forked from rpms/nginx
Fix CVE-2026-42945 Buffer overrun in rewrite module via arguments in replacement strings
This commit is contained in:
parent
d3612a5750
commit
0ce4dec3a1
@ -0,0 +1,42 @@
|
|||||||
|
From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Roman Arutyunyan <arut@nginx.com>
|
||||||
|
Date: Wed, 22 Apr 2026 09:39:31 +0400
|
||||||
|
Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
|
||||||
|
|
||||||
|
The following code resulted in incorrect escaping of $1 and possible
|
||||||
|
segfault:
|
||||||
|
|
||||||
|
location / {
|
||||||
|
rewrite ^(.*) /new?c=1;
|
||||||
|
set $myvar $1;
|
||||||
|
return 200 $myvar;
|
||||||
|
}
|
||||||
|
|
||||||
|
If there were arguments in a rewrite's replacement string, the is_args flag
|
||||||
|
was set and incorrectly never cleared. This resulted in escaping applied
|
||||||
|
to any captures evaluated afterwards in set or if. Additionally buffer was
|
||||||
|
allocated by ngx_http_script_complex_value_code() without escaping expected,
|
||||||
|
thus this also resulted in buffer overrun and possible segfault.
|
||||||
|
|
||||||
|
A similar issue was fixed in 74d939974d43.
|
||||||
|
|
||||||
|
Reported by Leo Lin.
|
||||||
|
---
|
||||||
|
src/http/ngx_http_script.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
|
||||||
|
index a2b9f1b7bf..2ea6113735 100644
|
||||||
|
--- a/src/http/ngx_http_script.c
|
||||||
|
+++ b/src/http/ngx_http_script.c
|
||||||
|
@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
|
||||||
|
|
||||||
|
r = e->request;
|
||||||
|
|
||||||
|
+ e->is_args = 0;
|
||||||
|
e->quote = 0;
|
||||||
|
|
||||||
|
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||||
|
--
|
||||||
|
2.53.0
|
||||||
|
|
||||||
@ -67,7 +67,7 @@
|
|||||||
Name: nginx
|
Name: nginx
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
Version: 1.26.3
|
Version: 1.26.3
|
||||||
Release: 2%{?dist}.1
|
Release: 2%{?dist}.1.alma.1
|
||||||
|
|
||||||
Summary: A high performance web server and reverse proxy server
|
Summary: A high performance web server and reverse proxy server
|
||||||
License: BSD-2-Clause
|
License: BSD-2-Clause
|
||||||
@ -144,6 +144,10 @@ Patch11: 0012-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
|
|||||||
# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
|
# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
|
||||||
Patch12: 0013-Mp4-avoid-zero-size-buffers-in-output.patch
|
Patch12: 0013-Mp4-avoid-zero-size-buffers-in-output.patch
|
||||||
|
|
||||||
|
# CVE-2026-42945
|
||||||
|
# upstream patch - https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686
|
||||||
|
Patch13: 0014-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
|
||||||
|
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -666,6 +670,10 @@ fi
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
## START: Generated by rpmautospec
|
## START: Generated by rpmautospec
|
||||||
|
* Thu May 14 2026 Jonathan Wright <jonathan@almalinux.org> - 2:1.26.3-2.1.alma.1
|
||||||
|
- Fix CVE-2026-42945 nginx: NGINX: Buffer overrun in rewrite module via
|
||||||
|
arguments in replacement strings
|
||||||
|
|
||||||
* Wed Apr 01 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:1.26.3-6
|
* Wed Apr 01 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:1.26.3-6
|
||||||
- Resolves: RHEL-157887 - CVE-2026-32647 nginx:1.26/nginx: NGINX: Denial of
|
- Resolves: RHEL-157887 - CVE-2026-32647 nginx:1.26/nginx: NGINX: Denial of
|
||||||
Service or Code Execution via specially crafted MP4 files
|
Service or Code Execution via specially crafted MP4 files
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user