From 48712730b3ee90cd82063ac549ebf58092b42daf Mon Sep 17 00:00:00 2001
From: pdancak <pdancak@redhat.com>
Date: Fri, 10 Apr 2026 13:21:39 +0200
Subject: [PATCH] RHEL-159548 - CVE-2026-27654 nginx: NGINX: Denial of Service
 or file modification via buffer overflow in ngx_http_dav_module

Resolves: RHEL-159548

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
---
 ...-length-validation-for-COPY-and-MOVE.patch | 31 +++++++++++++++++++
 nginx.spec                                    |  5 +++
 2 files changed, 36 insertions(+)
 create mode 100644 0008-Dav-destination-length-validation-for-COPY-and-MOVE.patch

diff --git a/0008-Dav-destination-length-validation-for-COPY-and-MOVE.patch b/0008-Dav-destination-length-validation-for-COPY-and-MOVE.patch
new file mode 100644
index 0000000..615a70b
--- /dev/null
+++ b/0008-Dav-destination-length-validation-for-COPY-and-MOVE.patch
@@ -0,0 +1,31 @@
+diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
+index cfb9892..6bf438a 100644
+--- a/src/http/modules/ngx_http_dav_module.c
++++ b/src/http/modules/ngx_http_dav_module.c
+@@ -548,6 +548,7 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
+     ngx_ext_rename_file_t     ext;
+     ngx_http_dav_copy_ctx_t   copy;
+     ngx_http_dav_loc_conf_t  *dlcf;
++    ngx_http_core_loc_conf_t  *clcf;
+ 
+     if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
+         ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+@@ -644,6 +645,18 @@ destination_done:
+         return NGX_HTTP_CONFLICT;
+     }
+ 
++    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
++
++    if (clcf->alias
++        && clcf->alias != NGX_MAX_SIZE_T_VALUE
++        && duri.len < clcf->alias)
++    {
++        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                      "client sent invalid \"Destination\" header: \"%V\"",
++                      &dest->value);
++        return NGX_HTTP_BAD_REQUEST;
++    }
++
+     depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
+ 
+     if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {
diff --git a/nginx.spec b/nginx.spec
index 675c955..b139a93 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -118,6 +118,11 @@ Patch5:            0006-Clarify-binding-behavior-of-t-option.patch
 # upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
 Patch6:            0007-Upstream-detect-premature-plain-text-response-from-S.patch
 
+# https://redhat.atlassian.net/browse/RHEL-159548
+# upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17
+# whitespace were removed from the patch
+Patch7:            0008-Dav-destination-length-validation-for-COPY-and-MOVE.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2