From f86097687102da4b5b019416748220d916995ebb Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Thu, 16 Apr 2026 06:41:31 -0400 Subject: [PATCH] import CS nginx-1.26.3-8.module_el9+1337+df4f836a --- ...Clarify-binding-behavior-of-t-option.patch | 37 ++++++++ ...premature-plain-text-response-from-S.patch | 45 ++++++++++ ...-length-validation-for-COPY-and-MOVE.patch | 31 +++++++ ...le-integer-overflow-on-32-bit-platfo.patch | 84 +++++++++++++++++++ ...aring-s-passwd-in-auth-http-requests.patch | 31 +++++++ ...p4-avoid-zero-size-buffers-in-output.patch | 74 ++++++++++++++++ SOURCES/nginx.tmpfiles | 3 + SPECS/nginx.spec | 59 ++++++++++++- 8 files changed, 363 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0009-Clarify-binding-behavior-of-t-option.patch create mode 100644 SOURCES/0010-Upstream-detect-premature-plain-text-response-from-S.patch create mode 100644 SOURCES/0011-Dav-destination-length-validation-for-COPY-and-MOVE.patch create mode 100644 SOURCES/0012-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch create mode 100644 SOURCES/0013-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch create mode 100644 SOURCES/0014-Mp4-avoid-zero-size-buffers-in-output.patch create mode 100644 SOURCES/nginx.tmpfiles diff --git a/SOURCES/0009-Clarify-binding-behavior-of-t-option.patch b/SOURCES/0009-Clarify-binding-behavior-of-t-option.patch new file mode 100644 index 0000000..dee159f --- /dev/null +++ b/SOURCES/0009-Clarify-binding-behavior-of-t-option.patch @@ -0,0 +1,37 @@ +From dc847f7aedf0b4f8bbf9d7f9ba983541c6ca88c9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Tue, 20 Jan 2026 19:27:05 +0100 +Subject: [PATCH] Clarify binding behavior of -t option. + +Configuration testing includes binding to configured listen addresses +when opening referenced files. +--- + man/nginx.8 | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/man/nginx.8 b/man/nginx.8 +index 10db3e6..64d9ae7 100644 +--- a/man/nginx.8 ++++ b/man/nginx.8 +@@ -25,7 +25,7 @@ + .\" SUCH DAMAGE. + .\" + .\" +-.Dd November 5, 2020 ++.Dd January 21, 2026 + .Dt NGINX 8 + .Os + .Sh NAME +@@ -98,7 +98,8 @@ but additionally dump configuration files to standard output. + Do not run, just test the configuration file. + .Nm + checks the configuration file syntax and then tries to open files +-referenced in the configuration file. ++referenced in the configuration file, including binding to configured ++listen addresses. + .It Fl V + Print the + .Nm +-- +2.44.0 + diff --git a/SOURCES/0010-Upstream-detect-premature-plain-text-response-from-S.patch b/SOURCES/0010-Upstream-detect-premature-plain-text-response-from-S.patch new file mode 100644 index 0000000..ba85cc4 --- /dev/null +++ b/SOURCES/0010-Upstream-detect-premature-plain-text-response-from-S.patch @@ -0,0 +1,45 @@ +From 93ac6eae019e30fc22d2d5321acb28de549f73aa Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Thu, 29 Jan 2026 13:27:32 +0400 +Subject: [PATCH] Upstream: detect premature plain text response from SSL + backend. + +When connecting to a backend, the connection write event is triggered +first in most cases. However if a response arrives quickly enough, both +read and write events can be triggered together within the same event loop +iteration. In this case the read event handler is called first and the +write event handler is called after it. + +SSL initialization for backend connections happens only in the write event +handler since SSL handshake starts with sending Client Hello. Previously, +if a backend sent a quick plain text response, it could be parsed by the +read event handler prior to starting SSL handshake on the connection. +The change adds protection against parsing such responses on SSL-enabled +connections. +--- + src/http/ngx_http_upstream.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index 2ce9f21..70c3b46 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2461,6 +2461,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) + return; + } + ++#if (NGX_HTTP_SSL) ++ if (u->ssl && c->ssl == NULL) { ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, ++ "upstream prematurely sent response"); ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); ++ return; ++ } ++#endif ++ + u->state->bytes_received += n; + + u->buffer.last += n; +-- +2.44.0 + diff --git a/SOURCES/0011-Dav-destination-length-validation-for-COPY-and-MOVE.patch b/SOURCES/0011-Dav-destination-length-validation-for-COPY-and-MOVE.patch new file mode 100644 index 0000000..615a70b --- /dev/null +++ b/SOURCES/0011-Dav-destination-length-validation-for-COPY-and-MOVE.patch @@ -0,0 +1,31 @@ +diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c +index cfb9892..6bf438a 100644 +--- a/src/http/modules/ngx_http_dav_module.c ++++ b/src/http/modules/ngx_http_dav_module.c +@@ -548,6 +548,7 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r) + ngx_ext_rename_file_t ext; + ngx_http_dav_copy_ctx_t copy; + ngx_http_dav_loc_conf_t *dlcf; ++ ngx_http_core_loc_conf_t *clcf; + + if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, +@@ -644,6 +645,18 @@ destination_done: + return NGX_HTTP_CONFLICT; + } + ++ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); ++ ++ if (clcf->alias ++ && clcf->alias != NGX_MAX_SIZE_T_VALUE ++ && duri.len < clcf->alias) ++ { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "client sent invalid \"Destination\" header: \"%V\"", ++ &dest->value); ++ return NGX_HTTP_BAD_REQUEST; ++ } ++ + depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH); + + if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) { diff --git a/SOURCES/0012-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch b/SOURCES/0012-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch new file mode 100644 index 0000000..2dd1718 --- /dev/null +++ b/SOURCES/0012-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch @@ -0,0 +1,84 @@ +From 3568812cf98dfd7661cd7516ecf9b398c134ab3c Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Mon, 2 Mar 2026 21:12:34 +0400 +Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms. + +Previously, a 32-bit overflow could happen while validating atom entries +count. This allowed processing of an invalid atom with entrires beyond +its boundaries with reads and writes outside of the allocated mp4 buffer. + +Reported by Prabhav Srinath (sprabhav7). +--- + src/http/modules/ngx_http_mp4_module.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 173d8ad54..678d6296c 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -2297,7 +2297,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "mp4 time-to-sample entries:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t) +- + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stts atom too small", mp4->file.name.data); +@@ -2612,7 +2612,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom->last = atom_table; + + if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t) +- + entries * sizeof(uint32_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stss atom too small", mp4->file.name.data); +@@ -2817,7 +2817,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom->last = atom_table; + + if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t) +- + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 ctts atom too small", mp4->file.name.data); +@@ -2999,7 +2999,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sample-to-chunk entries:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t) +- + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stsc atom too small", mp4->file.name.data); +@@ -3393,7 +3393,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + if (size == 0) { + if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t) +- + entries * sizeof(uint32_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stsz atom too small", +@@ -3552,7 +3552,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t) +- + entries * sizeof(uint32_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stco atom too small", mp4->file.name.data); +@@ -3768,7 +3768,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t) +- + entries * sizeof(uint64_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint64_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 co64 atom too small", mp4->file.name.data); +-- +2.53.0 + diff --git a/SOURCES/0013-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch b/SOURCES/0013-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch new file mode 100644 index 0000000..1f6476a --- /dev/null +++ b/SOURCES/0013-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch @@ -0,0 +1,31 @@ +From 9bc13718fe8a59a4538805516be7e141070c22d6 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Wed, 18 Mar 2026 16:39:37 +0400 +Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests. + +Previously, it was not properly cleared retaining length as part of +authenticating with CRAM-MD5 and APOP methods that expect to receive +password in auth response. This resulted in null pointer dereference +and worker process crash in subsequent auth attempts with CRAM-MD5. + +Reported by Arkadi Vainbrand. +--- + src/mail/ngx_mail_auth_http_module.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c +index 4ca6d6e24..3e5095a2d 100644 +--- a/src/mail/ngx_mail_auth_http_module.c ++++ b/src/mail/ngx_mail_auth_http_module.c +@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool, + b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1); + b->last = ngx_copy(b->last, s->salt.data, s->salt.len); + +- s->passwd.data = NULL; ++ ngx_str_null(&s->passwd); + } + + b->last = ngx_cpymem(b->last, "Auth-Protocol: ", +-- +2.53.0 + diff --git a/SOURCES/0014-Mp4-avoid-zero-size-buffers-in-output.patch b/SOURCES/0014-Mp4-avoid-zero-size-buffers-in-output.patch new file mode 100644 index 0000000..f4edbf9 --- /dev/null +++ b/SOURCES/0014-Mp4-avoid-zero-size-buffers-in-output.patch @@ -0,0 +1,74 @@ +From 7725c372c2fe11ff908b1d6138be219ad694c42f Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Sat, 21 Feb 2026 12:04:36 +0400 +Subject: [PATCH] Mp4: avoid zero size buffers in output. + +Previously, data validation checks did not cover the cases when the output +contained empty buffers. Such buffers are considered illegal and produce +"zero size buf in output" alerts. The change rejects the mp4 files which +produce such alerts. + +Also, the change fixes possible buffer overread and overwrite that could +happen while processing empty stco and co64 atoms, as reported by +Pavel Kohout (Aisle Research) and Tim Becker. +--- + src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 445fab1cd..173d8ad54 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) + } + } + +- if (end_offset < start_offset) { +- end_offset = start_offset; ++ if (end_offset <= start_offset) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "no data between start time and end time in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; + } + + mp4->moov_size += 8; +@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) + + *prev = &mp4->mdat_atom; + +- if (start_offset > mp4->mdat_data.buf->file_last) { ++ if (start_offset >= mp4->mdat_data.buf->file_last) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 mdat atom in \"%s\"", + mp4->file.name.data); +@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4, + if (data) { + entries = trak->sample_sizes_entries; + +- if (trak->start_sample > entries) { ++ if (trak->start_sample >= entries) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 stsz samples in \"%s\"", + mp4->file.name.data); +@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4, + return NGX_ERROR; + } + +- if (trak->start_chunk > trak->chunks) { ++ if (trak->start_chunk >= trak->chunks) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 stco chunks in \"%s\"", + mp4->file.name.data); +@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4, + return NGX_ERROR; + } + +- if (trak->start_chunk > trak->chunks) { ++ if (trak->start_chunk >= trak->chunks) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 co64 chunks in \"%s\"", + mp4->file.name.data); +-- +2.53.0 + diff --git a/SOURCES/nginx.tmpfiles b/SOURCES/nginx.tmpfiles new file mode 100644 index 0000000..1f84d81 --- /dev/null +++ b/SOURCES/nginx.tmpfiles @@ -0,0 +1,3 @@ +d /var/lib/nginx 770 nginx root - +d /var/lib/nginx/tmp 770 nginx root - +d /var/log/nginx 711 root root - diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index c691d98..b6ae375 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -2,7 +2,7 @@ ## (rpmautospec version 0.6.5) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 1; + release_number = 8; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} @@ -96,6 +96,7 @@ Source16: nginxmods.attr Source17: nginx-ssl-pass-dialog Source18: nginx@.service Source19: nginx.sysusers +Source20: nginx.tmpfiles Source102: nginx-logo.png Source200: README.dynamic Source210: UPGRADE-NOTES-1.6-to-1.10 @@ -128,6 +129,31 @@ Patch6: 0007-Support-loading-cert-hardware-token-PKC.patch # downstream patch - https://issues.redhat.com/browse/RHEL-40621 Patch7: 0008-defer-ENGINE_finish-calls-to-a-cleanup.patch +# https://issues.redhat.com/browse/RHEL-113229 +# upstream patch - https://github.com/nginx/nginx/pull/1089 +Patch8: 0009-Clarify-binding-behavior-of-t-option.patch + +# https://issues.redhat.com/browse/RHEL-146516 +# upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e +Patch9: 0010-Upstream-detect-premature-plain-text-response-from-S.patch + +# https://redhat.atlassian.net/browse/RHEL-159565 +# upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17 +# whitespace was removed from the patch +Patch10: 0011-Dav-destination-length-validation-for-COPY-and-MOVE.patch + +# https://redhat.atlassian.net/browse/RHEL-159544 +# upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df +Patch11: 0012-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch + +# https://redhat.atlassian.net/browse/RHEL-159452 +# upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45 +Patch12: 0013-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch + +# https://redhat.atlassian.net/browse/RHEL-157893 +# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f +Patch13: 0014-Mp4-avoid-zero-size-buffers-in-output.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -506,6 +532,10 @@ install -m755 $RPM_SOURCE_DIR/nginx-ssl-pass-dialog \ # install sysusers file install -p -D -m 0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/nginx.conf +# tmpfiles.d configuration +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 644 -p %{SOURCE20} %{buildroot}%{_tmpfilesdir}/nginx.conf + %pre filesystem %sysusers_create_compat %{SOURCE19} @@ -595,6 +625,7 @@ fi %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp %attr(711,root,root) %dir %{_localstatedir}/log/nginx +%{_tmpfilesdir}/nginx.conf %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/access.log %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/error.log %dir %{nginx_moduledir} @@ -649,6 +680,32 @@ fi %changelog ## START: Generated by rpmautospec +* Tue Apr 14 2026 pdancak - 2:1.26.3-8 +- RHEL-157893 CVE-2026-32647 nginx: NGINX: Denial of Service or Code + Execution via specially crafted MP4 files + +* Tue Apr 14 2026 pdancak - 2:1.26.3-7 +- RHEL-159452 CVE-2026-27651 nginx: NGINX: Denial of Service via + undisclosed requests when ngx_mail_auth_http_module is enabled + +* Tue Apr 14 2026 pdancak - 2:1.26.3-6 +- RHEL-159544 - CVE-2026-27784 nginx: NGINX: Denial of Service due to + memory corruption via crafted MP4 file + +* Tue Apr 14 2026 pdancak - 2:1.26.3-5 +- RHEL-159565 CVE-2026-27654 nginx: NGINX: Denial of Service or file + modification via buffer overflow in ngx_http_dav_module + +* Tue Feb 17 2026 Luboš Uhliarik - 2:1.26.3-4 +- CVE-2026-1642 nginx: NGINX: Data injection via man-in-the-middle attack + on TLS proxied connections + +* Mon Feb 16 2026 Luboš Uhliarik - 2:1.26.3-3 +- Resolves: RHEL-144454 - Clarify binding behavior of -t option + +* Wed Dec 03 2025 Luboš Uhliarik - 2:1.26.3-2 +- Add tmpfiles.d rules for /var directories (bootc compatibility) + * Fri Feb 07 2025 Luboš Uhliarik - 2:1.26.3-1 - New version 1.26.3