Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol

Confusion Analyzing and Mitigating Cracks in TLS Authentication
This commit is contained in:
Luboš Uhliarik 2022-02-02 20:47:07 +01:00
parent 64bb1908b9
commit eadc7868df
2 changed files with 104 additions and 1 deletions

View File

@ -0,0 +1,96 @@
From ee8ea4f1c88a0393206769cd30a545dc3375f868 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Wed, 2 Feb 2022 20:14:55 +0100
Subject: [PATCH] Fix ALPACA security issue
---
src/mail/ngx_mail.h | 3 +++
src/mail/ngx_mail_core_module.c | 10 ++++++++++
src/mail/ngx_mail_handler.c | 15 ++++++++++++++-
3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
index b865a3b..76cae37 100644
--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
@@ -115,6 +115,8 @@ typedef struct {
ngx_msec_t timeout;
ngx_msec_t resolver_timeout;
+ ngx_uint_t max_errors;
+
ngx_str_t server_name;
u_char *file_name;
@@ -231,6 +233,7 @@ typedef struct {
ngx_uint_t command;
ngx_array_t args;
+ ngx_uint_t errors;
ngx_uint_t login_attempt;
/* used to parse POP3/IMAP/SMTP command */
diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
index 4083124..115671c 100644
--- a/src/mail/ngx_mail_core_module.c
+++ b/src/mail/ngx_mail_core_module.c
@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = {
offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
NULL },
+ { ngx_string("max_errors"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_core_srv_conf_t, max_errors),
+ NULL },
+
ngx_null_command
};
@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf)
cscf->timeout = NGX_CONF_UNSET_MSEC;
cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ cscf->max_errors = NGX_CONF_UNSET_UINT;
+
cscf->resolver = NGX_CONF_UNSET_PTR;
cscf->file_name = cf->conf_file->file.name.data;
@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
30000);
+ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
index 0aaa0e7..71b8151 100644
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -871,7 +871,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c)
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+
+ s->errors++;
+
+ if (s->errors >= cscf->max_errors) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent too many invalid commands");
+ s->quit = 1;
+ }
+
+ return rc;
+ }
+
+ if (rc == NGX_IMAP_NEXT) {
return rc;
}
--
2.31.1

View File

@ -41,7 +41,7 @@
Name: nginx
Epoch: 1
Version: 1.20.1
Release: 9%{?dist}
Release: 10%{?dist}
Summary: A high performance web server and reverse proxy server
# BSD License (two clause)
@ -85,6 +85,9 @@ Patch3: 0004-Set-proper-compiler-optimalization-level-O2-for-perl.pat
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006420
Patch4: 0005-Init-openssl-engine-properly.patch
# upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623
Patch5: 0006-Fix-ALPACA-security-issue.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
@ -584,6 +587,10 @@ fi
%changelog
* Wed Feb 02 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-10
- Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol
Confusion - Analyzing and Mitigating Cracks in TLS Authentication
* Thu Dec 2 2021 Joe Orton <jorton@redhat.com> - 1:1.20.1-9
- add delaycompress to logrotate config (#2015250)