Updated patch for CVE-2013-2070 ?

Maxim Dounin mdounin at mdounin.ru
Fri Jun 7 13:28:55 UTC 2013


Hello!

On Fri, Jun 07, 2013 at 08:37:49AM +0200, Cyril Lavier wrote:

> Hello.
> 
> As stated here
> (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708164), the patch
> nginx developers wrote for fixing CVE-2013-2070 is not 100% correct C.

From a standards point of view - yes, the patch in question might 
not be enough and the check might be, in theory, optimized out by 
a compiler.

It's not a practical problem though.

> This is a big issue for us (I'm part of the nginx debian packaging
> team), because this patch can be applied on the Debian Wheezy's packages
> (1.2.1) but won't be accepted in the repositories because the patch can
> create new security issues.

The patch can't create new security issues as in worst 
(theoretical) case the check added will be optimized out by a 
compiler.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
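The point under discussion, that a sign check placed after signed arithmetic may be removed by the compiler because signed overflow is undefined behaviour in C, is illustrated below with an added example. This is not nginx's code and not the patch for CVE-2013-2070; it is a hypothetical hexadecimal chunk-size accumulator written for this page, showing the fragile post-check form next to a form that rejects overflow before it can happen. The function names and the use of a 64-bit signed accumulator are my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Map one ASCII hex digit to its value, or -1 if it is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * The pattern the thread talks about: accumulate into a signed integer,
 * let it overflow, then test the sign.  Signed overflow is undefined
 * behaviour in C, so a compiler is entitled to assume `size` never wraps
 * and may delete the `size < 0` test.  Kept here for contrast only.
 */
int parse_chunk_size_postcheck(const char *s, int64_t *out)
{
    int64_t size = 0;

    if (*s == '\0') return -1;              /* empty field is not a size */

    for (; *s; s++) {
        int d = hexval(*s);
        if (d < 0) return -1;

        size = size * 16 + d;               /* may overflow: undefined */
        if (size < 0) return -1;            /* check the compiler may drop */
    }

    *out = size;
    return 0;
}

/*
 * Hardened form: prove the next step cannot overflow *before* doing it.
 * size * 16 + d <= INT64_MAX  <=>  size <= (INT64_MAX - d) / 16, and every
 * operand in that comparison is in range, so no undefined behaviour is
 * ever reached and the check cannot be optimised away.
 */
int parse_chunk_size_precheck(const char *s, int64_t *out)
{
    int64_t size = 0;

    if (*s == '\0') return -1;

    for (; *s; s++) {
        int d = hexval(*s);
        if (d < 0) return -1;

        if (size > (INT64_MAX - d) / 16) return -1;   /* would overflow */
        size = size * 16 + d;
    }

    *out = size;
    return 0;
}

/* Convenience wrapper: parsed value, or -1 on any error (valid sizes are never negative). */
int64_t chunk_size_or_neg(const char *s)
{
    int64_t v;
    return parse_chunk_size_precheck(s, &v) == 0 ? v : -1;
}

int main(void)
{
    /* Constructed inputs: a small size, INT64_MAX exactly, and one past it. */
    const char *inputs[] = { "1f", "7fffffffffffffff", "8000000000000000" };
    size_t n = sizeof inputs / sizeof inputs[0];

    for (size_t i = 0; i < n; i++)
        printf("%-18s -> %lld\n", inputs[i], (long long) chunk_size_or_neg(inputs[i]));

    return 0;
}
```

The pre-check form is the one to ship; the post-check form is only safe if the build forces wrapping semantics (GCC and Clang accept `-fwrapv`), and `-fsanitize=signed-integer-overflow` will flag the overflow at runtime in a test build, which is the quickest way to confirm whether a given check is of the fragile kind.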
