Bug#989095: nginx: CVE-2021-23017: DNS Resolver off-by-one heap write vulnerability


Salvatore Bonaccorso

May 25, 2021, 2:50:02 PM
Source: nginx
Version: 1.18.0-6
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>
Control: found -1 1.14.2-2+deb10u3
Control: found -1 1.14.2-2

Hi,

The following vulnerability was published for nginx.

CVE-2021-23017[0]:
| DNS Resolver off-by-one heap write vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23017
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017
[1] https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html

Regards,
Salvatore
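An added illustration, not part of this bug report, the debdiff, or nginx's own source: a constructed C model of the bug class the advisory title names, an off-by-one heap write in a DNS name decoder. A two-pass decoder sizes the name first and copies it second; the vulnerable copy pass writes a label separator in one situation the sizing pass never counted, and the hardened copy pass beside it writes the separator only once a real label is known to follow and refuses any write past the size it was given. The wire fragment, function names, hop limit and the specific miscount are assumptions chosen for the demonstration, not a description of the actual nginx defect.

```c
/* Added model of the bug class the advisory names (off-by-one heap write in a
 * DNS name decoder). Not nginx's ngx_resolver.c: wire layout, function names,
 * hop limit and the exact miscount are assumptions made for this demonstration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_HOPS 128 /* assumed cap on labels plus compression-pointer hops */

/* Pass 1: length of the dotted name at buf[off], or -1 if malformed. */
static long name_len(const uint8_t *buf, size_t buflen, size_t off)
{
    long len = 0, labels = 0; size_t p = off;
    for (int hops = 0; hops < MAX_HOPS; hops++) {
        if (p >= buflen) return -1;
        unsigned n = buf[p++];
        if (n == 0) return labels ? len + labels - 1 : 0;  /* '.' between labels */
        if ((n & 0xC0) == 0xC0) {                          /* compression pointer */
            if (p >= buflen) return -1;
            p = ((n & 0x3F) << 8) | buf[p];
            continue;
        }
        if ((n & 0xC0) || p + n > buflen) return -1;       /* reserved / truncated */
        len += n; labels++; p += n;
    }
    return -1;                                              /* pointer loop */
}

/* Pass 2, vulnerable: writes '.' whenever the byte after a label is nonzero, and a
 * pointer byte is nonzero too, so label + pointer-to-root gets an uncounted '.'. */
static size_t name_copy_buggy(const uint8_t *buf, size_t off, char *dst)
{
    size_t p = off, w = 0; unsigned n = buf[p++];  /* no bounds checks: demo input only */
    for (int hops = 0; hops < MAX_HOPS; hops++) {
        if (n & 0xC0) {
            p = ((n & 0x3F) << 8) | buf[p];
            n = buf[p++];
        } else {
            memcpy(dst + w, buf + p, n); w += n; p += n;
            n = buf[p++];
            if (n != 0) dst[w++] = '.';    /* BUG: one byte past the sized length */
        }
        if (n == 0) return w;
    }
    return w;
}

/* Pass 2, hardened: '.' goes before a label, only once a real label is known
 * to follow, and every write is checked against cap. */
static long name_copy_fixed(const uint8_t *buf, size_t buflen, size_t off,
                            char *dst, size_t cap)
{
    size_t p = off, w = 0;
    for (int hops = 0; hops < MAX_HOPS; hops++) {
        if (p >= buflen) return -1;
        unsigned n = buf[p++];
        if (n == 0) return (long) w;
        if ((n & 0xC0) == 0xC0) {
            if (p >= buflen) return -1;
            p = ((n & 0x3F) << 8) | buf[p];
            continue;                                       /* pointers emit nothing */
        }
        if ((n & 0xC0) || p + n > buflen) return -1;
        if (w + (w ? 1 : 0) + n > cap) return -1;           /* would overrun: refuse */
        if (w) dst[w++] = '.';
        memcpy(dst + w, buf + p, n); w += n; p += n;
    }
    return -1;
}

/* Constructed answer fragment: 12 header bytes, root label at 12, "a" + pointer
 * ->12 at 13, "www" + pointer->13 at 17, and a reserved label type 0x40 at 23. */
static const uint8_t msg[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00,
    0x01, 'a', 0xC0, 0x0C, 0x03, 'w', 'w', 'w', 0xC0, 0x0D, 0x40,
};

/* Bytes the buggy copy writes beyond what pass 1 sized. The 16 bytes of slack
 * keep this model from corrupting the heap; drop them to see ASan/valgrind fire. */
long buggy_overrun(size_t off)
{
    long len = name_len(msg, sizeof msg, off);
    if (len < 0) return -1;
    char *dst = malloc((size_t) len + 16);
    if (!dst) return -1;
    long w = (long) name_copy_buggy(msg, off, dst);
    free(dst);
    return w - len;
}

/* Hardened decode of the name at off: string in a static buffer, or NULL on error. */
const char *fixed_decode(size_t off)
{
    static char out[256];
    long len = name_len(msg, sizeof msg, off);
    if (len < 0 || (size_t) len + 1 > sizeof out) return NULL;
    if (name_copy_fixed(msg, sizeof msg, off, out, (size_t) len) != len) return NULL;
    out[len] = '\0';
    return out;
}
```

Removing the 16 bytes of slack in buggy_overrun turns the model's extra byte into a real heap overflow that valgrind or AddressSanitizer reports, which is the kind of signal a PoC-plus-valgrind check relies on; the hardened path instead returns an error before any byte is written past the computed size.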

Anton Luka Šijanec

May 26, 2021, 4:30:02 PM
Hello!

> If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I made a debdiff for myself according to upstream instructions from the patch [0]. It is attached to this e-mail.
Link to the upstream patch was found here:
https://security-tracker.debian.org/tracker/CVE-2021-23017

Note that the upstream patch by nginx is for fresh nginx versions, whereas my debdiff targets the 1.14.2-2+deb10u3 release in Debian 10 (buster), so there's a small possibility that the mentioned patch might not be enough to fix the vulnerability. But I tested the patch on the PoC Python script that the research team provided and valgrind did not report invalid reads like it did in the current version in the Debian repos.

Applying my patch and building package:
apt-get source nginx
cd nginx-1.14.2
curl https://of.sijanec.eu/krneki/ngx-debdiff.txt | debdiff-apply
# edit debian/changelog to set the target version (by default debdiff adds .1 to previous version), probably 1.14.2-2+deb10u4
debuild -uc -us

Regards!

[0] http://nginx.org/download/patch.2021.resolver.txt
ngx-debdiff.txt

Debian Bug Tracking System

May 29, 2021, 11:10:03 AM
Processing control commands:

> tags 989095 + patch
Bug #989095 [src:nginx] nginx: CVE-2021-23017: DNS Resolver off-by-one heap write vulnerability
Added tag(s) patch.
> tags 989095 + pending
Bug #989095 [src:nginx] nginx: CVE-2021-23017: DNS Resolver off-by-one heap write vulnerability
Added tag(s) pending.

--
989095: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989095
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Debian Bug Tracking System

May 30, 2021, 2:10:04 PM
Your message dated Sun, 30 May 2021 18:02:08 +0000
with message-id <E1lnPlI-...@fasolo.debian.org>
and subject line Bug#989095: fixed in nginx 1.14.2-2+deb10u4
has caused the Debian Bug report #989095,
regarding nginx: CVE-2021-23017: DNS Resolver off-by-one heap write vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

Debian Bug Tracking System

May 31, 2021, 11:30:03 AM
Your message dated Mon, 31 May 2021 15:18:27 +0000
with message-id <E1lnjgR-...@fasolo.debian.org>
and subject line Bug#989095: fixed in nginx 1.18.0-6.1