Updated patch for CVE-2013-2070 ?
Maxim Dounin
mdounin at mdounin.ru
Fri Jun 7 13:28:55 UTC 2013
Hello!
On Fri, Jun 07, 2013 at 08:37:49AM +0200, Cyril Lavier wrote:
> Hello.
>
> As stated here
> (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708164), the patch
> nginx developers wrote for fixing CVE-2013-2070 is not 100% correct C.
From standards point of view - yes, the patch in question might
not be enough and the check might be, in theory, optimized out by
a compiler.
It's not a practical problem though.
> This is a big issue for us (I'm part of the nginx debian packaging
> team), because this patch can be applied on the Debian Wheezy's packages
> (1.2.1) but won't be accepted in the repositories because the patch can
> create new security issues.
The patch can't create new security issues as in worst
(theoretical) case the check added will be optimized out by a
compiler.
--
Maxim Dounin
http://nginx.org/en/donation.html
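
The concern discussed in this thread, shown as an added example that is not part of the original message and is not the nginx patch: in C, signed integer overflow is undefined behaviour, so a sign test placed after the arithmetic may legally be removed by an optimizer, while a bound test placed before the arithmetic cannot. The hex size parser and all function names below are hypothetical, chosen only to illustrate the pattern.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper: value of a hex digit, or -1 if ch is not one. */
static int hex_val(unsigned char ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    ch |= 0x20;                                   /* fold A-F to a-f */
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    return -1;
}

/* Pattern A: accumulate, then test the sign. If size * 16 + d overflows,
 * behaviour is undefined, so the compiler may assume size never becomes
 * negative and delete the final test. Only safe for in-range input. */
long long parse_size_postcheck(const char *s)
{
    long long size = 0;
    for (; *s; s++) {
        int d = hex_val((unsigned char) *s);
        if (d < 0) return -1;
        size = size * 16 + d;
    }
    if (size < 0) return -1;      /* may be optimized out */
    return size;
}

/* Pattern B: reject before the arithmetic could overflow. */
long long parse_size_precheck(const char *s)
{
    long long size = 0;
    for (; *s; s++) {
        int d = hex_val((unsigned char) *s);
        if (d < 0) return -1;
        if (size > (LLONG_MAX - d) / 16) return -1;
        size = size * 16 + d;
    }
    return size;
}

int main(void)
{
    /* Constructed inputs; the overflowing one goes to pattern B only. */
    printf("%lld\n", parse_size_precheck("ff"));
    printf("%lld\n", parse_size_precheck("8000000000000000"));
    printf("%lld\n", parse_size_postcheck("ff"));
    return 0;
}
```

Pattern B stays well defined at any optimization level because no overflowing operation is ever executed.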