
Bug#989359: marked as done (unblock: nginx/1.18.0-6.1)



Your message dated Tue, 01 Jun 2021 22:37:32 +0000
with message-id <E1loD0u-0003kn-Jv@respighi.debian.org>
and subject line unblock nginx
has caused the Debian Bug report #989359,
regarding unblock: nginx/1.18.0-6.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989359
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org

Hi Release team,

Please unblock package nginx

[ Reason ]
nginx in bullseye's version is affected by CVE-2021-23017, as reported
in https://www.openwall.com/lists/oss-security/2021/05/25/5 .


[ Impact ]
https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html
The vulnerability might allow an attacker to cause a 1-byte memory
overwrite by using a specially crafted DNS response. The effect is a
denial of service (or potentially could result in arbitrary code
execution).

For buster DSA 4921-1 was released for this issue.

Not letting the fix in is definitely as well regressing security-wise
from buster to bullseye updates. So we should try to avoid that.

[ Tests ]
Done against explicit test setup/poc as provided by the reporters of
the issue.

[ Risks ]
We use the overviewable upstream patch, which was both applied for the
unstable upload and used as well in DSA 4921-1. 

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None needed.

unblock nginx/1.18.0-6.1

Thanks for your work!

Regards,
Salvatore
diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog
--- nginx-1.18.0/debian/changelog	2020-08-19 15:27:02.000000000 +0200
+++ nginx-1.18.0/debian/changelog	2021-05-29 16:21:37.000000000 +0200
@@ -1,3 +1,11 @@
+nginx (1.18.0-6.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Resolver: fixed off-by-one write in ngx_resolver_copy() (CVE-2021-23017)
+    (Closes: #989095)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 29 May 2021 16:21:37 +0200
+
 nginx (1.18.0-6) unstable; urgency=medium
 
   * Fix GCC-10 compatibility (Closes: #957605).
diff -Nru nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
--- nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch	1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch	2021-05-29 16:21:37.000000000 +0200
@@ -0,0 +1,39 @@
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Tue, 25 May 2021 15:17:36 +0300
+Subject: Resolver: fixed off-by-one write in ngx_resolver_copy().
+Origin: https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf
+Bug-Debian: https://bugs.debian.org/989095
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-23017
+
+Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.
+---
+ src/core/ngx_resolver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index 793907010278..63b26193df4f 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ done:
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {
+-- 
+2.31.1
+
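Review bot: The added guard `if (dst != name->data)` at the top of the else branch carries the whole fix, yet nothing in the hunk records why the '.' has to be written before the label rather than after the next length byte is read. The removed `if (n != 0)` block wrote the separator as soon as the next length byte was non-zero; the added block writes it only when a label is about to be copied by ngx_strlow(). A one-line comment above the guard saying so would make the ordering harder to undo in a later refactor. The allocation of name->data is outside the visible context, so it is also worth confirming that its length counts exactly one separator between consecutive labels and none after the last, which is what the new write pattern assumes.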
diff -Nru nginx-1.18.0/debian/patches/series nginx-1.18.0/debian/patches/series
--- nginx-1.18.0/debian/patches/series	2020-08-19 15:11:02.000000000 +0200
+++ nginx-1.18.0/debian/patches/series	2021-05-29 16:21:37.000000000 +0200
@@ -1,3 +1,4 @@
 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 CVE-2019-20372.patch
+Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
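Review bot: The entry added on the last line is named after the upstream commit subject, while the entry directly above it, `CVE-2019-20372.patch`, is named by its CVE id. Naming the new file by CVE-2021-23017 (the id given in the changelog hunk), or prefixing the id to the current name, would keep the security fixes in debian/patches findable by one convention. The position at the end of the series is fine as shown, since none of the earlier entries are changed.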

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
