[nginx/el5] Update for CVE-2012-1180
jjh
jjh at fedoraproject.org
Sun Mar 18 02:40:09 UTC 2012
commit b1128a596a69140f184814ad3455efa1c2f53618
Author: Jeremy Hinegardner <jeremy at hinegardner.org>
Date: Sat Mar 17 20:40:04 2012 -0600
Update for CVE-2012-1180
nginx.CVE-2012-1180.patch | 113 +++++++++++++++++++++++++++++++++++++++++++++
nginx.spec | 7 ++-
2 files changed, 119 insertions(+), 1 deletions(-)
---
diff --git a/nginx.CVE-2012-1180.patch b/nginx.CVE-2012-1180.patch
new file mode 100644
index 0000000..940d1ce
--- /dev/null
+++ b/nginx.CVE-2012-1180.patch
@@ -0,0 +1,113 @@
+--- src/http/modules/ngx_http_fastcgi_module.c
++++ src/http/modules/ngx_http_fastcgi_module.c
+@@ -1501,10 +1501,10 @@ ngx_http_fastcgi_process_header(ngx_http
+ h->lowcase_key = h->key.data + h->key.len + 1
+ + h->value.len + 1;
+
+- ngx_cpystrn(h->key.data, r->header_name_start,
+- h->key.len + 1);
+- ngx_cpystrn(h->value.data, r->header_start,
+- h->value.len + 1);
++ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
++ h->key.data[h->key.len] = '\0';
++ ngx_memcpy(h->value.data, r->header_start, h->value.len);
++ h->value.data[h->value.len] = '\0';
+ }
+
+ h->hash = r->header_hash;
+--- src/http/modules/ngx_http_proxy_module.c
++++ src/http/modules/ngx_http_proxy_module.c
+@@ -1381,8 +1381,10 @@ ngx_http_proxy_process_header(ngx_http_r
+ h->value.data = h->key.data + h->key.len + 1;
+ h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
+
+- ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
+- ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
++ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
++ h->key.data[h->key.len] = '\0';
++ ngx_memcpy(h->value.data, r->header_start, h->value.len);
++ h->value.data[h->value.len] = '\0';
+
+ if (h->key.len == r->lowcase_index) {
+ ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
+--- src/http/modules/ngx_http_scgi_module.c
++++ src/http/modules/ngx_http_scgi_module.c
+@@ -941,8 +941,10 @@ ngx_http_scgi_process_header(ngx_http_re
+ h->value.data = h->key.data + h->key.len + 1;
+ h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
+
+- ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
+- ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
++ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
++ h->key.data[h->key.len] = '\0';
++ ngx_memcpy(h->value.data, r->header_start, h->value.len);
++ h->value.data[h->value.len] = '\0';
+
+ if (h->key.len == r->lowcase_index) {
+ ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
+--- src/http/modules/ngx_http_uwsgi_module.c
++++ src/http/modules/ngx_http_uwsgi_module.c
+@@ -985,8 +985,10 @@ ngx_http_uwsgi_process_header(ngx_http_r
+ h->value.data = h->key.data + h->key.len + 1;
+ h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
+
+- ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
+- ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
++ ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
++ h->key.data[h->key.len] = '\0';
++ ngx_memcpy(h->value.data, r->header_start, h->value.len);
++ h->value.data[h->value.len] = '\0';
+
+ if (h->key.len == r->lowcase_index) {
+ ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len);
+--- src/http/ngx_http_parse.c
++++ src/http/ngx_http_parse.c
+@@ -874,6 +874,10 @@ ngx_http_parse_header_line(ngx_http_requ
+ break;
+ }
+
++ if (ch == '\0') {
++ return NGX_HTTP_PARSE_INVALID_HEADER;
++ }
++
+ r->invalid_header = 1;
+
+ break;
+@@ -936,6 +940,10 @@ ngx_http_parse_header_line(ngx_http_requ
+ break;
+ }
+
++ if (ch == '\0') {
++ return NGX_HTTP_PARSE_INVALID_HEADER;
++ }
++
+ r->invalid_header = 1;
+
+ break;
+@@ -954,6 +962,8 @@ ngx_http_parse_header_line(ngx_http_requ
+ r->header_start = p;
+ r->header_end = p;
+ goto done;
++ case '\0':
++ return NGX_HTTP_PARSE_INVALID_HEADER;
+ default:
+ r->header_start = p;
+ state = sw_value;
+@@ -975,6 +985,8 @@ ngx_http_parse_header_line(ngx_http_requ
+ case LF:
+ r->header_end = p;
+ goto done;
++ case '\0':
++ return NGX_HTTP_PARSE_INVALID_HEADER;
+ }
+ break;
+
+@@ -988,6 +1000,8 @@ ngx_http_parse_header_line(ngx_http_requ
+ break;
+ case LF:
+ goto done;
++ case '\0':
++ return NGX_HTTP_PARSE_INVALID_HEADER;
+ default:
+ state = sw_value;
+ break;
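Review bot: The four `*_process_header` changes (fastcgi, proxy, scgi, uwsgi) swap `ngx_cpystrn` for `ngx_memcpy` plus an explicit terminator without a comment saying why, and that choice is the part a later cleanup is most likely to undo. `ngx_cpystrn` stops at the first NUL byte in the source, so a header containing one would leave the rest of the `key.len`/`value.len`-sized buffer unwritten while the length fields still cover it; a line such as `/* copy by length: a NUL inside the header must not end the copy early */` above each pair would record that. The terminator writes at `h->key.data[h->key.len]` and `h->value.data[h->value.len]` rely on the allocation reserving one extra byte per field, which the `+ 1` offsets in the context lines imply, but the allocation itself is outside these hunks. The `'\0'` rejections in `ngx_http_parse_header_line` cover only the states visible here; the function's other states are not shown.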
diff --git a/nginx.spec b/nginx.spec
index 3884ab3..f41283c 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -9,7 +9,7 @@
Name: nginx
Version: 0.8.55
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Robust, small and high performance HTTP and reverse proxy server
Group: System Environment/Daemons
@@ -48,6 +48,7 @@ Source104: 404.html
# removes -Werror in upstream build scripts. -Werror conflicts with
# -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
Patch0: nginx-auto-cc-gcc.patch
+Patch1: nginx.CVE-2012-1180.patch
%description
Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3
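Review bot: `Patch1:` is added directly under the comment that describes `Patch0`, with no comment of its own, so the spec does not say where the CVE fix was taken from or which upstream release it corresponds to. A line above it such as `# Fix for CVE-2012-1180, backported from upstream: <UPSTREAM_PATCH_URL>` would let a later reviewer compare the carried patch against its source and know when it can be dropped.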
@@ -57,6 +58,7 @@ proxy server written by Igor Sysoev.
%setup -q
%patch0 -p0
+%patch1 -p0
%build
# nginx does not utilize a standard configure script. It has its own
@@ -191,6 +193,9 @@ fi
%changelog
+* Sat Mar 17 2012 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.8.55-2
+- patch for CVE-2012-1180
+
* Mon Aug 29 2011 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.8.55-1
- Update to legacy stable 0.8.55
- fix bug #717078