without sanitizing
  non-printable characters, which might allow remote attackers to
  modify a window's title, or possibly execute arbitrary commands or
  overwrite files, via an HTTP request containing an escape sequence
  for a terminal emulator.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2010-02-06 18:56:16 UTC
nginx changelog for 0.7 doesn't mention this CVE, so not sure if this has been fixed in 0.7.65.
Comment 2 Johan Bergström 2010-02-06 22:10:00 UTC
Not sure if the nginx author will recognize this as an actual "bug", here's varnish route:
Comment 3 Matt Summers (RETIRED) gentoo-dev 2010-04-02 19:58:10 UTC
nginx seems to accept this as a vuln. see link
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-01 20:12:07 UTC
I mailed the author, if it's planned to fix this CVE.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-01 21:45:35 UTC wrote:
"No, I do not consider this as vulnerability. This is terminal issue."
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2010-06-04 06:51:35 UTC
I have to agree with Igor and also the team behind Varnish, which issued the following statement, that this is not a vulnerability in nginx/varnish/apache/whatever.

The real problem is the mistaken belief that you can cat(1) a random
logfile to your terminal safely.

This is not a new issue. I first remember the issue with xterm(1)'s
inadvisably implemented escape-sequences in a root-context, brought up
heatedly, in 1988, possibly late 1987, at Copenhagens University
Computer Science dept. [...]
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-04 21:20:44 UTC
Issue disputed. I have not looked very deeply into this, but it really seems to be a terminal issue. However, it would have been nice to filter out these characters.

It's a feature, not a bug? ;(
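
The filtering discussed in this thread can also be done on the reading side, before a log ever reaches the terminal. The following is an added example, not code from nginx, Varnish or any commenter on this bug; the function names and the sample log lines are constructed for illustration, and LF-terminated log lines are assumed.

```python
import re

# Everything outside printable ASCII (0x20-0x7e) and tab is escaped on output.
# That covers ESC (0x1b), BEL (0x07) and the 8-bit C1 controls (0x80-0x9f).
_UNSAFE = re.compile(rb"[^\x20-\x7e\t]")
# Lines are flagged on C0 controls and DEL only; high bytes also occur in
# ordinary UTF-8 text, so they are escaped but not reported.
_CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")

# Constructed sample: line 2 carries an escape sequence in the request line.
SAMPLE_LOG = (
    b'192.0.2.10 - - [06/Feb/2010:15:24:43 +0000] "GET / HTTP/1.1" 200 151\n'
    b'192.0.2.11 - - [06/Feb/2010:15:25:02 +0000] '
    b'"GET /\x1b]0;constructed-title\x07 HTTP/1.1" 404 169\n'
)


def sanitize_line(raw: bytes) -> str:
    """Render one log line (no trailing newline) as inert printable ASCII."""
    doubled = raw.replace(b"\\", b"\\\\")  # keep the escaping unambiguous
    safe = _UNSAFE.sub(lambda m: b"\\x%02x" % m.group(0)[0], doubled)
    return safe.decode("ascii")


def scan_log(data: bytes):
    """Return (line_number, sanitized_line) for lines holding control bytes."""
    hits = []
    for number, line in enumerate(data.split(b"\n"), start=1):
        if _CONTROL.search(line):
            hits.append((number, sanitize_line(line)))
    return hits


def safe_view(data: bytes) -> str:
    """Return the whole log in a form that is safe to print to a terminal."""
    return "\n".join(sanitize_line(line) for line in data.split(b"\n"))


if __name__ == "__main__":
    for number, text in scan_log(SAMPLE_LOG):
        print(f"line {number} contains control bytes: {text}")
    print(safe_view(SAMPLE_LOG), end="")
```
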