Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)
I understand if this patch may not be 100% correct, but if I read the references correctly, the error is more of a theoretical than a practical concern since this particular compiler optimization is not likely to be implemented in the GNU compiler. Do we really think that GNU would include an optimization that broke 95% of the bounds checking implementations existing in the wild?
Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)
I believe I may have found a way around inspecting the compiled code for this check. The GNU compiler has the following option:

-fwrapv
    This option instructs the compiler to assume that signed arithmetic overflow of addition, subtraction and multiplication wraps around using twos-complement representation. This flag enables some optimizations and disables others. This option is enabled by default for the Java front-end, as required by the Java language specification.

I believe if this option is enabled for the nginx build, the correct optimizations will be disabled, and the overflow check will serve its intended purpose for all twos-complement arithmetic platforms (e.g. x86, and probably all other relevant architectures).

wintermute...@yahoo.com
Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)
On 05/13/2013 09:15 PM, Florian Weimer wrote:
> * Thijs Kinkhorst:
>
>> A buffer overflow in the proxy_pass module has been reported by Nginx
>> upstream, and a patch made available. Please see:
>> http://www.openwall.com/lists/oss-security/2013/05/13/3
>>
>> The issue is already fixed in the version in sid, and as far as I can see
>> the code is not present in squeeze. Can you ensure that (a) the RC bug
>> against nginx in sid is dealt with so the fixed package can migrate to
>> jessie, and (b) prepare an update to wheezy?
>
> Note that the upstream patch is not 100% correct C (the overflow check
> can be optimized by the compiler). Therefore, the generated assembly
> has to be inspected to ensure that the check is actually in place.
>
> Here's a bit of background information:
>
> http://cert.uni-stuttgart.de/ticker/advisories/c-integer-overflow.html
> https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow

Hello Florian.

Except the patch is not 100% correct C, does it sound risky on the security side to patch nginx stable (1.2.1-2.2)?

Thanks.

--
Cyril Davromaniak Lavier
KeyID 59E9A881
http://www.davromaniak.eu

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)
Package: nginx
Version: 1.2.1-2.2
Severity: serious
Tags: security patch

Hi,

A buffer overflow in the proxy_pass module has been reported by Nginx upstream, and a patch made available. Please see:
http://www.openwall.com/lists/oss-security/2013/05/13/3

The issue is already fixed in the version in sid, and as far as I can see the code is not present in squeeze. Can you ensure that (a) the RC bug against nginx in sid is dealt with so the fixed package can migrate to jessie, and (b) prepare an update to wheezy?

Thanks,
Thijs
Bug#708164: nginx proxy_pass buffer overflow (CVE-2013-2070)
* Thijs Kinkhorst:

> A buffer overflow in the proxy_pass module has been reported by Nginx
> upstream, and a patch made available. Please see:
> http://www.openwall.com/lists/oss-security/2013/05/13/3
>
> The issue is already fixed in the version in sid, and as far as I can see
> the code is not present in squeeze. Can you ensure that (a) the RC bug
> against nginx in sid is dealt with so the fixed package can migrate to
> jessie, and (b) prepare an update to wheezy?

Note that the upstream patch is not 100% correct C (the overflow check can be optimized by the compiler). Therefore, the generated assembly has to be inspected to ensure that the check is actually in place.

Here's a bit of background information:

http://cert.uni-stuttgart.de/ticker/advisories/c-integer-overflow.html
https://www.securecoding.cert.org/confluence/display/seccode/INT32-C.+Ensure+that+operations+on+signed+integers+do+not+result+in+overflow
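The concern raised in this thread, as an added example (not the nginx patch and not code posted by any participant): a signed overflow check performed after the addition relies on undefined behaviour, while a check against the type limits before the addition is well-defined C, as INT32-C recommends. The function names and the `size`/`len` parameters are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Fragile form: tests for wraparound after the signed addition has already
 * been performed. Signed overflow is undefined behaviour in C, so an
 * optimizing compiler may assume it never happens and remove the branch
 * unless the build uses -fwrapv. */
static int add_checked_fragile(long long size, long long len, long long *out)
{
    long long sum = size + len;        /* undefined if this overflows */
    if (len >= 0 && sum < size) {      /* may be folded to "never true" */
        return -1;
    }
    *out = sum;
    return 0;
}

/* Well-defined form: compare against the limits before adding, so no
 * overflowing operation is ever evaluated. */
static int add_checked_safe(long long size, long long len, long long *out)
{
    if ((len > 0 && size > LLONG_MAX - len) ||
        (len < 0 && size < LLONG_MIN - len)) {
        return -1;                     /* would overflow: reject */
    }
    *out = size + len;
    return 0;
}

int main(void)
{
    long long r = 0;

    /* Constructed inputs. The fragile result depends on compiler,
     * optimization level and -fwrapv; the safe result does not. */
    printf("fragile: %d\n", add_checked_fragile(LLONG_MAX, 1, &r));
    printf("safe:    %d\n", add_checked_safe(LLONG_MAX, 1, &r));
    return 0;
}
```

Building this at different optimization levels, with and without `-fwrapv`, and comparing the `fragile` line is a quick stand-in for the assembly inspection the thread asks for.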