import CS git nginx-1.24.0-3.el8.1
This commit is contained in:
AlmaLinux RelEng Bot
parent
3a50ed134f
commit
c094af1fd2
@ -0,0 +1,42 @@
|
||||
From df738cca1e5b2bc0d3e0845648273d752c5cd8ff Mon Sep 17 00:00:00 2001
|
||||
From: Roman Arutyunyan <arut@nginx.com>
|
||||
Date: Wed, 22 Apr 2026 09:39:31 +0400
|
||||
Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
|
||||
|
||||
The following code resulted in incorrect escaping of $1 and possible
|
||||
segfault:
|
||||
|
||||
location / {
|
||||
rewrite ^(.*) /new?c=1;
|
||||
set $myvar $1;
|
||||
return 200 $myvar;
|
||||
}
|
||||
|
||||
If there were arguments in a rewrite's replacement string, the is_args flag
|
||||
was set and incorrectly never cleared. This resulted in escaping applied
|
||||
to any captures evaluated afterwards in set or if. Additionally buffer was
|
||||
allocated by ngx_http_script_complex_value_code() without escaping expected,
|
||||
thus this also resulted in buffer overrun and possible segfault.
|
||||
|
||||
A similar issue was fixed in 74d939974d43.
|
||||
|
||||
Reported by Leo Lin.
|
||||
---
|
||||
src/http/ngx_http_script.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
|
||||
index a2b9f1b..2ea6113 100644
|
||||
--- a/src/http/ngx_http_script.c
|
||||
+++ b/src/http/ngx_http_script.c
|
||||
@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
|
||||
|
||||
r = e->request;
|
||||
|
||||
+ e->is_args = 0;
|
||||
e->quote = 0;
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
--
|
||||
2.44.0
|
||||
|
||||
@ -30,7 +30,7 @@
|
||||
Name: nginx
|
||||
Epoch: 1
|
||||
Version: 1.24.0
|
||||
Release: 3%{?dist}
|
||||
Release: 3%{?dist}.1
|
||||
|
||||
Summary: A high performance web server and reverse proxy server
|
||||
Group: System Environment/Daemons
|
||||
@ -98,6 +98,10 @@ Patch10: 0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
|
||||
# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
|
||||
Patch11: 0011-Mp4-avoid-zero-size-buffers-in-output.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-42945
|
||||
# upstream patch - https://github.com/nginx/nginx/commit/524977e7
|
||||
Patch12: 0012-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
|
||||
|
||||
%if 0%{?with_gperftools}
|
||||
BuildRequires: gperftools-devel
|
||||
%endif
|
||||
@ -260,6 +264,7 @@ Requires: zlib-devel
|
||||
%patch -P9 -p1
|
||||
%patch -P10 -p1
|
||||
%patch -P11 -p1
|
||||
%patch -P12 -p1
|
||||
|
||||
cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
|
||||
|
||||
@ -572,6 +577,10 @@ fi
|
||||
%{nginx_srcdir}/
|
||||
|
||||
%changelog
|
||||
* Thu May 14 2026 Luboš Uhliarik <luhliari@redhat.com> - 1:1.24.0-3.1
|
||||
- Resolves: RHEL-176224 - nginx:1.24/nginx: NGINX: Arbitrary Code Execution
|
||||
Vulnerability (CVE-2026-42945)
|
||||
|
||||
* Fri Mar 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 1:1.24.0-3
|
||||
- Resolves: RHEL-157877 CVE-2026-32647 nginx:1.24/nginx: NGINX: Denial of
|
||||
Service or Code Execution via specially crafted MP4 files
|
||||
|
||||
Loading…
Reference in New Issue
Block a user