[nginx-announce] security advisory

Maxim Dounin mdounin at mdounin.ru
Thu Apr 12 13:28:08 UTC 2012


Hello!

Matthew Daley discovered a security problem in the 
ngx_http_mp4_module, CVE-2012-2089.

A specially crafted mp4 file might allow to overwrite memory 
locations in a worker process if the ngx_http_mp4_module is 
used, potentially resulting in arbitrary code execution.

The problem affects nginx 1.1.3+, 1.0.7+ built with the 
ngx_http_mp4_module (the module is not built by default) and 
the "mp4" directive is used in a configuration file.

The problem is fixed in 1.1.19, 1.0.15.

Patch for the problem can be found here:

http://nginx.org/download/patch.2012.mp4.txt

Maxim Dounin



More information about the nginx-announce mailing list