nginx packages in hardy/hardy-backports allow null-byte vulnerability in certain configurations

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Alright. I've generated debdiffs for the relevant packages based on the original nginx patch for the 0.7 branch. Although the nginx patch did not apply cleanly to either branch, I did my best to make sure all the relevant code paths were updated. Please let me know if I've messed something up or there's something else I need to change.

Now attaching the debdiff for the hardy-backports package. I may have mangled the version string in this debdiff: I wasn't sure which part of the version I should be incrementing.

ACK on the hardy debdiff, looks good. Thanks!
The package has been uploaded for building and will be released today.

For hardy-backports, the process is different, I'll ask someone from the backports team to comment here.

For hardy-backports, if you can test that the package, as modified, builds, installs, and runs (that is at least starts, it needn't be extensive), we can get the fix in backports too.

This bug was fixed in the package nginx - 0.5.33-1ubuntu0.2

---------------
nginx (0.5.33-1ubuntu0.2) hardy-security; urgency=low

  * SECURITY UPDATE:
      - Merge r3528 from upstream repository to mitigate
        potential null byte vulnerability (LP: #803720)
 -- Neal Poole <email address hidden> Tue, 12 Jul 2011 21:41:00 -0400

Ran the following commands for the hardy-backports code:

./configure --prefix=/home/nbpoole/nginx/nginx-dev
make
make install
sudo ./sbin/nginx -c ~/nginx/nginx-dev/conf/nginx.conf

Server started up just fine. I tested it very briefly: it served up the requests (and returned a 400 error when the URL contained a null byte).

Unsubscribing ubuntu-security-sponsors, since the backports team will take care of the backport in Hardy. Thanks!

FYI, the details have been published at https://nealpoole.com/blog/2011/08/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/

Chinese hackers appear to be particularly interested in this vulnerability. I would recommend trying to release a patched version ASAP.

Neal, could you respond on Scott's question in comment #5?

I though I did in comment #7. Let me know if what I did is sufficient (and if it isn't, what else I should do).

Jamie, is this still waiting on me to do something?

uploading, sorry for the delays

Ack from ubuntu-backporters. Uploaded to hardy/unapproved now.

Thanks for the patches Neal :-)