Version in base suite: 0.4.13-2
Version in overlay suite: 0.4.13-2+etch2
Base version: nginx_0.4.13-2
Target version: nginx_0.4.13-2+etch3
Base file: /org/ftp.debian.org/ftp/pool/main/n/nginx/nginx_0.4.13-2.dsc
Target file: /org/ftp.debian.org/queue/o-p-u-new/nginx_0.4.13-2+etch3.dsc
nginx-0.4.13/debian/changelog | 16 ++++++++++++++++
src/http/ngx_http_parse.c | 16 ++++++++++------
2 files changed, 26 insertions(+), 6 deletions(-)
diff -u nginx-0.4.13/debian/changelog nginx-0.4.13/debian/changelog
--- nginx-0.4.13/debian/changelog
+++ nginx-0.4.13/debian/changelog
@@ -1,3 +1,19 @@
+nginx (0.4.13-2+etch3) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix remote denial of service (segmentation fault): Null pointer
+ dereference if request ends on buffer boundary. Closes: #552035
+
+ -- Stefan Fritsch Sat, 24 Oct 2009 11:52:41 +0200
+
+nginx (0.4.13-2+etch2) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * Fix buffer underflow leading to arbitrary code execution
+ when processing dotted urls.
+
+ -- Nico Golde Sun, 13 Sep 2009 21:50:57 +0000
+
 nginx (0.4.13-2) unstable; urgency=low
 * Fixed default installation paths for www/ files, avoiding the
only in patch2:
unchanged:
--- nginx-0.4.13.orig/src/http/ngx_http_parse.c
+++ nginx-0.4.13/src/http/ngx_http_parse.c
@@ -643,6 +643,7 @@
 /* first char */
 case sw_start:
+ r->header_name_start = p;
 r->invalid_header = 0;
 switch (ch) {
@@ -655,7 +656,6 @@
 goto header_done;
 default:
 state = sw_name;
- r->header_name_start = p;
 c = lowcase[ch];
@@ -1024,11 +1024,15 @@
 #endif
 case '/':
 state = sw_slash;
- u -= 4;
- if (u < r->uri.data) {
- return NGX_HTTP_PARSE_INVALID_REQUEST;
- }
- while (*(u - 1) != '/') {
+ u -= 5;
+ for ( ;; ) {
+ if (u < r->uri.data) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+ if (*u == '/') {
+ u++;
+ break;
+ }
 u--;
 }
 break;
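Review bot: The assignment `r->header_name_start = p;` now placed directly under `case sw_start:` carries no comment saying why it must run before the inner `switch (ch)`, and with the matching removal from the `default:` branch in the `@@ -655,7 +656,6 @@` hunk it reads like a harmless reorder. Going by the changelog entry, this is the fix for the null pointer dereference when a request ends on a buffer boundary, so the ordering is load-bearing and a later cleanup could easily move it back. I would add `/* set for every first char, not only in default:, so header_name_start is never left unset */` above the assignment; how the pointer is consumed is not visible here, so confirm the wording against the code that reads it. The enclosing parser function starts and ends outside the hunk.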
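Review bot: In the `@@ -1024,11 +1024,15 @@` hunk the bounds check `if (u < r->uri.data)` runs only after `u -= 5;` has already moved the pointer, so when fewer than five bytes precede `u` the pointer is formed below the start of the buffer before it is compared. Nothing is dereferenced in that state, and every `*u` read is now preceded by the check, which is the underflow this change closes; still, forming and comparing an out-of-range pointer is undefined in C, and an optimizer is allowed to assume it cannot happen. Assuming `u` points into the buffer that begins at `r->uri.data` (the comparison implies it), testing the distance first is exact for the initial step: `if (u - r->uri.data < 5) { return NGX_HTTP_PARSE_INVALID_REQUEST; }` ahead of the subtraction. A one-line comment on why the step is 5 would also help, since the old code used 4 together with a `*(u - 1)` read. The enclosing `switch` and function lie outside the hunk.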