Bug 605008 (CVE-2016-1247) - <www-servers/nginx-{1.10.2-r3,1.11.6-r1}: root privilege escalation (CVE-2016-1247)
Summary: <www-servers/nginx-{1.10.2-r3,1.11.6-r1}: root privilege escalation (CVE-2016...
Status: RESOLVED FIXED
Alias: CVE-2016-1247
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://legalhackers.com/advisories/N...
Whiteboard: B1 [glsa cve]
Reported: 2017-01-07 23:24 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-11 12:22 UTC (History)

Package list:
=www-servers/nginx-1.10.2-r3
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-07 23:24:29 UTC
It was discovered that the default installation of www-servers/nginx on
Gentoo sets problematic permissions on "/var/log/nginx" similar to Debian's
and is therefore vulnerable to the same potential root privilege
escalation described in CVE-2016-1247 [1].

[1] https://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html
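The condition behind this class of bug is a log directory that the root-running nginx master (re)opens log files in, but that the unprivileged worker user can write to, so the worker can swap a log file for a symlink that root will later follow. The checker below is an added example written for this page; it is not Gentoo's, nginx's, or the advisory author's code. It applies the ordinary POSIX owner/group/other write check to the directory and flags any log entry that is already a symlink. The uids, gids and directory layout in the demonstration are constructed (a temporary directory owned by the current user stands in for /var/log/nginx); to audit a real box, call audit() on the actual log directory with the uid and groups nginx's worker user has.

```python
"""Check an nginx log directory for the CVE-2016-1247 shape.

Added example, not code from the Gentoo bug, the nginx package or the
advisory.  The test it performs is the one the advisory's root cause
implies: can the worker user create/unlink entries in the directory that
root opens log files in, and does the directory already contain symlinks?
"""
from __future__ import annotations

import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class DirOwnership:
    """Ownership and permission bits of a directory (mode is S_IMODE only)."""
    uid: int
    gid: int
    mode: int


def can_write(d: DirOwnership, uid: int, gids: frozenset[int]) -> bool:
    """Plain POSIX DAC check: may `uid` (member of `gids`) write to `d`?

    Writing to a directory means creating, renaming and unlinking entries,
    which is exactly what replacing a log file with a symlink needs.
    """
    if uid == 0:                      # root bypasses DAC
        return True
    if uid == d.uid:                  # owner class
        return bool(d.mode & stat.S_IWUSR)
    if d.gid in gids:                 # group class
        return bool(d.mode & stat.S_IWGRP)
    return bool(d.mode & stat.S_IWOTH)  # other class


def audit(path: str, worker_uid: int, worker_gids: frozenset[int]) -> list[str]:
    """Return human-readable findings for a real log directory."""
    st = os.stat(path)
    d = DirOwnership(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    findings: list[str] = []
    if can_write(d, worker_uid, worker_gids):
        findings.append(
            f"{path} is writable by uid {worker_uid} "
            f"(owner {d.uid}:{d.gid}, mode {d.mode:04o}): worker can replace log files"
        )
    # A symlink already sitting where a log file should be is the tell-tale
    # of the swap; root following it on log reopen is what escalates.
    for name in sorted(os.listdir(path)):
        entry = os.path.join(path, name)
        if os.path.islink(entry):
            findings.append(f"{entry} is a symlink to {os.readlink(entry)}")
    return findings


def demo_findings() -> list[str]:
    """Constructed demonstration: a worker-owned 0755 log dir with one
    regular log and one log replaced by a symlink.  The current user plays
    the worker; the symlink target is a made-up path."""
    log_dir = tempfile.mkdtemp(prefix="nginx-logdir-")
    try:
        os.chmod(log_dir, 0o755)                      # owner-writable, like the bug
        with open(os.path.join(log_dir, "access.log"), "w") as fh:
            fh.write("constructed log line\n")
        os.symlink("/constructed/target", os.path.join(log_dir, "error.log"))
        worker_uid = os.getuid()
        worker_gids = frozenset(os.getgroups()) | {os.getgid()}
        return audit(log_dir, worker_uid, worker_gids)
    finally:
        shutil.rmtree(log_dir)


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
```

The fix direction follows from the check: the directory must not be writable by the worker user, and the master should not follow symlinks when reopening logs. The sticky bit alone is not a fix, since it only stops the worker unlinking files it does not own, and on affected layouts the log files themselves belong to the worker.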
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-07 23:34:51 UTC
Fixed ebuilds are now in repository, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e9a4ebc9ca7bb35814cacf85c9a28cdab6fdf9f


@ Arches,

please test and mark stable: =www-servers/nginx-1.10.2-r3
Comment 2 Agostino Sarubbo gentoo-dev 2017-01-10 14:57:06 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-10 15:27:09 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 15:36:05 UTC
Cleaned up via 688c54e5f570cfe816f69f5452817a320427474a

New GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 12:22:21 UTC
This issue was resolved and addressed in
 GLSA 201701-22 at https://security.gentoo.org/glsa/201701-22
by GLSA coordinator Aaron Bauman (b-man).