Your message dated Tue, 01 Jun 2021 22:37:32 +0000
with message-id <[email protected]>
and subject line unblock nginx
has caused the Debian Bug report #989359,
regarding unblock: nginx/1.18.0-6.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
989359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]

Hi Release team,

Please unblock package nginx

[ Reason ]
nginx in bullseye's version is affected by CVE-2021-23017, as reported
in https://www.openwall.com/lists/oss-security/2021/05/25/5 .


[ Impact ]
https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html
The vulnerability might allow an attacker to cause a 1-byte memory
overwrite by using a specially crafted DNS response. The effect is a
denial of service (or potentially could result in arbitrary code
execution).

For buster DSA 4921-1 was released for this issue.

Not letting the fix in is definitively as well regressing security-wise
from buster to bullseye updates. So we should try to avoid that.

[ Tests ]
Done against explicit test setup/poc as provided by the reporters of
the issue.

[ Risks ]
We use the overviewable upstream patch, which was both applied for the
unstable upload and used as well in DSA 4921-1. 

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None needed.

unblock nginx/1.18.0-6.1

Thanks for your work!

Regards,
Salvatore
diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog
--- nginx-1.18.0/debian/changelog       2020-08-19 15:27:02.000000000 +0200
+++ nginx-1.18.0/debian/changelog       2021-05-29 16:21:37.000000000 +0200
@@ -1,3 +1,11 @@
+nginx (1.18.0-6.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Resolver: fixed off-by-one write in ngx_resolver_copy() (CVE-2021-23017)
+    (Closes: #989095)
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 29 May 2021 16:21:37 +0200
+
 nginx (1.18.0-6) unstable; urgency=medium
 
   * Fix GCC-10 compatibility (Closes: #957605).
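
Review bot: the new 1.18.0-6.1 entry names the upstream fix, CVE-2021-23017 and the closed bug, but not the file it adds under debian/patches. Naming Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch in the bullet would let someone reading only d/changelog find the change without opening the series file.
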
diff -Nru 
nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
 
nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
--- 
nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
      2021-05-29 16:21:37.000000000 +0200
@@ -0,0 +1,39 @@
+From: Maxim Dounin <[email protected]>
+Date: Tue, 25 May 2021 15:17:36 +0300
+Subject: Resolver: fixed off-by-one write in ngx_resolver_copy().
+Origin: 
https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf
+Bug-Debian: https://bugs.debian.org/989095
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-23017
+
+Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.
+---
+ src/core/ngx_resolver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index 793907010278..63b26193df4f 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ done:
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {
+-- 
+2.31.1
+
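
Review bot: in the else branch of the embedded ngx_resolver.c hunk, the separator write now comes before ngx_strlow() and is gated on "dst != name->data" instead of on the next length byte "n", so its correctness depends on how name->data was sized, and that sizing code is outside the context lines shown. The patch header carries only the subject line and the reporters. A sentence or two of description stating why the old "if (n != 0)" placement could write one byte too many, and that the allocation matches the new write pattern, would make the patch reviewable on its own for later backports. No regression test is part of this debdiff, so the request's [ Tests ] section is the only record of verification.
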
diff -Nru nginx-1.18.0/debian/patches/series nginx-1.18.0/debian/patches/series
--- nginx-1.18.0/debian/patches/series  2020-08-19 15:11:02.000000000 +0200
+++ nginx-1.18.0/debian/patches/series  2021-05-29 16:21:37.000000000 +0200
@@ -1,3 +1,4 @@
 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 CVE-2019-20372.patch
+Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
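
Review bot: the new series entry is named after the upstream commit subject, while the previous security fix in the same file is named by identifier (CVE-2019-20372.patch). Carrying the CVE in the filename, for example CVE-2021-23017.patch, would keep the series searchable by CVE. Appending it as the last entry leaves the order of the three existing patches unchanged, which is fine.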

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
