bugfix and security update to 1.4.7:

CVE-2014-0133 does not affect OpenBSD because SPDY is not enabled

ok florian@

5 files changed, 40 insertions, 3 deletions

diff --git a/usr.sbin/nginx/CHANGES b/usr.sbin/nginx/CHANGES
index 3a6b9466ddb..4d9e62aa65b 100644
--- a/usr.sbin/nginx/CHANGES
+++ b/usr.sbin/nginx/CHANGES
@@ -1,4 +1,17 @@
 
+Changes with nginx 1.4.7                                         18 Mar 2014
+
+    *) Security: a heap memory buffer overflow might occur in a worker
+       process while handling a specially crafted request by
+       ngx_http_spdy_module, potentially resulting in arbitrary code
+       execution (CVE-2014-0133).
+       Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
+       Manuel Sadosky, Buenos Aires, Argentina.
+
+    *) Bugfix: in the "fastcgi_next_upstream" directive.
+       Thanks to Lucas Molas.
+
+
 Changes with nginx 1.4.6                                         04 Mar 2014
 
     *) Bugfix: the "client_max_body_size" directive might not work when
diff --git a/usr.sbin/nginx/CHANGES.ru b/usr.sbin/nginx/CHANGES.ru
index 186bb4670fc..2f9f3012ff5 100644
--- a/usr.sbin/nginx/CHANGES.ru
+++ b/usr.sbin/nginx/CHANGES.ru
@@ -1,4 +1,17 @@
 
+Изменения в nginx 1.4.7                                           18.03.2014
+
+    *) Безопасность: при обработке специально созданного запроса модулем
+       ngx_http_spdy_module могло происходить переполнение буфера в рабочем
+       процессе, что потенциально могло приводить к выполнению произвольного
+       кода (CVE-2014-0133).
+       Спасибо Lucas Molas из Programa STIC, Fundación Dr. Manuel Sadosky,
+       Buenos Aires, Argentina.
+
+    *) Исправление: в директиве fastcgi_next_upstream.
+       Спасибо Lucas Molas.
+
+
 Изменения в nginx 1.4.6                                           04.03.2014
 
     *) Исправление: директива client_max_body_size могла не работать при
diff --git a/usr.sbin/nginx/src/core/nginx.h b/usr.sbin/nginx/src/core/nginx.h
index 227e5f73568..77c88bf5f94 100644
--- a/usr.sbin/nginx/src/core/nginx.h
+++ b/usr.sbin/nginx/src/core/nginx.h
@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1004006
-#define NGINX_VERSION      "1.4.6"
+#define nginx_version      1004007
+#define NGINX_VERSION      "1.4.7"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #define NGINX_VAR          "NGINX"
diff --git a/usr.sbin/nginx/src/http/modules/ngx_http_fastcgi_module.c b/usr.sbin/nginx/src/http/modules/ngx_http_fastcgi_module.c
index f386926da64..e2427b4a885 100644
--- a/usr.sbin/nginx/src/http/modules/ngx_http_fastcgi_module.c
+++ b/usr.sbin/nginx/src/http/modules/ngx_http_fastcgi_module.c
@@ -1195,6 +1195,10 @@ ngx_http_fastcgi_reinit_request(ngx_http_request_t *r)
     f->fastcgi_stdout = 0;
     f->large_stderr = 0;
 
+    if (f->split_parts) {
+        f->split_parts->nelts = 0;
+    }
+
     r->state = 0;
 
     return NGX_OK;
@@ -1475,6 +1479,13 @@ ngx_http_fastcgi_process_header(ngx_http_request_t *r)
 
                     rc = ngx_http_parse_header_line(r, &buf, 1);
 
+                    if (rc != NGX_OK) {
+                        ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
+                                      "invalid header after joining "
+                                      "FastCGI records");
+                        return NGX_ERROR;
+                    }
+
                     h->key.len = r->header_name_end - r->header_name_start;
                     h->key.data = r->header_name_start;
                     h->key.data[h->key.len] = '\0';
diff --git a/usr.sbin/nginx/src/http/ngx_http_spdy.c b/usr.sbin/nginx/src/http/ngx_http_spdy.c
index f4f610a8227..99afbfca180 100644
--- a/usr.sbin/nginx/src/http/ngx_http_spdy.c
+++ b/usr.sbin/nginx/src/http/ngx_http_spdy.c
@@ -1465,7 +1465,7 @@ static u_char *
 ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc,
     u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler)
 {
-#if (NGX_DEBUG)
+#if 1
     if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) {
         ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0,
                       "spdy state buffer overflow: "