jonathan/nginx
1
0
Fork 0
forked from rpms/nginx
Code Pull Requests Activity

import CS nginx-1.24.0-7.module_el9+1340+77d2f868

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-04-20 03:33:46 -04:00
parent d3764cc0a0
commit 17efb4dfc8
7 changed files with 364 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
SOURCES/0012-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch Normal file
View File

@ -0,0 +1,56 @@
From b7e3c8bcfbee27061efdd40ffb3a8479a9bcd9c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Fri, 21 Mar 2025 04:12:14 +0100
Subject: [PATCH] CVE-2024-7347: Buffer overread in the mp4 module
---
src/http/modules/ngx_http_mp4_module.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 0e93fbd..a6e3e80 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -2789,7 +2789,8 @@ static ngx_int_t
ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
ngx_http_mp4_trak_t *trak, ngx_uint_t start)
{
- uint32_t start_sample, chunk, samples, id, next_chunk, n,
+ uint64_t n;
+ uint32_t start_sample, chunk, samples, id, next_chunk,
prev_samples;
ngx_buf_t *data, *buf;
ngx_uint_t entries, target_chunk, chunk_samples;
@@ -2845,12 +2846,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
next_chunk = ngx_mp4_get_32value(entry->chunk);
+ if (next_chunk < chunk) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "unordered mp4 stsc chunks in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
"sample:%uD, chunk:%uD, chunks:%uD, "
"samples:%uD, id:%uD",
start_sample, chunk, next_chunk - chunk, samples, id);
- n = (next_chunk - chunk) * samples;
+ n = (uint64_t) (next_chunk - chunk) * samples;
if (start_sample < n) {
goto found;
@@ -2872,7 +2880,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
"sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
start_sample, chunk, next_chunk - chunk, samples);
- n = (next_chunk - chunk) * samples;
+ n = (uint64_t) (next_chunk - chunk) * samples;
if (start_sample > n) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
--
2.44.0

45
SOURCES/0013-Upstream-detect-premature-plain-text-response-from-S.patch Normal file
View File

@ -0,0 +1,45 @@
From 93ac6eae019e30fc22d2d5321acb28de549f73aa Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Thu, 29 Jan 2026 13:27:32 +0400
Subject: [PATCH] Upstream: detect premature plain text response from SSL
backend.
When connecting to a backend, the connection write event is triggered
first in most cases. However if a response arrives quickly enough, both
read and write events can be triggered together within the same event loop
iteration. In this case the read event handler is called first and the
write event handler is called after it.
SSL initialization for backend connections happens only in the write event
handler since SSL handshake starts with sending Client Hello. Previously,
if a backend sent a quick plain text response, it could be parsed by the
read event handler prior to starting SSL handshake on the connection.
The change adds protection against parsing such responses on SSL-enabled
connections.
---
src/http/ngx_http_upstream.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 2ce9f21..70c3b46 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -2461,6 +2461,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
return;
}
+#if (NGX_HTTP_SSL)
+ if (u->ssl && c->ssl == NULL) {
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "upstream prematurely sent response");
+ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+ return;
+ }
+#endif
+
u->state->bytes_received += n;
u->buffer.last += n;
--
2.44.0

31
SOURCES/0014-Dav-destination-length-validation-for-COPY-and-MOVE.patch Normal file
View File

@ -0,0 +1,31 @@
diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
index cfb9892..6bf438a 100644
--- a/src/http/modules/ngx_http_dav_module.c
+++ b/src/http/modules/ngx_http_dav_module.c
@@ -548,6 +548,7 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
ngx_ext_rename_file_t ext;
ngx_http_dav_copy_ctx_t copy;
ngx_http_dav_loc_conf_t *dlcf;
+ ngx_http_core_loc_conf_t *clcf;
if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
@@ -644,6 +645,18 @@ destination_done:
return NGX_HTTP_CONFLICT;
}
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+ if (clcf->alias
+ && clcf->alias != NGX_MAX_SIZE_T_VALUE
+ && duri.len < clcf->alias)
+ {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "client sent invalid \"Destination\" header: \"%V\"",
+ &dest->value);
+ return NGX_HTTP_BAD_REQUEST;
+ }
+
depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {

84
SOURCES/0015-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch Normal file
View File

@ -0,0 +1,84 @@
From 3568812cf98dfd7661cd7516ecf9b398c134ab3c Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Mon, 2 Mar 2026 21:12:34 +0400
Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms.
Previously, a 32-bit overflow could happen while validating atom entries
count. This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.
Reported by Prabhav Srinath (sprabhav7).
---
src/http/modules/ngx_http_mp4_module.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 173d8ad54..678d6296c 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -2297,7 +2297,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"mp4 time-to-sample entries:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t)
- + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stts atom too small", mp4->file.name.data);
@@ -2612,7 +2612,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom->last = atom_table;
if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stss atom too small", mp4->file.name.data);
@@ -2817,7 +2817,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom->last = atom_table;
if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t)
- + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 ctts atom too small", mp4->file.name.data);
@@ -2999,7 +2999,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"sample-to-chunk entries:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t)
- + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stsc atom too small", mp4->file.name.data);
@@ -3393,7 +3393,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
if (size == 0) {
if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stsz atom too small",
@@ -3552,7 +3552,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stco atom too small", mp4->file.name.data);
@@ -3768,7 +3768,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t)
- + entries * sizeof(uint64_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint64_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 co64 atom too small", mp4->file.name.data);
--
2.53.0

31
SOURCES/0016-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch Normal file
View File

@ -0,0 +1,31 @@
From 9bc13718fe8a59a4538805516be7e141070c22d6 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Wed, 18 Mar 2026 16:39:37 +0400
Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response. This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.
Reported by Arkadi Vainbrand.
---
src/mail/ngx_mail_auth_http_module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
index 4ca6d6e24..3e5095a2d 100644
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
- s->passwd.data = NULL;
+ ngx_str_null(&s->passwd);
}
b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
--
2.53.0

74
SOURCES/0017-Mp4-avoid-zero-size-buffers-in-output.patch Normal file
View File

@ -0,0 +1,74 @@
From 7725c372c2fe11ff908b1d6138be219ad694c42f Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Sat, 21 Feb 2026 12:04:36 +0400
Subject: [PATCH] Mp4: avoid zero size buffers in output.
Previously, data validation checks did not cover the cases when the output
contained empty buffers. Such buffers are considered illegal and produce
"zero size buf in output" alerts. The change rejects the mp4 files which
produce such alerts.
Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
---
src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 445fab1cd..173d8ad54 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
}
}
- if (end_offset < start_offset) {
- end_offset = start_offset;
+ if (end_offset <= start_offset) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "no data between start time and end time in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
}
mp4->moov_size += 8;
@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
*prev = &mp4->mdat_atom;
- if (start_offset > mp4->mdat_data.buf->file_last) {
+ if (start_offset >= mp4->mdat_data.buf->file_last) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 mdat atom in \"%s\"",
mp4->file.name.data);
@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
if (data) {
entries = trak->sample_sizes_entries;
- if (trak->start_sample > entries) {
+ if (trak->start_sample >= entries) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 stsz samples in \"%s\"",
mp4->file.name.data);
@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 stco chunks in \"%s\"",
mp4->file.name.data);
@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 co64 chunks in \"%s\"",
mp4->file.name.data);
--
2.53.0

44
SPECS/nginx.spec
View File

@ -56,7 +56,7 @@
Name: nginx
Epoch: 1
Version: 1.24.0
Release: 4%{?dist}
Release: 7%{?dist}
Summary: A high performance web server and reverse proxy server
# BSD License (two clause)
@ -120,6 +120,30 @@ Patch8: 0010-defer-ENGINE_finish-calls-to-a-cleanup.patch
# upstream patch - https://issues.redhat.com/browse/RHEL-40075
Patch9: 0011-Optimized-chain-link-usage.patch
# upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2304966
Patch10: 0012-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
# https://issues.redhat.com/browse/RHEL-146516
# upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
Patch11: 0013-Upstream-detect-premature-plain-text-response-from-S.patch
# https://redhat.atlassian.net/browse/RHEL-159564
# upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17
# whitespace were removed from the patch
Patch12: 0014-Dav-destination-length-validation-for-COPY-and-MOVE.patch
# https://redhat.atlassian.net/browse/RHEL-159543
# upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df
Patch13: 0015-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
# https://redhat.atlassian.net/browse/RHEL-159451
# upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45
Patch14: 0016-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
# https://redhat.atlassian.net/browse/RHEL-157892
# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
Patch15: 0017-Mp4-avoid-zero-size-buffers-in-output.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
@ -632,6 +656,24 @@ fi
%changelog
* Tue Apr 14 2026 Petr Dancak <pdancak@redhat.com> - 1:1.24.0-7
- Resolves: RHEL-159564 - CVE-2026-27654 nginx: NGINX: Denial of Service
or file modification via buffer overflow in ngx_http_dav_module
- Resolves: RHEL-159543 - CVE-2026-27784 nginx: NGINX: Denial of Service
due to memory corruption via crafted MP4 file
- Resolves: RHEL-159451 - CVE-2026-27651 nginx: NGINX: Denial of Service
via undisclosed requests when ngx_mail_auth_http_module is enabled
- Resolves: RHEL-157892 - CVE-2026-32647 nginx: NGINX: Denial of Service
or Code Execution via specially crafted MP4 files
* Tue Feb 17 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-6
- Resolves: RHEL-146529 - CVE-2026-1642 nginx: NGINX: Data injection via
man-in-the-middle attack on TLS proxied connections
* Thu Mar 27 2025 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-5
- Resolves: RHEL-84480 - nginx:1.24/nginx: specially crafted MP4 file may cause
denial of service (CVE-2024-7347)
* Tue Jul 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-4
- Resolves: RHEL-49350 - nginx worker processes memory leak