Resolves: RHEL-176221 - nginx: NGINX: Arbitrary Code Execution

Vulnerability (CVE-2026-42945)
2026-05-21 11:46:01 +02:00 · 2026-05-21 11:46:01 +02:00 · 73046468c4
commit 73046468c4
parent 7b54278843
2 changed files with 51 additions and 1 deletions
--- a/0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
+++ b/0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
@ -0,0 +1,42 @@
+From 3a743478999c0e2a021855f1685caedfa8b7ace6 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Wed, 22 Apr 2026 09:39:31 +0400
+Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
+
+The following code resulted in incorrect escaping of $1 and possible
+segfault:
+
+    location / {
+        rewrite ^(.*) /new?c=1;
+        set $myvar $1;
+        return 200 $myvar;
+    }
+
+If there were arguments in a rewrite's replacement string, the is_args flag
+was set and incorrectly never cleared.  This resulted in escaping applied
+to any captures evaluated afterwards in set or if.  Additionally buffer was
+allocated by ngx_http_script_complex_value_code() without escaping expected,
+thus this also resulted in buffer overrun and possible segfault.
+
+A similar issue was fixed in 74d939974d43.
+
+Reported by Leo Lin.
+---
+ src/http/ngx_http_script.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
+index 13c57d6..302f842 100644
+--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
+@@ -1164,6 +1164,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
+ 
+     r = e->request;
+ 
+    e->is_args = 0;
+     e->quote = 0;
+ 
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+-- 
+2.44.0
+
--- a/nginx.spec
+++ b/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           29%{?dist}
+Release:           30%{?dist}

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -140,6 +140,10 @@ Patch18:           0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
 # upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
 Patch19:           0019-Mp4-avoid-zero-size-buffers-in-output.patch

+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-42945
+# upstream patch - https://github.com/nginx/nginx/commit/524977e7
+Patch20:           0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -656,6 +660,10 @@ fi


 %changelog
+* Thu May 21 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-30
+- Resolves: RHEL-176221 - nginx: NGINX: Arbitrary Code Execution
+  Vulnerability (CVE-2026-42945)
+
 * Tue Apr 14 2026 Petr Dancak <pdancak@redhat.com> - 2:1.20.1-29
 - Resolves: RHEL-159563 - CVE-2026-27654 nginx: NGINX: Denial of Service
  or file modification via buffer overflow in ngx_http_dav_module