[CVE-2014-0133] SPDY Heap Buffer Overflow Vulnerability

Bug #1294280 reported by Thomas Ward
Affects          Status         Importance   Assigned to   Milestone
nginx (Debian)   Fix Released   Unknown
nginx (Ubuntu)   Fix Released   Undecided    Unassigned

Nominated for Saucy by Thomas Ward
Nominated for Trusty by Thomas Ward

Bug Description

This is CVE-2014-0133.

This is Debian Bug 742059.

------

This was the nginx announcement of this issue:

Hello!

A bug in the experimental SPDY implementation in nginx was found, which
might allow an attacker to cause a heap memory buffer overflow in a
worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).

The problem affects nginx 1.3.15 - 1.5.11, compiled with the
ngx_http_spdy_module module (which is not compiled by default) and
without --with-debug configure option, if the "spdy" option of the
"listen" directive is used in a configuration file.

The problem is fixed in nginx 1.5.12, 1.4.7.

Patch for the problem can be found here:

http://nginx.org/download/patch.2014.spdy2.txt

Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel
Sadosky, Buenos Aires, Argentina.

------

Trusty and Saucy are affected.

Tags: patch

Thomas Ward (teward) wrote :

Key thing to check is if all binaries build with the --with-debug option. If they all build with it, then we are not vulnerable. (according to the Debian people)

Changed in nginx (Debian):
status: Unknown → Fix Released
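The advisory's exposure conditions (version range, SPDY module compiled in, no --with-debug, a "spdy" listen directive) and the "--with-debug" check from the comment above, turned into a script. This is an added example, not part of the bug report and not nginx's, Debian's or Ubuntu's own tooling. It assumes the usual `nginx -V` output format and the `--with-http_spdy_module` / `--with-debug` configure flags (the page names the module and the debug flag, not the first flag's spelling). The `nginx -V` outputs and configuration fragments in the block are constructed samples, not captures from real hosts.

```shell
#!/bin/sh
# Added example, not from the bug report, nginx or Ubuntu: decide whether an
# nginx build matches the exposure conditions the CVE-2014-0133 advisory
# states, from `nginx -V` output plus the active configuration.
# Exposed only when ALL hold:
#   - version in the advisory's 1.3.15..1.5.11 range, excluding the 1.4.7
#     stable fix it names alongside 1.5.12
#   - built with --with-http_spdy_module (configure flag assumed, not on the page)
#   - built WITHOUT --with-debug
#   - at least one "listen ... spdy;" directive is active

# version_affected VERSION -> succeeds when VERSION is in the affected range
version_affected() {
    v="$1"
    case "$v" in
        1.4.7) return 1 ;;           # stable fix, numerically inside the range
        *.*.*) ;;
        *) return 1 ;;               # not a three-part nginx version string
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    n=$((major * 1000000 + minor * 1000 + patch))
    [ "$n" -ge 1003015 ] && [ "$n" -le 1005011 ]
}

# config_uses_spdy CONFIG_TEXT -> succeeds when some listen directive carries spdy
config_uses_spdy() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*listen[[:space:]][^;#]*[[:space:]]spdy([[:space:];]|$)'
}

# assess NGINX_V_OUTPUT CONFIG_TEXT -> prints one verdict token:
#   unknown-version | unaffected-version | spdy-not-built | debug-build-safe |
#   spdy-not-enabled | VULNERABLE
# Returns 1 only for VULNERABLE so it can drive a scripted fleet check.
assess() {
    out="$1"; conf="$2"
    ver=${out#*"nginx version: nginx/"}
    ver=${ver%%[!0-9.]*}            # cut at the first non-version character
    if [ -z "$ver" ]; then echo unknown-version; return 2; fi
    if ! version_affected "$ver"; then echo unaffected-version; return 0; fi
    case "$out" in
        *--with-http_spdy_module*) ;;
        *) echo spdy-not-built; return 0 ;;
    esac
    case "$out" in
        *--with-debug*) echo debug-build-safe; return 0 ;;
    esac
    if ! config_uses_spdy "$conf"; then echo spdy-not-enabled; return 0; fi
    echo VULNERABLE
    return 1
}

# --- constructed sample inputs (not captured from real hosts) ---
SAUCY_V='nginx version: nginx/1.4.1
TLS SNI support enabled
configure arguments: --prefix=/usr --with-http_ssl_module --with-http_spdy_module'
TRUSTY_V='nginx version: nginx/1.4.6
TLS SNI support enabled
configure arguments: --with-debug --with-http_ssl_module --with-http_spdy_module'
CONF_SPDY='server {
    listen 443 ssl spdy;
    server_name example.test;
}'
CONF_PLAIN='server {
    listen 443 ssl;
    server_name example.test;
}'

# On a live host nginx -V writes to stderr, so run for example:
#   assess "$(nginx -V 2>&1)" "$(cat /etc/nginx/nginx.conf /etc/nginx/sites-enabled/*)"
printf 'saucy-like build,  spdy listen:  %s\n' "$(assess "$SAUCY_V" "$CONF_SPDY")"
printf 'saucy-like build,  plain listen: %s\n' "$(assess "$SAUCY_V" "$CONF_PLAIN")"
printf 'trusty-like build, spdy listen:  %s\n' "$(assess "$TRUSTY_V" "$CONF_SPDY")"
```

The verdict order mirrors the advisory: a build outside the version range, without the SPDY module, or with --with-debug is reported as safe before the configuration is even consulted, which is why a --with-debug distribution build such as the Trusty one is not exposed regardless of its listen directives. The configuration check only looks at the text it is given, so included files have to be concatenated into that argument.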
Thomas Ward (teward) wrote :

As with Debian, we are not affected by this bug, as we build with the --with-debug option on all binaries, and it's up to the security team if they want to sponsor the patch in, since we're not affected.

Seth Arnold (seth-arnold) wrote :

Trusty uses the --with-debug on all binaries; Saucy does not. Saucy should probably just get the upstream Nginx patch to enable that one code block.

Thanks

Thomas Ward (teward) wrote :

I've attached a debdiff for Saucy.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "CVE-2014-0133 Debdiff for Saucy" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.4.1-3ubuntu1.3

---------------
nginx (1.4.1-3ubuntu1.3) saucy-security; urgency=low

  * SECURITY UPDATE: SPDY Heap Buffer Overflow Vulnerability (LP: #1294280)
    - debian/patches/cve-2014-0133.patch: modify src/http/ngx_http_spdy.c to
      fix a heap buffer overflow vulnerability in the SPDY module by using
      a specially crafted request.
    - CVE-2014-0133
 -- Thomas Ward <email address hidden> Tue, 18 Mar 2014 21:17:14 -0400

Changed in nginx (Ubuntu):
status: Confirmed → Fix Released