From 5302c7a43ec70e4d4d7a3c619ee4210e23309f6a Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot <eabdullin@almalinux.org>
Date: Tue, 19 May 2026 20:49:26 -0400
Subject: [PATCH] import UBI nginx-1.24.0-7.module+el9.8.0+24289+833e4c02.1

---
 ...escaping-and-possible-buffer-overrun.patch | 42 +++++++++++++++++++
 SPECS/nginx.spec                              | 26 ++++++++----
 2 files changed, 59 insertions(+), 9 deletions(-)
 create mode 100644 SOURCES/0018-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch

diff --git a/SOURCES/0018-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch b/SOURCES/0018-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
new file mode 100644
index 0000000..d992599
--- /dev/null
+++ b/SOURCES/0018-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
@@ -0,0 +1,42 @@
+From d4ab10c9ccbae391a5152220d1b019656477b58f Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Wed, 22 Apr 2026 09:39:31 +0400
+Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
+
+The following code resulted in incorrect escaping of $1 and possible
+segfault:
+
+    location / {
+        rewrite ^(.*) /new?c=1;
+        set $myvar $1;
+        return 200 $myvar;
+    }
+
+If there were arguments in a rewrite's replacement string, the is_args flag
+was set and incorrectly never cleared.  This resulted in escaping applied
+to any captures evaluated afterwards in set or if.  Additionally buffer was
+allocated by ngx_http_script_complex_value_code() without escaping expected,
+thus this also resulted in buffer overrun and possible segfault.
+
+A similar issue was fixed in 74d939974d43.
+
+Reported by Leo Lin.
+---
+ src/http/ngx_http_script.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
+index a2b9f1b..2ea6113 100644
+--- a/src/http/ngx_http_script.c
++++ b/src/http/ngx_http_script.c
+@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
+ 
+     r = e->request;
+ 
++    e->is_args = 0;
+     e->quote = 0;
+ 
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+-- 
+2.44.0
+
diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec
index 31ead6c..f094deb 100644
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@@ -56,7 +56,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.24.0
-Release:           5%{?dist}.2
+Release:           7%{?dist}.1
 
 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@@ -144,6 +144,10 @@ Patch14:           0016-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
 # upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
 Patch15:           0017-Mp4-avoid-zero-size-buffers-in-output.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-42945
+# upstream patch - https://github.com/nginx/nginx/commit/524977e7
+Patch16:           0018-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
+
 
 BuildRequires:     make
 BuildRequires:     gcc
@@ -657,19 +661,23 @@ fi
 
 
 %changelog
-* Fri Mar 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 1:1.24.0-5.2
-- Resolves: RHEL-157886 CVE-2026-32647 nginx:1.24/nginx: NGINX: Denial of
+* Thu May 14 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-7.1
+- Resolves: RHEL-176234 - nginx:1.24/nginx: NGINX: Arbitrary Code Execution
+  Vulnerability (CVE-2026-42945)
+
+* Fri Mar 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 1:1.24.0-7
+- Resolves: RHEL-157889 CVE-2026-32647 nginx:1.24/nginx: NGINX: Denial of
   Service or Code Execution via specially crafted MP4 files
-- Resolves: RHEL-159445 CVE-2026-27651 nginx:1.24/nginx: NGINX: Denial of
+- Resolves: RHEL-159448 CVE-2026-27651 nginx:1.24/nginx: NGINX: Denial of
   Service via undisclosed requests when ngx_mail_auth_http_module is enabled
-- Resolves: RHEL-159558 CVE-2026-27654 nginx:1.24/nginx: NGINX: Denial of
+- Resolves: RHEL-159561 CVE-2026-27654 nginx:1.24/nginx: NGINX: Denial of
   Service or file modification via buffer overflow in ngx_http_dav_module
-- Resolves: RHEL-159537 CVE-2026-27784 nginx:1.24/nginx: NGINX: Denial of
+- Resolves: RHEL-159540 CVE-2026-27784 nginx:1.24/nginx: NGINX: Denial of
   Service due to memory corruption via crafted MP4 file
 
-* Thu Feb 19 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-5.1
-- Resolves: RHEL-146526 - nginx:1.24/nginx: NGINX: Data injection via
-  man-in-the-middle attack on TLS proxied connections (CVE-2026-1642)
+* Tue Feb 17 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-6
+- Resolves: RHEL-146529 -  CVE-2026-1642 nginx: NGINX: Data injection via
+  man-in-the-middle attack on TLS proxied connections
 
 * Thu Mar 27 2025 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-5
 - Resolves: RHEL-84480 - nginx:1.24/nginx: specially crafted MP4 file may cause