From ac2e3f2a17a13895bc7ac7b4c20954371016f248 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Fri, 28 Mar 2025 10:46:54 +0000 Subject: [PATCH] import UBI nginx-1.24.0-4.module+el9.5.0+22954+e2d70a1c.1 --- ...47-Buffer-overread-in-the-mp4-module.patch | 56 +++++++++++++++++++ SPECS/nginx.spec | 9 ++- 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0012-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch diff --git a/SOURCES/0012-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch b/SOURCES/0012-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch new file mode 100644 index 0000000..13cfa31 --- /dev/null +++ b/SOURCES/0012-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch @@ -0,0 +1,56 @@ +From b7e3c8bcfbee27061efdd40ffb3a8479a9bcd9c8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Fri, 21 Mar 2025 04:12:14 +0100 +Subject: [PATCH] CVE-2024-7347: Buffer overread in the mp4 module + +--- + src/http/modules/ngx_http_mp4_module.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 0e93fbd..a6e3e80 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -2789,7 +2789,8 @@ static ngx_int_t + ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + ngx_http_mp4_trak_t *trak, ngx_uint_t start) + { +- uint32_t start_sample, chunk, samples, id, next_chunk, n, ++ uint64_t n; ++ uint32_t start_sample, chunk, samples, id, next_chunk, + prev_samples; + ngx_buf_t *data, *buf; + ngx_uint_t entries, target_chunk, chunk_samples; +@@ -2845,12 +2846,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + + next_chunk = ngx_mp4_get_32value(entry->chunk); + ++ if (next_chunk < chunk) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "unordered mp4 stsc chunks in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, + "sample:%uD, chunk:%uD, chunks:%uD, " + "samples:%uD, id:%uD", + start_sample, chunk, next_chunk - chunk, samples, id); + +- n = (next_chunk - chunk) * samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample < n) { + goto found; +@@ -2872,7 +2880,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD", + start_sample, chunk, next_chunk - chunk, samples); + +- n = (next_chunk - chunk) * samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample > n) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, +-- +2.44.0 + diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 7b8dd2a..26e5dd9 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -56,7 +56,7 @@ Name: nginx Epoch: 1 Version: 1.24.0 -Release: 4%{?dist} +Release: 4%{?dist}.1 Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -120,6 +120,9 @@ Patch8: 0010-defer-ENGINE_finish-calls-to-a-cleanup.patch # upstream patch - https://issues.redhat.com/browse/RHEL-40075 Patch9: 0011-Optimized-chain-link-usage.patch +# upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2304966 +Patch10: 0012-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -632,6 +635,10 @@ fi %changelog +* Mon Mar 24 2025 Luboš Uhliarik - 1:1.24.0-4.1 +- Resolves: RHEL-84478 - nginx:1.24/nginx: specially crafted MP4 file may cause + denial of service (CVE-2024-7347) + * Tue Jul 16 2024 Luboš Uhliarik - 1:1.24.0-4 - Resolves: RHEL-49350 - nginx worker processes memory leak