diff --git a/debian/changelog b/debian/changelog
index 3bf98db..6b37bd7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+nginx (1.22.1-9+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * Add upstream patches for CVE-2024-7347:
+ - mp4: fix buffer underread while updating stsz atom
+ - mp4: reject unordered chunks in stsc atom
+
+ -- Andrej Shadura Wed, 12 Mar 2025 18:55:08 +0100
+
+nginx (1.22.1-9+deb12u1) bookworm; urgency=medium
+
+ * d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.
+
+ -- Jan Mojžíš Mon, 17 Feb 2025 20:40:29 +0100
+
 nginx (1.22.1-9) unstable; urgency=medium
 
  * d/control: nginx-common Breaks+Replaces: nginx (<< 1.22.1-8)
diff --git a/debian/patches/CVE-2024-7347-1.patch b/debian/patches/CVE-2024-7347-1.patch
new file mode 100644
index 0000000..a392404
--- /dev/null
+++ b/debian/patches/CVE-2024-7347-1.patch
@@ -0,0 +1,49 @@ +From: Roman Arutyunyan +Date: Mon, 12 Aug 2024 18:20:43 +0400 +Subject: Mp4: fixed buffer underread while updating stsz atom. + +While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer +overflow could happen, which could result in incorrect seeking and a very large +value stored in "samples". This resulted in a large invalid value of +trak->end_chunk_samples. This value is further used to calculate the value of +trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing +this, a large invalid value of trak->end_chunk_samples could result in reading +memory before stsz atom start. This could potentially result in a segfault. + +Origin: upstream, https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4 +--- + src/http/modules/ngx_http_mp4_module.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 4eff01e..460d091 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -3098,7 +3098,8 @@ static ngx_int_t + ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + ngx_http_mp4_trak_t *trak, ngx_uint_t start) + { +- uint32_t start_sample, chunk, samples, id, next_chunk, n, ++ uint64_t n; ++ uint32_t start_sample, chunk, samples, id, next_chunk, + prev_samples; + ngx_buf_t *data, *buf; + ngx_uint_t entries, target_chunk, chunk_samples; +@@ -3159,7 +3160,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + "samples:%uD, id:%uD", + start_sample, chunk, next_chunk - chunk, samples, id); + +- n = (next_chunk - chunk) * samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample < n) { + goto found; +@@ -3181,7 +3182,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD", + start_sample, chunk, next_chunk - chunk, samples); + +- n = (next_chunk - chunk) * 
samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample > n) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, diff --git a/debian/patches/CVE-2024-7347-2.patch b/debian/patches/CVE-2024-7347-2.patch new file mode 100644 index 0000000..7ea27a2 --- /dev/null +++ b/debian/patches/CVE-2024-7347-2.patch @@ -0,0 +1,31 @@ +From: Roman Arutyunyan +Date: Mon, 12 Aug 2024 18:20:45 +0400 +Subject: Mp4: rejecting unordered chunks in stsc atom. + +Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk +in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() +this caused buffer overread while trying to calculate trak->end_offset. + +Origin: upstream, https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f +--- + src/http/modules/ngx_http_mp4_module.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 460d091..dfada7c 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -3155,6 +3155,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + + next_chunk = ngx_mp4_get_32value(entry->chunk); + ++ if (next_chunk < chunk) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "unordered mp4 stsc chunks in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, + "sample:%uD, chunk:%uD, chunks:%uD, " + "samples:%uD, id:%uD", diff --git a/debian/patches/CVE-2025-23419.patch b/debian/patches/CVE-2025-23419.patch new file mode 100644 index 0000000..b26bdc2 --- /dev/null +++ b/debian/patches/CVE-2025-23419.patch 
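Review bot: Widening `n` to uint64_t in both `n = (uint64_t) (next_chunk - chunk) * samples;` lines removes the 32-bit wrap in the product, but the patch description locates the actual out-of-bounds read in ngx_http_mp4_update_stsz_atom(), which these hunks do not touch, so the consumer still trusts trak->end_chunk_samples rather than bounding it against the stsz atom's own entry count. That is upstream's fix and the backport should stay verbatim, but before shipping it is worth confirming against the upstream source whether a defensive bound exists at the consumer, since any other path that yields an oversized end_chunk_samples would reach the same read. The `next_chunk - chunk` operand is still unsigned 32-bit and wraps when chunks are out of order, which is exactly what the companion CVE-2024-7347-2.patch rejects, so the two must be applied together in the order the series file lists them. ngx_http_mp4_crop_stsc_data() begins and ends outside these hunks.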
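Review bot: The new guard `if (next_chunk < chunk)` rejects only strictly decreasing chunk numbers; two consecutive stsc entries with the same first_chunk pass it, making `next_chunk - chunk` zero and producing an empty run in the multiplication a few lines below. Per the patch description that is harmless for the overread being fixed (end_chunk can no longer fall below start_chunk), but the ISO base media format requires first_chunk to be strictly increasing, so a `<=` check would reject the malformed atom outright; as this is a verbatim upstream backport I would keep `<` and record the reasoning instead, e.g. `/* equal first_chunk values are tolerated: they only yield an empty run */`. The inner `index 460d091..dfada7c` line chains onto the blob produced by CVE-2024-7347-1.patch, so the -1 before -2 order in debian/patches/series is the only one that applies cleanly. The enclosing function begins and ends outside the hunk.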
@@ -0,0 +1,70 @@ +From: =?utf-8?b?SmFuIE1vasW+w63FoQ==?= +Date: Mon, 17 Feb 2025 20:39:22 +0100 +Subject: CVE-2025-23419 +Origin: https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e + +SNI: added restriction for TLSv1.3 cross-SNI session resumption. +In OpenSSL, session resumption always happens in the default SSL context, +prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older +protocols, SSL_get_servername() returns values received in the resumption +handshake, which may be different from the value in the initial handshake. +Notably, this makes the restriction added in b720f65 insufficient for +sessions resumed with different SNI server name. + +Considering the example from b720f65, previously, a client was able to +request example.org by presenting a certificate for example.org, then to +resume and request example.com. + +The fix is to reject handshakes resumed with a different server name, if +verification of client certificates is enabled in a corresponding server +configuration. 
+
+---
+ src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index a999ff5..4708719 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ goto done;
+ }
+
++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION \
++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++ /*
++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++ * but servername being negotiated in every TLSv1.3 handshake
++ * is only returned in OpenSSL 1.1.1+ as well
++ */
++
++ if (sscf->verify) {
++ const char *hostname;
++
++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++ c->ssl->handshake_rejected = 1;
++ *ad = SSL_AD_ACCESS_DENIED;
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
++ }
++ }
++
++#endif
++
+ hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+ if (hc->ssl_servername == NULL) {
+ goto error;
+@@ -922,8 +947,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+
+ ngx_set_connection_log(c, clcf->error_log);
+
+- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+ c->ssl->buffer_size = sscf->buffer_size;
+
+ if (sscf->ssl.ctx) {
diff --git a/debian/patches/series b/debian/patches/series
index 21a2a69..54d8c4b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,6 @@ nginx-fix-pidfile.patch
 nginx-ssl_cert_cb_yield.patch
 bug-1024605.patch
 bug-973861.patch
+CVE-2025-23419.patch
+CVE-2024-7347-1.patch
+CVE-2024-7347-2.patch
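Review bot: The cross-SNI resumption check `ngx_strcmp(hostname, servername) != 0` is a case-sensitive, byte-exact compare, whereas SNI host names carry DNS semantics and are case-insensitive; `servername` is assigned outside the hunk and appears to be the raw SNI value, so a client that merely changes the case of the name between the initial and the resumed handshake is rejected as if it had named a different server. That is the conservative direction for this CVE and not a hole, but a one-line comment above the compare would stop a later maintainer from "fixing" it without weighing the threat, e.g. `/* exact match is intentional: a session may only be resumed under the SNI name it was created for */`. The rejection path sets `handshake_rejected` and returns a fatal alert without logging anything itself; whether operators get a distinguishable error-log line for such attempts depends on ngx_ssl_connection_error(), outside this patch, so it is worth verifying on a test setup before relying on logs for detection. Note also that the `#if` gates only on TLS1_3_VERSION while the comment relies on OpenSSL 1.1.1+ for SSL_SESSION_get0_hostname(); bookworm's OpenSSL satisfies both, but the two conditions are not the same. ngx_http_ssl_servername() begins and ends outside the hunk.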