From dc9dfb7a271948fee171545c438257a29afb6f73 Mon Sep 17 00:00:00 2001
From: Felix Kaechele <heffer@fedoraproject.org>
Date: Thu, 24 Jun 2021 21:31:53 -0400
Subject: [PATCH] fix for CVE-2021-3618 (rhbz#1975651)
Signed-off-by: Felix Kaechele <heffer@fedoraproject.org>
---
ec1071830799 | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++
nginx.spec | 8 ++++-
2 files changed, 98 insertions(+), 1 deletion(-)
create mode 100644 ec1071830799
diff --git a/ec1071830799 b/ec1071830799
new file mode 100644
index 0000000..3f46b6d
--- /dev/null
+++ b/ec1071830799
@@ -0,0 +1,91 @@
+
+# HG changeset patch
+# User Maxim Dounin <mdounin@mdounin.ru>
+# Date 1621383211 -10800
+# Node ID ec107183079903013faee7e67e8721262fd95552
+# Parent b38728495e1aa06b685dc42c909fb02d3cddecfa
+Mail: max_errors directive.
+
+Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+in Exim, specifies the number of errors after which the connection is closed.
+
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail.h
+--- a/src/mail/ngx_mail.h Wed May 19 03:13:28 2021 +0300
++++ b/src/mail/ngx_mail.h Wed May 19 03:13:31 2021 +0300
+@@ -115,6 +115,8 @@
+ ngx_msec_t timeout;
+ ngx_msec_t resolver_timeout;
+
++ ngx_uint_t max_errors;
++
+ ngx_str_t server_name;
+
+ u_char *file_name;
+@@ -231,6 +233,7 @@
+ ngx_uint_t command;
+ ngx_array_t args;
+
++ ngx_uint_t errors;
+ ngx_uint_t login_attempt;
+
+ /* used to parse POP3/IMAP/SMTP command */
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail_core_module.c
+--- a/src/mail/ngx_mail_core_module.c Wed May 19 03:13:28 2021 +0300
++++ b/src/mail/ngx_mail_core_module.c Wed May 19 03:13:31 2021 +0300
+@@ -85,6 +85,13 @@
+ offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+ NULL },
+
++ { ngx_string("max_errors"),
++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++ ngx_conf_set_num_slot,
++ NGX_MAIL_SRV_CONF_OFFSET,
++ offsetof(ngx_mail_core_srv_conf_t, max_errors),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -163,6 +170,8 @@
+ cscf->timeout = NGX_CONF_UNSET_MSEC;
+ cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
++ cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+ cscf->resolver = NGX_CONF_UNSET_PTR;
+
+ cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@
+ ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+ 30000);
+
++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+
+ ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail_handler.c
+--- a/src/mail/ngx_mail_handler.c Wed May 19 03:13:28 2021 +0300
++++ b/src/mail/ngx_mail_handler.c Wed May 19 03:13:31 2021 +0300
+@@ -874,7 +874,20 @@
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
+- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++ s->errors++;
++
++ if (s->errors >= cscf->max_errors) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client sent too many invalid commands");
++ s->quit = 1;
++ }
++
++ return rc;
++ }
++
++ if (rc == NGX_IMAP_NEXT) {
+ return rc;
+ }
+
+
diff --git a/nginx.spec b/nginx.spec
index 03ce7b9..f6e90eb 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -29,7 +29,7 @@
Name: nginx
Epoch: 1
Version: 1.20.1
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: A high performance web server and reverse proxy server
# BSD License (two clause)
@@ -62,6 +62,9 @@ Patch0: 0001-remove-Werror-in-upstream-build-scripts.patch
# rejected upstream: https://trac.nginx.org/nginx/ticket/1897
Patch1: 0002-fix-PIDFile-handling.patch
+# Fix for CVE-2021-3618: ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication
+Patch2: http://hg.nginx.org/nginx/raw-rev/ec1071830799
+
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
@@ -503,6 +506,9 @@ fi
%changelog
+* Fri Jun 25 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.1-3
+- fix for CVE-2021-3618 (rhbz#1975651)
+
* Tue Jun 01 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.1-2
- use different fix for rhbz#1683388 as it introduced permissions issues in 1:1.20.0-2