Updated patch for CVE-2013-2070?

Hello.

As stated here
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708164), the patch
nginx developers wrote for fixing CVE-2013-2070 is not 100% correct C.

This is a big issue for us (I’m part of the nginx debian packaging
team), because this patch can be applied on the Debian Wheezy’s packages
(1.2.1) but won’t be accepted in the repositories because the patch can
create new security issues.

Does anyone has an updated version of this patch ?

Thanks.


Cyril “Davromaniak” Lavier
KeyID 59E9A881
http://www.davromaniak.eu

Hello!

On Fri, Jun 07, 2013 at 08:37:49AM +0200, Cyril Lavier wrote:

Hello.

As stated here
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708164), the patch
nginx developers wrote for fixing CVE-2013-2070 is not 100% correct C.

From standards point of view - yes, the patch in question might
not be enough and the check might be, in theory, optimized out by
a compiler.

It’s not a practical problem though.

This is a big issue for us (I’m part of the nginx debian packaging
team), because this patch can be applied on the Debian Wheezy’s packages
(1.2.1) but won’t be accepted in the repositories because the patch can
create new security issues.

The patch can’t create new security issues as in worst
(theoretical) case the check added will be optimized out by a
compiler.


Maxim D.
http://nginx.org/en/donation.html