rpms/nginx
7
0
Fork 2
Code Issues Pull Requests Releases Activity

Debrand for AlmaLinux

Browse Source
This commit is contained in:
Eduard Abdullin 2026-04-10 07:25:49 +00:00 committed by root
commit b0c2ccf12f
5 changed files with 245 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
SOURCES/0015-Dav-destination-length-validation-for-COPY-and-MOVE.patch Normal file
View File

@ -0,0 +1,31 @@
diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
index cfb9892..6bf438a 100644
--- a/src/http/modules/ngx_http_dav_module.c
+++ b/src/http/modules/ngx_http_dav_module.c
@@ -548,6 +548,7 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
ngx_ext_rename_file_t ext;
ngx_http_dav_copy_ctx_t copy;
ngx_http_dav_loc_conf_t *dlcf;
+ ngx_http_core_loc_conf_t *clcf;
if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
@@ -644,6 +645,18 @@ destination_done:
return NGX_HTTP_CONFLICT;
}
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+ if (clcf->alias
+ && clcf->alias != NGX_MAX_SIZE_T_VALUE
+ && duri.len < clcf->alias)
+ {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "client sent invalid \"Destination\" header: \"%V\"",
+ &dest->value);
+ return NGX_HTTP_BAD_REQUEST;
+ }
+
depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {

84
SOURCES/0016-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch Normal file
View File

@ -0,0 +1,84 @@
From 3568812cf98dfd7661cd7516ecf9b398c134ab3c Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Mon, 2 Mar 2026 21:12:34 +0400
Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms.
Previously, a 32-bit overflow could happen while validating atom entries
count. This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.
Reported by Prabhav Srinath (sprabhav7).
---
src/http/modules/ngx_http_mp4_module.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 173d8ad54..678d6296c 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -2297,7 +2297,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"mp4 time-to-sample entries:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t)
- + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stts atom too small", mp4->file.name.data);
@@ -2612,7 +2612,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom->last = atom_table;
if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stss atom too small", mp4->file.name.data);
@@ -2817,7 +2817,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom->last = atom_table;
if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t)
- + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 ctts atom too small", mp4->file.name.data);
@@ -2999,7 +2999,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"sample-to-chunk entries:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t)
- + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stsc atom too small", mp4->file.name.data);
@@ -3393,7 +3393,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
if (size == 0) {
if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stsz atom too small",
@@ -3552,7 +3552,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stco atom too small", mp4->file.name.data);
@@ -3768,7 +3768,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t)
- + entries * sizeof(uint64_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint64_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 co64 atom too small", mp4->file.name.data);
--
2.53.0

31
SOURCES/0017-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch Normal file
View File

@ -0,0 +1,31 @@
From 9bc13718fe8a59a4538805516be7e141070c22d6 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Wed, 18 Mar 2026 16:39:37 +0400
Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests.
Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response. This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.
Reported by Arkadi Vainbrand.
---
src/mail/ngx_mail_auth_http_module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
index 4ca6d6e24..3e5095a2d 100644
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
- s->passwd.data = NULL;
+ ngx_str_null(&s->passwd);
}
b->last = ngx_cpymem(b->last, "Auth-Protocol: ",
--
2.53.0

74
SOURCES/0018-Mp4-avoid-zero-size-buffers-in-output.patch Normal file
View File

@ -0,0 +1,74 @@
From 7725c372c2fe11ff908b1d6138be219ad694c42f Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Sat, 21 Feb 2026 12:04:36 +0400
Subject: [PATCH] Mp4: avoid zero size buffers in output.
Previously, data validation checks did not cover the cases when the output
contained empty buffers. Such buffers are considered illegal and produce
"zero size buf in output" alerts. The change rejects the mp4 files which
produce such alerts.
Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
---
src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 445fab1cd..173d8ad54 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
}
}
- if (end_offset < start_offset) {
- end_offset = start_offset;
+ if (end_offset <= start_offset) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "no data between start time and end time in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
}
mp4->moov_size += 8;
@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
*prev = &mp4->mdat_atom;
- if (start_offset > mp4->mdat_data.buf->file_last) {
+ if (start_offset >= mp4->mdat_data.buf->file_last) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 mdat atom in \"%s\"",
mp4->file.name.data);
@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
if (data) {
entries = trak->sample_sizes_entries;
- if (trak->start_sample > entries) {
+ if (trak->start_sample >= entries) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 stsz samples in \"%s\"",
mp4->file.name.data);
@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 stco chunks in \"%s\"",
mp4->file.name.data);
@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 co64 chunks in \"%s\"",
mp4->file.name.data);
--
2.53.0

27
SPECS/nginx.spec
View File

@ -41,7 +41,7 @@
Name: nginx
Epoch: 2
Version: 1.20.1
Release: 24%{?dist}.1.alma.1
Release: 24%{?dist}.2.alma.1
Summary: A high performance web server and reverse proxy server
# BSD License (two clause)
@ -118,6 +118,23 @@ Patch13: 0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
# upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
Patch14: 0014-Upstream-detect-premature-plain-text-response-from-S.patch
# https://redhat.atlassian.net/browse/RHEL-159557
# upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17
# whitespace were removed from the patch
Patch15: 0015-Dav-destination-length-validation-for-COPY-and-MOVE.patch
# https://redhat.atlassian.net/browse/RHEL-159536
# upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df
Patch16: 0016-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
# https://redhat.atlassian.net/browse/RHEL-159444
# upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45
Patch17: 0017-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
# https://redhat.atlassian.net/browse/RHEL-157885
# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
Patch18: 0018-Mp4-avoid-zero-size-buffers-in-output.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
@ -627,9 +644,15 @@ fi
%changelog
* Thu Mar 26 2026 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-24.1.alma.1
* Fri Apr 10 2026 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-24.2.alma.1
- Debrand for AlmaLinux
* Tue Mar 31 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:1.20.1-24.2
- Resolves: RHEL-159557 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module
- Resolves: RHEL-159536 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file
- Resolves: RHEL-159444 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled
- Resolves: RHEL-157885 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files
* Thu Feb 19 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-24.1
- Resolves: RHEL-146525 - nginx: NGINX: Data injection via man-in-the-middle
attack on TLS proxied connections (CVE-2026-1642)