From c094af1fd2ef2ebb7179e1104e9ea20817720404 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Mon, 18 May 2026 08:25:21 -0400 Subject: [PATCH] import CS git nginx-1.24.0-3.el8.1 --- ...escaping-and-possible-buffer-overrun.patch | 42 +++++++++++++++++++ SPECS/nginx.spec | 11 ++++- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0012-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch diff --git a/SOURCES/0012-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch b/SOURCES/0012-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch new file mode 100644 index 0000000..3600a87 --- /dev/null +++ b/SOURCES/0012-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch @@ -0,0 +1,42 @@ +From df738cca1e5b2bc0d3e0845648273d752c5cd8ff Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Wed, 22 Apr 2026 09:39:31 +0400 +Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun + +The following code resulted in incorrect escaping of $1 and possible +segfault: + + location / { + rewrite ^(.*) /new?c=1; + set $myvar $1; + return 200 $myvar; + } + +If there were arguments in a rewrite's replacement string, the is_args flag +was set and incorrectly never cleared. This resulted in escaping applied +to any captures evaluated afterwards in set or if. Additionally buffer was +allocated by ngx_http_script_complex_value_code() without escaping expected, +thus this also resulted in buffer overrun and possible segfault. + +A similar issue was fixed in 74d939974d43. + +Reported by Leo Lin. +--- + src/http/ngx_http_script.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c +index a2b9f1b..2ea6113 100644 +--- a/src/http/ngx_http_script.c ++++ b/src/http/ngx_http_script.c +@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e) + + r = e->request; + ++ e->is_args = 0; + e->quote = 0; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, +-- +2.44.0 + diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 51b91c6..e319b9f 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -30,7 +30,7 @@ Name: nginx Epoch: 1 Version: 1.24.0 -Release: 3%{?dist} +Release: 3%{?dist}.1 Summary: A high performance web server and reverse proxy server Group: System Environment/Daemons @@ -98,6 +98,10 @@ Patch10: 0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch # upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f Patch11: 0011-Mp4-avoid-zero-size-buffers-in-output.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-42945 +# upstream patch - https://github.com/nginx/nginx/commit/524977e7 +Patch12: 0012-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch + %if 0%{?with_gperftools} BuildRequires: gperftools-devel %endif @@ -260,6 +264,7 @@ Requires: zlib-devel %patch -P9 -p1 %patch -P10 -p1 %patch -P11 -p1 +%patch -P12 -p1 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} . @@ -572,6 +577,10 @@ fi %{nginx_srcdir}/ %changelog +* Thu May 14 2026 Luboš Uhliarik - 1:1.24.0-3.1 +- Resolves: RHEL-176224 - nginx:1.24/nginx: NGINX: Arbitrary Code Execution + Vulnerability (CVE-2026-42945) + * Fri Mar 27 2026 Zdenek Dohnal - 1:1.24.0-3 - Resolves: RHEL-157877 CVE-2026-32647 nginx:1.24/nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files