From c9190f2b0622600f7fe8e8f6193352b61c2a793a Mon Sep 17 00:00:00 2001
From: pdancak
Date: Fri, 10 Apr 2026 13:56:47 +0200
Subject: [PATCH] RHEL-159435 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled

Resolves: RHEL-159435
rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
---
 ...aring-s-passwd-in-auth-http-requests.patch | 31 +++++++++++++++++++
 nginx.spec | 4 +++
 2 files changed, 35 insertions(+)
 create mode 100644 0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch

diff --git a/0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch b/0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
new file mode 100644
index 0000000..1f6476a
--- /dev/null
+++ b/0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
@@ -0,0 +1,31 @@
+From 9bc13718fe8a59a4538805516be7e141070c22d6 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov
+Date: Wed, 18 Mar 2026 16:39:37 +0400
+Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
+
+Previously, it was not properly cleared retaining length as part of
+authenticating with CRAM-MD5 and APOP methods that expect to receive
+password in auth response. This resulted in null pointer dereference
+and worker process crash in subsequent auth attempts with CRAM-MD5.
+
+Reported by Arkadi Vainbrand.
+---
+ src/mail/ngx_mail_auth_http_module.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
+index 4ca6d6e24..3e5095a2d 100644
+--- a/src/mail/ngx_mail_auth_http_module.c
++++ b/src/mail/ngx_mail_auth_http_module.c
+@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
+ b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
+ b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
+
+- s->passwd.data = NULL;
++ ngx_str_null(&s->passwd);
+ }
+
+ b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
+--
+2.53.0
+
diff --git a/nginx.spec b/nginx.spec
index 9685821..7ab7b7f 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -127,6 +127,10 @@ Patch7: 0008-Dav-destination-length-validation-for-COPY-and-MOVE.patc
 # upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df
 Patch8: 0009-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
 
+# https://redhat.atlassian.net/browse/RHEL-159435
+# upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45
+Patch9: 0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
+
 BuildRequires: make
 BuildRequires: gcc
 BuildRequires: gnupg2
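Review bot: The fix at `ngx_str_null(&s->passwd);` repairs the writer but leaves the invariant it depends on unstated: an `ngx_str_t` whose `data` is NULL must also have `len == 0`, because later code evidently trusts `len` alone (the patch description ties the crash to the retained length). A short comment on that line, for example `/* clear len as well: a stale len with NULL data crashed the next CRAM-MD5 attempt */`, would keep a later cleanup from reverting to the `.data = NULL` form. The enclosing ngx_mail_auth_http_create_request() starts and ends outside the hunk, so any other place in the mail module that nulls only `.data` of a session string cannot be checked from here and is worth a grep before the CVE is closed. The diffstat shows no test added; a regression check that runs two CRAM-MD5 attempts in one session and confirms the worker process stays up would pin the fix.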
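Review bot: The spec change only declares `Patch9:`; the diffstat counts four insertions in nginx.spec and all four are in this hunk, so nothing in %prep was touched. If %prep applies patches with individual `%patchN` lines rather than `%autosetup` or `%autopatch`, the CVE fix would ship declared but unapplied, so confirm from the build log that 0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch is actually applied. The same count means no Release bump or %changelog entry naming CVE-2026-27651 is part of this commit, which is fine only if the package generates them automatically (for example with rpmautospec).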