Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]

Hi Release team,

Please unblock package nginx

[ Reason ]
nginx in bullseye's version is affected by CVE-2021-23017, as reported in https://www.openwall.com/lists/oss-security/2021/05/25/5 .

[ Impact ]
https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html

The vulnerability might allow an attacker to cause a 1-byte memory overwrite by using a specially crafted DNS response. The effect is a denial of service (or potentially could result in arbitrary code execution).

For buster DSA 4921-1 was released for this issue. Not letting the fix in is definitively as well regressing security wise from buster to bullseye updates. So we should try to avoid that.

[ Tests ]
Done against explicit test setup/poc as provided by the reporters of the issue.

[ Risks ]
We use the overviewable upstream patch, which was both applied for the unstable upload and used as well in DSA 4921-1.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
None needed.

unblock nginx/1.18.0-6.1

Thanks for your work!

Regards,
Salvatore

diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog --- nginx-1.18.0/debian/changelog 2020-08-19 15:27:02.000000000 +0200 +++ nginx-1.18.0/debian/changelog 2021-05-29 16:21:37.000000000 +0200 @@ -1,3 +1,11 @@ +nginx (1.18.0-6.1) unstable; urgency=high + + * Non-maintainer upload. + * Resolver: fixed off-by-one write in ngx_resolver_copy() (CVE-2021-23017) + (Closes: #989095) + + -- Salvatore Bonaccorso <[email protected]> Sat, 29 May 2021 16:21:37 +0200 + nginx (1.18.0-6) unstable; urgency=medium * Fix GCC-10 compatibility (Closes: #957605). diff -Nru nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch --- nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch 1970-01-01 01:00:00.000000000 +0100 +++ nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch 2021-05-29 16:21:37.000000000 +0200 
@@ -0,0 +1,39 @@ +From: Maxim Dounin <[email protected]> +Date: Tue, 25 May 2021 15:17:36 +0300 +Subject: Resolver: fixed off-by-one write in ngx_resolver_copy(). +Origin: https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf +Bug-Debian: https://bugs.debian.org/989095 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-23017 + +Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH. +--- + src/core/ngx_resolver.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index 793907010278..63b26193df4f 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -4008,15 +4008,15 @@ done: + n = *src++; + + } else { ++ if (dst != name->data) { ++ *dst++ = '.'; ++ } ++ + ngx_strlow(dst, src, n); + dst += n; + src += n; + + n = *src++; +- +- if (n != 0) { +- *dst++ = '.'; +- } + } + + if (n == 0) { +-- +2.31.1 + diff -Nru nginx-1.18.0/debian/patches/series nginx-1.18.0/debian/patches/series --- nginx-1.18.0/debian/patches/series 2020-08-19 15:11:02.000000000 +0200 +++ nginx-1.18.0/debian/patches/series 2021-05-29 16:21:37.000000000 +0200 @@ -1,3 +1,4 @@ 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch 0003-define_gnu_source-on-other-glibc-based-platforms.patch CVE-2019-20372.patch +Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
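Review bot: In the src/core/ngx_resolver.c hunk, the new `if (dst != name->data)` guard at the top of the else branch has no comment explaining why the '.' separator is now written before a label is copied rather than after it. The removed lines wrote the separator whenever the next length byte was non-zero (`if (n != 0)`), before anything had established that another label would actually be copied; the new placement writes it only when a label is about to be copied and a previous one already sits in the buffer. A one-line comment to that effect would make the invariant harder to undo later. Since the patch is taken verbatim from the upstream commit named in Origin, that comment is better proposed upstream than carried as a Debian delta. The debdiff also touches only debian/changelog, the new patch file and debian/patches/series, so the PoC run mentioned under [ Tests ] is the only coverage; recording how it was run in the bug would let the release team repeat it.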
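Review bot: In the debian/patches/series hunk, the new entry is named after the upstream subject line (Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch) while the security fix listed directly above it is named by its identifier (CVE-2019-20372.patch). Naming the file by its CVE id, or prefixing the id to the current name, would keep security patches findable the same way in the patch directory; the CVE id currently appears only in the changelog entry and in the Bug-Debian-Security header inside the patch.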

