Changes with nginx 1.1.19 12 Apr 2012

*) Security: specially crafted mp4 file might allow to overwrite memory
locations in a worker process if the ngx_http_mp4_module was used,
potentially resulting in arbitrary code execution (CVE-2012-2089).
Thanks to Matthew Daley.

*) Bugfix: nginx/Windows might be terminated abnormally.
Thanks to Vincent Lee.

*) Bugfix: nginx hogged CPU if all servers in an upstream were marked as
"backup".

*) Bugfix: the "allow" and "deny" directives might be inherited
incorrectly if they were used with IPv6 addresses.

*) Bugfix: the "modern_browser" and "ancient_browser" directives might
be inherited incorrectly.

*) Bugfix: timeouts might be handled incorrectly on Solaris/SPARC.

*) Bugfix: in the ngx_http_mp4_module.

CHANGES

@@ -1,4 +1,28 @@
 
+Changes with nginx 1.1.19                                        12 Apr 2012
+
+    *) Security: specially crafted mp4 file might allow to overwrite memory
+       locations in a worker process if the ngx_http_mp4_module was used,
+       potentially resulting in arbitrary code execution (CVE-2012-2089).
+       Thanks to Matthew Daley.
+
+    *) Bugfix: nginx/Windows might be terminated abnormally.
+       Thanks to Vincent Lee.
+
+    *) Bugfix: nginx hogged CPU if all servers in an upstream were marked as
+       "backup".
+
+    *) Bugfix: the "allow" and "deny" directives might be inherited
+       incorrectly if they were used with IPv6 addresses.
+
+    *) Bugfix: the "modern_browser" and "ancient_browser" directives might
+       be inherited incorrectly.
+
+    *) Bugfix: timeouts might be handled incorrectly on Solaris/SPARC.
+
+    *) Bugfix: in the ngx_http_mp4_module.
+
+
 Changes with nginx 1.1.18                                        28 Mar 2012
 
     *) Change: keepalive connections are no longer disabled for Safari by

CHANGES.ru

@@ -1,4 +1,29 @@
 
+Изменения в nginx 1.1.19                                          12.04.2012
+
+    *) Безопасность: при обработке специально созданного mp4 файла модулем
+       ngx_http_mp4_module могли перезаписываться области памяти рабочего
+       процесса, что могло приводить к выполнению произвольного кода
+       (CVE-2012-2089).
+       Спасибо Matthew Daley.
+
+    *) Исправление: nginx/Windows мог завершаться аварийно.
+       Спасибо Vincent Lee.
+
+    *) Исправление: nginx нагружал процессор, если все серверы в upstream'е
+       были помечены флагом backup.
+
+    *) Исправление: директивы allow и deny могли наследоваться некорректно,
+       если в них использовались IPv6 адреса.
+
+    *) Исправление: директивы modern_browser и ancient_browser могли
+       наследоваться некорректно.
+
+    *) Исправление: таймауты могли работать некорректно на Solaris/SPARC.
+
+    *) Исправление: в модуле ngx_http_mp4_module.
+
+
 Изменения в nginx 1.1.18                                          28.03.2012
 
     *) Изменение: теперь keepalive соединения не запрещены для Safari по

src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1001018
-#define NGINX_VERSION      "1.1.18"
+#define nginx_version      1001019
+#define NGINX_VERSION      "1.1.19"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #define NGINX_VAR          "NGINX"

src/core/ngx_conf_file.h

@@ -14,7 +14,7 @@
 
 
 /*
- *        AAAA  number of agruments
+ *        AAAA  number of arguments
  *      FF      command flags
  *    TT        command type, i.e. HTTP "location" or "server" command
  */

src/core/ngx_connection.c

@@ -708,7 +708,7 @@ ngx_close_listening_sockets(ngx_cycle_t *cycle)
                     /*
                      * it seems that Linux-2.6.x OpenVZ sends events
                      * for closed shared listening sockets unless
-                     * the events was explicity deleted
+                     * the events was explicitly deleted
                      */
 
                     ngx_del_event(c->read, NGX_READ_EVENT, 0);

src/core/ngx_file.c

@@ -808,7 +808,7 @@ ngx_copy_file(u_char *from, u_char *to, ngx_copy_file_t *cf)
  *     reallocated if ctx->alloc is nonzero
  *
  * ctx->alloc - a size of data structure that is allocated at every level
- *     and is initilialized by ctx->init_handler()
+ *     and is initialized by ctx->init_handler()
  *
  * ctx->log - a log
  *

src/core/ngx_inet.c

@@ -44,11 +44,7 @@ ngx_inet_addr(u_char *text, size_t len)
         return INADDR_NONE;
     }
 
-    if (n != 3) {
-        return INADDR_NONE;
-    }
-
-    if (octet < 256) {
+    if (n == 3 && octet < 256) {
         addr = (addr << 8) + octet;
         return htonl(addr);
     }
@@ -407,6 +403,10 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr)
 
 #if (NGX_HAVE_INET6)
     case AF_INET6:
+        if (shift > 128) {
+            return NGX_ERROR;
+        }
+
         addr = cidr->u.in6.addr.s6_addr;
         mask = cidr->u.in6.mask.s6_addr;
         rc = NGX_OK;
@@ -416,7 +416,7 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr)
             s = (shift > 8) ? 8 : shift;
             shift -= s;
 
-            mask[i] = (u_char) (0 - (1 << (8 - s)));
+            mask[i] = (u_char) (0xffu << (8 - s));
 
             if (addr[i] != (addr[i] & mask[i])) {
                 rc = NGX_DONE;
@@ -428,9 +428,12 @@ ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr)
 #endif
 
     default: /* AF_INET */
+        if (shift > 32) {
+            return NGX_ERROR;
+        }
 
         if (shift) {
-            cidr->u.in.mask = htonl((ngx_uint_t) (0 - (1 << (32 - shift))));
+            cidr->u.in.mask = htonl((uint32_t) (0xffffffffu << (32 - shift)));
 
         } else {
             /* x86 compilers use a shl instruction that shifts by modulo 32 */
@@ -459,7 +462,7 @@ ngx_parse_addr(ngx_pool_t *pool, ngx_addr_t *addr, u_char *text, size_t len)
     struct sockaddr_in6  *sin6;
 
     /*
-     * prevent MSVC8 waring:
+     * prevent MSVC8 warning:
      *    potentially uninitialized local variable 'inaddr6' used
      */
     ngx_memzero(inaddr6.s6_addr, sizeof(struct in6_addr));

src/core/ngx_murmurhash.h

@@ -16,4 +16,4 @@
 uint32_t ngx_murmur_hash2(u_char *data, size_t len);
 
 
-#endif /* _NGX_CRC_H_INCLUDED_ */
+#endif /* _NGX_MURMURHASH_H_INCLUDED_ */

src/core/ngx_rbtree.c

@@ -136,8 +136,7 @@ ngx_rbtree_insert_timer_value(ngx_rbtree_node_t *temp, ngx_rbtree_node_t *node,
 
         /*  node->key < temp->key */
 
-        p = ((ngx_rbtree_key_int_t) node->key - (ngx_rbtree_key_int_t) temp->key
-              < 0)
+        p = ((ngx_rbtree_key_int_t) (node->key - temp->key) < 0)
             ? &temp->left : &temp->right;
 
         if (*p == sentinel) {

src/core/ngx_times.c

@@ -33,7 +33,7 @@ volatile ngx_str_t       ngx_cached_http_log_iso8601;
 #if !(NGX_WIN32)
 
 /*
- * locatime() and localtime_r() are not Async-Signal-Safe functions, therefore,
+ * localtime() and localtime_r() are not Async-Signal-Safe functions, therefore,
  * they must not be called by a signal handler, so we use the cached
  * GMT offset value. Fortunately the value is changed only two times a year.
  */
@@ -308,7 +308,7 @@ ngx_gmtime(time_t t, ngx_tm_t *tp)
     /*
      * The "days" should be adjusted to 1 only, however, some March 1st's go
      * to previous year, so we adjust them to 2.  This causes also shift of the
-     * last Feburary days to next year, but we catch the case when "yday"
+     * last February days to next year, but we catch the case when "yday"
      * becomes negative.
      */
 

src/event/modules/ngx_epoll_module.c

@@ -445,7 +445,7 @@ ngx_epoll_del_event(ngx_event_t *ev, ngx_int_t event, ngx_uint_t flags)
 
     /*
      * when the file descriptor is closed, the epoll automatically deletes
-     * it from its queue, so we do not need to delete explicity the event
+     * it from its queue, so we do not need to delete explicitly the event
      * before the closing the file descriptor
      */
 
@@ -524,7 +524,7 @@ ngx_epoll_del_connection(ngx_connection_t *c, ngx_uint_t flags)
 
     /*
      * when the file descriptor is closed the epoll automatically deletes
-     * it from its queue so we do not need to delete explicity the event
+     * it from its queue so we do not need to delete explicitly the event
      * before the closing the file descriptor
      */
 

src/event/modules/ngx_eventport_module.c

@@ -322,7 +322,7 @@ ngx_eventport_del_event(ngx_event_t *ev, ngx_int_t event, ngx_uint_t flags)
 
     /*
      * when the file descriptor is closed, the event port automatically
-     * dissociates it from the port, so we do not need to dissociate explicity
+     * dissociates it from the port, so we do not need to dissociate explicitly
      * the event before the closing the file descriptor
      */
 

src/event/modules/ngx_kqueue_module.c

@@ -377,7 +377,7 @@ ngx_kqueue_del_event(ngx_event_t *ev, ngx_int_t event, ngx_uint_t flags)
 
     /*
      * when the file descriptor is closed the kqueue automatically deletes
-     * its filters so we do not need to delete explicity the event
+     * its filters so we do not need to delete explicitly the event
      * before the closing the file descriptor.
      */
 

src/event/ngx_event_openssl.c

@@ -489,7 +489,7 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
 
     /*
      * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
-     * from RFC 4492 section 5.1.1, or explicitely described curves over
+     * from RFC 4492 section 5.1.1, or explicitly described curves over
      * binary fields. OpenSSL only supports the "named curves", which provide
      * maximum interoperability.
      */

src/event/ngx_event_timer.c

@@ -67,7 +67,7 @@ ngx_event_find_timer(void)
 
     ngx_mutex_unlock(ngx_event_timer_mutex);
 
-    timer = (ngx_msec_int_t) node->key - (ngx_msec_int_t) ngx_current_msec;
+    timer = (ngx_msec_int_t) (node->key - ngx_current_msec);
 
     return (ngx_msec_t) (timer > 0 ? timer : 0);
 }
@@ -95,8 +95,7 @@ ngx_event_expire_timers(void)
 
         /* node->key <= ngx_current_time */
 
-        if ((ngx_msec_int_t) node->key - (ngx_msec_int_t) ngx_current_msec <= 0)
-        {
+        if ((ngx_msec_int_t) (node->key - ngx_current_msec) <= 0) {
             ev = (ngx_event_t *) ((char *) node - offsetof(ngx_event_t, timer));
 
 #if (NGX_THREADS)

src/http/modules/ngx_http_access_module.c

@@ -351,14 +351,19 @@ ngx_http_access_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_http_access_loc_conf_t  *prev = parent;
     ngx_http_access_loc_conf_t  *conf = child;
 
-    if (conf->rules == NULL) {
+#if (NGX_HAVE_INET6)
+
+    if (conf->rules == NULL && conf->rules6 == NULL) {
         conf->rules = prev->rules;
+        conf->rules6 = prev->rules6;
     }
 
-#if (NGX_HAVE_INET6)
-    if (conf->rules6 == NULL) {
-        conf->rules6 = prev->rules6;
+#else
+
+    if (conf->rules == NULL) {
+        conf->rules = prev->rules;
     }
+
 #endif
 
     return NGX_CONF_OK;

src/http/modules/ngx_http_browser_module.c

@@ -458,10 +458,11 @@ ngx_http_browser_merge_conf(ngx_conf_t *cf, void *parent, void *child)
      * with a real skip value.  The zero value means Opera.
      */
 
-    if (conf->modern_browsers == NULL) {
+    if (conf->modern_browsers == NULL && conf->modern_unlisted_browsers == 0) {
         conf->modern_browsers = prev->modern_browsers;
+        conf->modern_unlisted_browsers = prev->modern_unlisted_browsers;
 
-    } else {
+    } else if (conf->modern_browsers != NULL) {
         browsers = conf->modern_browsers->elts;
 
         for (i = 0; i < conf->modern_browsers->nelts; i++) {
@@ -501,8 +502,9 @@ ngx_http_browser_merge_conf(ngx_conf_t *cf, void *parent, void *child)
         }
     }
 
-    if (conf->ancient_browsers == NULL) {
+    if (conf->ancient_browsers == NULL && conf->netscape4 == 0) {
         conf->ancient_browsers = prev->ancient_browsers;
+        conf->netscape4 = prev->netscape4;
     }
 
     if (conf->modern_browser_value == NULL) {

src/http/modules/ngx_http_degradation_module.c

@@ -126,7 +126,7 @@ ngx_http_degraded(ngx_http_request_t *r)
              * ELF/i386 is loaded at 0x08000000, 128M
              * ELF/amd64 is loaded at 0x00400000, 4M
              *
-             * use a function address to substract the loading address
+             * use a function address to subtract the loading address
              */
 
             sbrk_size = (size_t) sbrk(0) - ((uintptr_t) ngx_palloc & ~0x3FFFFF);