Hello community, here is the log from the commit of package nginx-0.8 for openSUSE:11.4:Update:Test checked in at 2012-03-26 15:40:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:11.4:Update:Test/nginx-0.8 (Old) and /work/SRC/openSUSE:11.4:Update:Test/.nginx-0.8.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "nginx-0.8", Maintainer is "schubi@suse.com" Changes: -------- --- /work/SRC/openSUSE:11.4:Update:Test/nginx-0.8/nginx-0.8.changes 2012-03-19 17:46:55.000000000 +0100 +++ /work/SRC/openSUSE:11.4:Update:Test/.nginx-0.8.new/nginx-0.8.changes 2012-03-26 15:40:57.000000000 +0200 @@ -1,0 +2,6 @@ +Mon Mar 19 14:36:56 UTC 2012 - schubi@suse.com + +- Fixed VUL-0: CVE-2012-1180 nginx: information leak + (bnc #752482) + +------------------------------------------------------------------- New: ---- nginx-CVE-2012-1180.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx-0.8.spec ++++++ --- /var/tmp/diff_new_pack.5ceOk8/_old 2012-03-26 15:40:57.000000000 +0200 +++ /var/tmp/diff_new_pack.5ceOk8/_new 2012-03-26 15:40:57.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package nginx-0.8 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -59,6 +59,8 @@ Patch4: nginx-0.6.31_default_config.patch # PATCH-FIX-UPSTREAM Patch5: nginx_heap_overflow_4315.patch +# PATCH CVE-2012-1180 +Patch6: nginx-CVE-2012-1180.patch BuildRequires: dos2unix BuildRequires: gd-devel 
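Review bot: The comment added above `Patch6:` in the `@@ -59,6 +59,8 @@` hunk of nginx-0.8.spec reads `# PATCH CVE-2012-1180`, which does not follow the `# PATCH-FIX-UPSTREAM` tag style used for Patch5 directly above it. It also omits the bug reference that the changelog entry carries. Something like `# PATCH-FIX-UPSTREAM nginx-CVE-2012-1180.patch bnc#752482 -- CVE-2012-1180 information leak` would keep the patch traceable from the spec alone. Use the upstream tag only if this is in fact a backport of the upstream fix, which the page does not state.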
@@ -97,6 +99,7 @@ %patch3 %patch4 %patch5 +%patch6 dos2unix contrib/geo2nginx.pl %build ++++++ nginx-CVE-2012-1180.patch ++++++ --- src/http/modules/ngx_http_fastcgi_module.c +++ src/http/modules/ngx_http_fastcgi_module.c @@ -1438,10 +1438,11 @@ h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, - h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, - h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; + } h->hash = r->header_hash; --- src/http/modules/ngx_http_proxy_module.c +++ src/http/modules/ngx_http_proxy_module.c @@ -1276,8 +1276,10 @@ h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); --- src/http/modules/ngx_http_scgi_module.c +++ src/http/modules/ngx_http_scgi_module.c 
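Review bot: The new copy sequence in the `@@ -1438,10 +1438,11 @@` hunk of ngx_http_fastcgi_module.c carries no comment saying why `ngx_cpystrn()` was dropped, so a later cleanup could easily reintroduce it. `ngx_cpystrn()` stops at the first NUL byte while `h->key.len` and `h->value.len` still describe the full span, so the bytes after an embedded NUL are presumably whatever the allocation held before; the allocation itself is outside the hunk. I would add `/* copy exactly key.len/value.len bytes: ngx_cpystrn() stops at NUL and leaves the tail uninitialized */` above the first `ngx_memcpy()` here and above the identical sequences in the proxy, scgi and uwsgi hunks. The same four lines are now repeated in four modules, so a shared helper would be worth considering. This hunk also appears to add an empty line before the closing brace, which the other three do not.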
@@ -884,8 +884,10 @@ h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); --- src/http/modules/ngx_http_uwsgi_module.c +++ src/http/modules/ngx_http_uwsgi_module.c @@ -934,8 +934,10 @@ h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); --- src/http/ngx_http_parse.c +++ src/http/ngx_http_parse.c @@ -813,6 +813,10 @@ break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } + r->invalid_header = 1; break; @@ -875,6 +879,9 @@ break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } r->invalid_header = 1; break; @@ -893,6 +900,8 @@ r->header_start = p; r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; default: r->header_start = p; state = sw_value; @@ -914,6 +923,8 @@ case LF: r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; } break; 
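Review bot: The NUL checks added in ngx_http_parse.c return `NGX_HTTP_PARSE_INVALID_HEADER` ahead of the existing `r->invalid_header = 1; break;` path, but nothing in the hunks says why NUL is a hard error while other bad bytes are only flagged. A short comment at the first check in the `@@ -813,6 +813,10 @@` hunk, for example `/* reject NUL: header names and values are later handled as NUL-terminated strings */`, would record the intent for the checks in the `-875`, `-893`, `-914` and `-927` hunks as well. The parser function starts and ends outside these hunks, so it is not visible whether every state that consumes a header byte is covered; that is worth confirming against the full switch. On style, the check in the `@@ -875,6 +879,9 @@` hunk lacks the blank line after its closing brace that the first check has.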
@@ -927,6 +938,8 @@
 break;
 case LF:
 goto done;
+ case '\0':
+ return NGX_HTTP_PARSE_INVALID_HEADER;
 default:
 state = sw_value;
 break;
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org