rpms/nginx
7
0
Fork 2
Code Issues Pull Requests Releases Activity

Fix CVE-2026-42945 Buffer overrun in rewrite module via arguments in replacement strings #7

Merged
eabdullin merged 1 commits from jonathan/nginx:a8-stream-1.20 into a8-stream-1.20 2026-05-14 14:57:22 +00:00
Conversation 0 Commits 1 Files Changed 2 +52 -1
2 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
SOURCES/nginx-1.20.1-CVE-2026-42945.patch Normal file
View File

@ -0,0 +1,42 @@
From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Wed, 22 Apr 2026 09:39:31 +0400
Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
The following code resulted in incorrect escaping of $1 and possible
segfault:
location / {
rewrite ^(.*) /new?c=1;
set $myvar $1;
return 200 $myvar;
}
If there were arguments in a rewrite's replacement string, the is_args flag
was set and incorrectly never cleared. This resulted in escaping applied
to any captures evaluated afterwards in set or if. Additionally buffer was
allocated by ngx_http_script_complex_value_code() without escaping expected,
thus this also resulted in buffer overrun and possible segfault.
A similar issue was fixed in 74d939974d43.
Reported by Leo Lin.
---
src/http/ngx_http_script.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
index a2b9f1b7bf..2ea6113735 100644
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
r = e->request;
+ e->is_args = 0;
e->quote = 0;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
--
2.53.0

11
SPECS/nginx.spec
View File

@ -30,7 +30,7 @@
Name: nginx
Epoch: 1
Version: 1.20.1
Release: 1%{?dist}.1.alma.1
Release: 1%{?dist}.1.alma.2
Summary: A high performance web server and reverse proxy server
Group: System Environment/Daemons
@ -77,6 +77,10 @@ Patch5: nginx-1.18.0-pkcs11-cert.patch
# https://issues.redhat.com/browse/RHEL-12730
Patch6: nginx-1.20-CVE-2023-44487.patch
# CVE-2026-42945
# upstream patch - https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686
Patch7: nginx-1.20.1-CVE-2026-42945.patch
%if 0%{?with_gperftools}
BuildRequires: gperftools-devel
%endif
@ -234,6 +238,7 @@ Requires: zlib-devel
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
@ -543,6 +548,10 @@ fi
%{nginx_srcdir}/
%changelog
* Thu May 14 2026 Jonathan Wright <jonathan@almalinux.org> - 1:1.20.1-1.1.alma.2
- Fix CVE-2026-42945 nginx: NGINX: Buffer overrun in rewrite module via
arguments in replacement strings
* Tue Oct 17 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.20.1-1.1.alma.1
- Debrand For AlmaLinux