jonathan/nginx
1
0
Fork 0
forked from rpms/nginx
Code Pull Requests Activity

RHEL-159435 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled

Browse Source 
Resolves: RHEL-159435

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
This commit is contained in:
pdancak 2026-04-10 13:56:47 +02:00
parent dcc7f61185
commit c9190f2b06
2 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch Normal file
View File

@ -0,0 +1,31 @@
From 9bc13718fe8a59a4538805516be7e141070c22d6 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Wed, 18 Mar 2026 16:39:37 +0400
Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response. This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.
Reported by Arkadi Vainbrand.
---
src/mail/ngx_mail_auth_http_module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
index 4ca6d6e24..3e5095a2d 100644
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
- s->passwd.data = NULL;
+ ngx_str_null(&s->passwd);
}
b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
--
2.53.0

4
nginx.spec
View File

@ -127,6 +127,10 @@ Patch7: 0008-Dav-destination-length-validation-for-COPY-and-MOVE.patc
# upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df
Patch8: 0009-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
# https://redhat.atlassian.net/browse/RHEL-159435
# upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45
Patch9: 0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2