From 02283bf3542c228b677d7455a46a1b0c16767a09 Mon Sep 17 00:00:00 2001
From: Jonathan Wright <jonathan@almalinux.org>
Date: Thu, 14 May 2026 09:49:26 -0500
Subject: [PATCH] Fix CVE-2026-42945 Buffer overrun in rewrite module via
 arguments in replacement strings

---
 SOURCES/nginx-1.20.1-CVE-2026-42945.patch | 42 +++++++++++++++++++++++
 SPECS/nginx.spec                          | 11 +++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/nginx-1.20.1-CVE-2026-42945.patch

diff --git a/SOURCES/nginx-1.20.1-CVE-2026-42945.patch b/SOURCES/nginx-1.20.1-CVE-2026-42945.patch
new file mode 100644
index 0000000..aaab5fe
--- /dev/null
+++ b/SOURCES/nginx-1.20.1-CVE-2026-42945.patch
@@ -0,0 +1,42 @@
+From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Wed, 22 Apr 2026 09:39:31 +0400
+Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
+
+The following code resulted in incorrect escaping of $1 and possible
+segfault:
+
+    location / {
+        rewrite ^(.*) /new?c=1;
+        set $myvar $1;
+        return 200 $myvar;
+    }
+
+If there were arguments in a rewrite's replacement string, the is_args flag
+was set and incorrectly never cleared.  This resulted in escaping applied
+to any captures evaluated afterwards in set or if.  Additionally buffer was
+allocated by ngx_http_script_complex_value_code() without escaping expected,
+thus this also resulted in buffer overrun and possible segfault.
+
+A similar issue was fixed in 74d939974d43.
+
+Reported by Leo Lin.
+---
+ src/http/ngx_http_script.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
+index a2b9f1b7bf..2ea6113735 100644
+--- a/src/http/ngx_http_script.c
++++ b/src/http/ngx_http_script.c
+@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
+
+     r = e->request;
+
++    e->is_args = 0;
+     e->quote = 0;
+
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+--
+2.53.0
+
diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec
index 5a446ef..4a5da17 100644
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@@ -30,7 +30,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.20.1
-Release:           1%{?dist}.1.alma.1
+Release:           1%{?dist}.1.alma.2
 
 Summary:           A high performance web server and reverse proxy server
 Group:             System Environment/Daemons
@@ -77,6 +77,10 @@ Patch5:            nginx-1.18.0-pkcs11-cert.patch
 # https://issues.redhat.com/browse/RHEL-12730
 Patch6:            nginx-1.20-CVE-2023-44487.patch
 
+# CVE-2026-42945
+# upstream patch - https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686
+Patch7:            nginx-1.20.1-CVE-2026-42945.patch
+
 %if 0%{?with_gperftools}
 BuildRequires:     gperftools-devel
 %endif
@@ -234,6 +238,7 @@ Requires:          zlib-devel
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
 
@@ -543,6 +548,10 @@ fi
 %{nginx_srcdir}/
 
 %changelog
+* Thu May 14 2026 Jonathan Wright <jonathan@almalinux.org> - 1:1.20.1-1.1.alma.2
+- Fix CVE-2026-42945 nginx: NGINX: Buffer overrun in rewrite module via
+  arguments in replacement strings
+
 * Tue Oct 17 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.20.1-1.1.alma.1
 - Debrand For AlmaLinux