From e3f6ed2d6547bf910fe5e6a21ea660ea83b0e7b7 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Thu, 27 Dec 2018 14:44:09 +0200 Subject: [PATCH 1/5] Add missing changelog entries Those were forgotten during the upload, but let's add them for completeness. Gbp-Dch: Ignore --- debian/changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/changelog b/debian/changelog index be5df64..93a36f2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,8 @@ nginx (1.14.2-2) unstable; urgency=medium [ Christos Trochalakis ] * http-dav-ext: Upgrade to 3.0.0 (Closes: #851651) + * Use a minimal export of the upstream signing key + * Bump Standards-Version, no changes needed -- Christos Trochalakis Thu, 27 Dec 2018 12:49:34 +0200 From ccedd1185b2471d7b50d5617b5383fb021001888 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Tue, 13 Aug 2019 21:04:39 +0300 Subject: [PATCH 2/5] gbp: setup for buster Gbp-Dch: Ignore --- debian/gbp.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/gbp.conf b/debian/gbp.conf index a14a699..b5fb2c9 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -2,3 +2,5 @@ pristine-tar = True upstream-branch = upstream upstream-tag = upstream/%(version)s +dist=buster +debian-branch=buster From fce697b5bc7fca3b89cfc8ebd941f8dfc5b13388 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Mon, 19 Aug 2019 11:33:14 +0300 Subject: [PATCH 3/5] Handle CVE-2019-9511 CVE-2019-9513 CVE-2019-9516 Several security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file. The issues affect nginx 1.9.5 - 1.17.2. The issues are fixed in nginx 1.17.3, 1.16.1. Thanks to Jonathan Looney from Netflix for discovering these issues. --- debian/patches/CVE-2019-9511.patch | 87 ++++++++++++++++++++++++++++++ debian/patches/CVE-2019-9513.patch | 62 +++++++++++++++++++++ debian/patches/CVE-2019-9516.patch | 45 ++++++++++++++++ debian/patches/series | 3 ++ 4 files changed, 197 insertions(+) create mode 100644 debian/patches/CVE-2019-9511.patch create mode 100644 debian/patches/CVE-2019-9513.patch create mode 100644 debian/patches/CVE-2019-9516.patch diff --git a/debian/patches/CVE-2019-9511.patch b/debian/patches/CVE-2019-9511.patch new file mode 100644 index 0000000..3b48e0c --- /dev/null +++ b/debian/patches/CVE-2019-9511.patch @@ -0,0 +1,87 @@ +From 3f64486e0c15414dc6368139453dcaca338ddf3e Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 13 Aug 2019 15:43:36 +0300 +Subject: [PATCH 2/3] HTTP/2: limited number of DATA frames. + +Fixed excessive memory growth and CPU usage if stream windows are +manipulated in a way that results in generating many small DATA frames. +Fix is to limit the number of simultaneously allocated DATA frames. +--- + src/http/v2/ngx_http_v2.c | 2 ++ + src/http/v2/ngx_http_v2.h | 2 ++ + src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++----- + 3 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index be2ef82b..1b01f271 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4339,6 +4339,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) + */ + pool = stream->pool; + ++ h2c->frames -= stream->frames; ++ + ngx_http_free_request(stream->request, rc); + + if (pool != h2c->state.pool) { +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index bec22160..715b7d30 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s { + + ngx_buf_t *preread; + ++ ngx_uint_t frames; ++ + ngx_http_v2_out_frame_t *free_frames; + ngx_chain_t *free_frame_headers; + ngx_chain_t *free_bufs; +diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c +index 029e8ece..c7ee5536 100644 +--- a/src/http/v2/ngx_http_v2_filter_module.c ++++ b/src/http/v2/ngx_http_v2_filter_module.c +@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t * + ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, + size_t len, ngx_chain_t *first, ngx_chain_t *last) + { +- u_char flags; +- ngx_buf_t *buf; +- ngx_chain_t *cl; +- ngx_http_v2_out_frame_t *frame; ++ u_char flags; ++ ngx_buf_t *buf; ++ ngx_chain_t *cl; ++ ngx_http_v2_out_frame_t *frame; ++ ngx_http_v2_connection_t *h2c; + + frame = stream->free_frames; ++ h2c = stream->connection; + + if (frame) { + stream->free_frames = frame->next; + +- } else { ++ } else if (h2c->frames < 10000) { + frame = ngx_palloc(stream->request->pool, + sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NULL; + } ++ ++ stream->frames++; ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; +-- +2.20.1 + diff --git a/debian/patches/CVE-2019-9513.patch b/debian/patches/CVE-2019-9513.patch new file mode 100644 index 0000000..edc1c2b --- /dev/null +++ b/debian/patches/CVE-2019-9513.patch @@ -0,0 +1,62 @@ +From bbdc81631b6d322785d8e92788fd400e25a931e6 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 13 Aug 2019 15:43:40 +0300 +Subject: [PATCH 3/3] HTTP/2: limited number of PRIORITY frames. + +Fixed excessive CPU usage caused by a peer that continuously shuffles +priority of streams. Fix is to limit the number of PRIORITY frames. +--- + src/http/v2/ngx_http_v2.c | 10 ++++++++++ + src/http/v2/ngx_http_v2.h | 1 + + 2 files changed, 11 insertions(+) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 1b01f271..fd6ecb05 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev) + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); + + h2c->concurrent_pushes = h2scf->concurrent_pushes; ++ h2c->priority_limit = h2scf->concurrent_streams; + + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { +@@ -1806,6 +1807,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos, + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); + } + ++ if (--h2c->priority_limit == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many PRIORITY frames"); ++ ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); ++ } ++ + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { + return ngx_http_v2_state_save(h2c, pos, end, + ngx_http_v2_state_priority); +@@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push) + h2c->processing++; + } + ++ h2c->priority_limit += h2scf->concurrent_streams; ++ + return stream; + } + +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 715b7d30..69d55d1c 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t priority_limit; + + ngx_uint_t pushing; + ngx_uint_t concurrent_pushes; +-- +2.20.1 + diff --git a/debian/patches/CVE-2019-9516.patch b/debian/patches/CVE-2019-9516.patch new file mode 100644 index 0000000..0d5ec77 --- /dev/null +++ b/debian/patches/CVE-2019-9516.patch @@ -0,0 +1,45 @@ +From 840d8a3e2f126384eb4ee3e5dd7ffe875a5634c5 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Tue, 13 Aug 2019 15:43:32 +0300 +Subject: [PATCH 1/3] HTTP/2: reject zero length headers with PROTOCOL_ERROR. + +Fixed uncontrolled memory growth if peer sends a stream of +headers with a 0-length header name and 0-length header value. +Fix is to reject headers with zero name length. +--- + src/http/v2/ngx_http_v2.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 12214e15..be2ef82b 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -1548,6 +1548,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, + header->name.len = h2c->state.field_end - h2c->state.field_start; + header->name.data = h2c->state.field_start; + ++ if (header->name.len == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent zero header name length"); ++ ++ return ngx_http_v2_connection_error(h2c, ++ NGX_HTTP_V2_PROTOCOL_ERROR); ++ } ++ + return ngx_http_v2_state_field_len(h2c, pos, end); + } + +@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) + ngx_uint_t i; + ngx_http_core_srv_conf_t *cscf; + +- if (header->name.len == 0) { +- return NGX_ERROR; +- } +- + r->invalid_header = 0; + + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index 5b6b799..dfc20c1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,5 @@ 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch 0003-define_gnu_source-on-other-glibc-based-platforms.patch +CVE-2019-9516.patch +CVE-2019-9511.patch +CVE-2019-9513.patch From 117fc2156ffdf628d28bb469b920f7d4cbf19d2c Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Mon, 19 Aug 2019 13:03:31 +0300 Subject: [PATCH 4/5] Release 1.14.2-2+deb10u1 --- debian/changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index 93a36f2..b2c8dc3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +nginx (1.14.2-2+deb10u1) buster-security; urgency=high + + * Backport upstream fixes for 3 CVEs (Closes: #935037) + Those fixes affect Nginx HTTP/2 implementation, which might cause + excessive memory consumption and CPU usage. + (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + -- Christos Trochalakis Tue, 13 Aug 2019 21:10:28 +0300 + nginx (1.14.2-2) unstable; urgency=medium [ Kartik Mistry ] From 6d83f8075c79183864b3a5977772d93c46c5e0df Mon Sep 17 00:00:00 2001 From: Markus Koschany Date: Tue, 22 Nov 2022 23:03:15 +0100 Subject: [PATCH 5/5] Import Debian changes 1.14.2-2+deb10u5 nginx (1.14.2-2+deb10u5) buster-security; urgency=high . * Non-maintainer upload by the LTS team. * Fix CVE-2021-3618: ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer. * Fix CVE-2022-41741 and CVE-2022-41742: It was discovered that parsing errors in the mp4 module of Nginx, a high-performance web and reverse proxy server, could result in denial of service, memory disclosure or potentially the execution of arbitrary code when processing a malformed mp4 file. . nginx (1.14.2-2+deb10u4) buster-security; urgency=medium . * CVE-2021-23017 (Closes: #989095) . nginx (1.14.2-2+deb10u3) buster-security; urgency=high . * Non-maintainer upload by the Security Team. * bugfix: prevented request smuggling in the ngx.location.capture API (CVE-2020-11724) (Closes: #964950) . nginx (1.14.2-2+deb10u2) buster; urgency=medium . * Handle CVE-2019-20372, error page request smuggling (Closes: #948579) --- debian/changelog | 41 + debian/modules/http-lua/t/.gitignore | 2 - debian/modules/nchan/src/.gitignore | 2 - .../nchan/src/store/redis/scripts/.gitignore | 1 - ...-request-smuggling-in-the-ngx.locati.patch | 852 ++++++++++++++++++ debian/modules/patches/http-lua/series | 1 + debian/patches/CVE-2019-20372.patch | 31 + debian/patches/CVE-2021-23017.patch | 24 + debian/patches/CVE-2021-3618.patch | 94 ++ debian/patches/CVE-2022-41741.patch | 307 +++++++ debian/patches/series | 4 + 11 files changed, 1354 insertions(+), 5 deletions(-) delete mode 100644 debian/modules/http-lua/t/.gitignore delete mode 100644 debian/modules/nchan/src/.gitignore delete mode 100644 debian/modules/nchan/src/store/redis/scripts/.gitignore create mode 100644 debian/modules/patches/http-lua/bugfix-prevented-request-smuggling-in-the-ngx.locati.patch create mode 100644 debian/patches/CVE-2019-20372.patch create mode 100644 debian/patches/CVE-2021-23017.patch create mode 100644 debian/patches/CVE-2021-3618.patch create mode 100644 debian/patches/CVE-2022-41741.patch diff --git a/debian/changelog b/debian/changelog index b2c8dc3..2f1e32c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,44 @@ +nginx (1.14.2-2+deb10u5) buster-security; urgency=high + + * Non-maintainer upload by the LTS team. + * Fix CVE-2021-3618: + ALPACA is an application layer protocol content confusion attack, + exploiting TLS servers implementing different protocols but using + compatible certificates, such as multi-domain or wildcard certificates. A + MiTM attacker having access to victim's traffic at the TCP/IP layer can + redirect traffic from one subdomain to another, resulting in a valid TLS + session. This breaks the authentication of TLS and cross-protocol attacks + may be possible where the behavior of one protocol service may compromise + the other at the application layer. + * Fix CVE-2022-41741 and CVE-2022-41742: + It was discovered that parsing errors in the mp4 module of Nginx, a + high-performance web and reverse proxy server, could result in denial of + service, memory disclosure or potentially the execution of arbitrary code + when processing a malformed mp4 file. + + -- Markus Koschany Tue, 22 Nov 2022 23:03:15 +0100 + +nginx (1.14.2-2+deb10u4) buster-security; urgency=medium + + * CVE-2021-23017 (Closes: #989095) + + -- Moritz Mühlenhoff Fri, 28 May 2021 10:43:00 +0200 + +nginx (1.14.2-2+deb10u3) buster-security; urgency=high + + * Non-maintainer upload by the Security Team. + * bugfix: prevented request smuggling in the ngx.location.capture API + (CVE-2020-11724) (Closes: #964950) + + -- Salvatore Bonaccorso Mon, 24 Aug 2020 12:18:43 +0200 + +nginx (1.14.2-2+deb10u2) buster; urgency=medium + + * Handle CVE-2019-20372, error page request smuggling + (Closes: #948579) + + -- Christos Trochalakis Sat, 11 Jan 2020 09:28:05 +0200 + nginx (1.14.2-2+deb10u1) buster-security; urgency=high * Backport upstream fixes for 3 CVEs (Closes: #935037) diff --git a/debian/modules/http-lua/t/.gitignore b/debian/modules/http-lua/t/.gitignore deleted file mode 100644 index 3170741..0000000 --- a/debian/modules/http-lua/t/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -servroot - diff --git a/debian/modules/nchan/src/.gitignore b/debian/modules/nchan/src/.gitignore deleted file mode 100644 index 67fd4b3..0000000 --- a/debian/modules/nchan/src/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -nginx -nginx-source \ No newline at end of file diff --git a/debian/modules/nchan/src/store/redis/scripts/.gitignore b/debian/modules/nchan/src/store/redis/scripts/.gitignore deleted file mode 100644 index b844b14..0000000 --- a/debian/modules/nchan/src/store/redis/scripts/.gitignore +++ /dev/null @@ -1 +0,0 @@ -Gemfile.lock diff --git a/debian/modules/patches/http-lua/bugfix-prevented-request-smuggling-in-the-ngx.locati.patch b/debian/modules/patches/http-lua/bugfix-prevented-request-smuggling-in-the-ngx.locati.patch new file mode 100644 index 0000000..dd277e2 --- /dev/null +++ b/debian/modules/patches/http-lua/bugfix-prevented-request-smuggling-in-the-ngx.locati.patch @@ -0,0 +1,852 @@ +From: Thibault Charbonnier +Date: Mon, 23 Mar 2020 19:40:47 -0700 +Subject: bugfix: prevented request smuggling in the ngx.location.capture API. +Origin: https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa +Bug-Debian: https://bugs.debian.org/964950 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-11724 + +Signed-off-by: Yichun Zhang (agentzh) +--- + src/ngx_http_lua_subrequest.c | 196 +++++-------- + t/020-subrequest.t | 520 +++++++++++++++++++++++++++++++++- + 2 files changed, 585 insertions(+), 131 deletions(-) + +--- a/src/ngx_http_lua_subrequest.c ++++ b/src/ngx_http_lua_subrequest.c +@@ -56,8 +56,6 @@ static ngx_str_t ngx_http_lua_content_l + ngx_string("Content-Length"); + + +-static ngx_int_t ngx_http_lua_set_content_length_header(ngx_http_request_t *r, +- off_t len); + static ngx_int_t ngx_http_lua_adjust_subrequest(ngx_http_request_t *sr, + ngx_uint_t method, int forward_body, + ngx_http_request_body_t *body, unsigned vars_action, +@@ -78,7 +76,7 @@ static void ngx_http_lua_cancel_subreq(n + static ngx_int_t ngx_http_post_request_to_head(ngx_http_request_t *r); + static ngx_int_t ngx_http_lua_copy_in_file_request_body(ngx_http_request_t *r); + static ngx_int_t ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, +- ngx_http_request_t *r); ++ ngx_http_request_t *pr, int pr_not_chunked); + + + /* ngx.location.capture is just a thin wrapper around +@@ -628,8 +626,8 @@ ngx_http_lua_adjust_subrequest(ngx_http_ + unsigned vars_action, ngx_array_t *extra_vars) + { + ngx_http_request_t *r; +- ngx_int_t rc; + ngx_http_core_main_conf_t *cmcf; ++ int pr_not_chunked = 0; + size_t size; + + r = sr->parent; +@@ -639,46 +637,32 @@ ngx_http_lua_adjust_subrequest(ngx_http_ + if (body) { + sr->request_body = body; + +- rc = ngx_http_lua_set_content_length_header(sr, +- body->buf +- ? ngx_buf_size(body->buf) +- : 0); +- +- if (rc != NGX_OK) { +- return NGX_ERROR; +- } +- + } else if (!always_forward_body + && method != NGX_HTTP_PUT + && method != NGX_HTTP_POST + && r->headers_in.content_length_n > 0) + { +- rc = ngx_http_lua_set_content_length_header(sr, 0); +- if (rc != NGX_OK) { +- return NGX_ERROR; +- } +- +-#if 1 + sr->request_body = NULL; +-#endif + + } else { +- if (ngx_http_lua_copy_request_headers(sr, r) != NGX_OK) { +- return NGX_ERROR; ++ if (!r->headers_in.chunked) { ++ pr_not_chunked = 1; + } + +- if (sr->request_body) { ++ if (sr->request_body && sr->request_body->temp_file) { + + /* deep-copy the request body */ + +- if (sr->request_body->temp_file) { +- if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) { +- return NGX_ERROR; +- } ++ if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) { ++ return NGX_ERROR; + } + } + } + ++ if (ngx_http_lua_copy_request_headers(sr, r, pr_not_chunked) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ + sr->method = method; + + switch (method) { +@@ -1124,100 +1108,6 @@ ngx_http_lua_post_subrequest(ngx_http_re + } + + +-static ngx_int_t +-ngx_http_lua_set_content_length_header(ngx_http_request_t *r, off_t len) +-{ +- ngx_table_elt_t *h, *header; +- u_char *p; +- ngx_list_part_t *part; +- ngx_http_request_t *pr; +- ngx_uint_t i; +- +- r->headers_in.content_length_n = len; +- +- if (ngx_list_init(&r->headers_in.headers, r->pool, 20, +- sizeof(ngx_table_elt_t)) != NGX_OK) +- { +- return NGX_ERROR; +- } +- +- h = ngx_list_push(&r->headers_in.headers); +- if (h == NULL) { +- return NGX_ERROR; +- } +- +- h->key = ngx_http_lua_content_length_header_key; +- h->lowcase_key = ngx_pnalloc(r->pool, h->key.len); +- if (h->lowcase_key == NULL) { +- return NGX_ERROR; +- } +- +- ngx_strlow(h->lowcase_key, h->key.data, h->key.len); +- +- r->headers_in.content_length = h; +- +- p = ngx_palloc(r->pool, NGX_OFF_T_LEN); +- if (p == NULL) { +- return NGX_ERROR; +- } +- +- h->value.data = p; +- +- h->value.len = ngx_sprintf(h->value.data, "%O", len) - h->value.data; +- +- h->hash = ngx_http_lua_content_length_hash; +- +-#if 0 +- dd("content length hash: %lu == %lu", (unsigned long) h->hash, +- ngx_hash_key_lc((u_char *) "Content-Length", +- sizeof("Content-Length") - 1)); +-#endif +- +- dd("r content length: %.*s", +- (int) r->headers_in.content_length->value.len, +- r->headers_in.content_length->value.data); +- +- pr = r->parent; +- +- if (pr == NULL) { +- return NGX_OK; +- } +- +- /* forward the parent request's all other request headers */ +- +- part = &pr->headers_in.headers.part; +- header = part->elts; +- +- for (i = 0; /* void */; i++) { +- +- if (i >= part->nelts) { +- if (part->next == NULL) { +- break; +- } +- +- part = part->next; +- header = part->elts; +- i = 0; +- } +- +- if (header[i].key.len == sizeof("Content-Length") - 1 +- && ngx_strncasecmp(header[i].key.data, (u_char *) "Content-Length", +- sizeof("Content-Length") - 1) == 0) +- { +- continue; +- } +- +- if (ngx_http_lua_set_input_header(r, header[i].key, +- header[i].value, 0) == NGX_ERROR) +- { +- return NGX_ERROR; +- } +- } +- +- return NGX_OK; +-} +- +- + static void + ngx_http_lua_handle_subreq_responses(ngx_http_request_t *r, + ngx_http_lua_ctx_t *ctx) +@@ -1732,11 +1622,17 @@ ngx_http_lua_copy_in_file_request_body(n + + + static ngx_int_t +-ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r) ++ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ++ ngx_http_request_t *pr, int pr_not_chunked) + { +- ngx_table_elt_t *header; ++ ngx_table_elt_t *clh, *header; + ngx_list_part_t *part; + ngx_uint_t i; ++ u_char *p; ++ off_t len; ++ ++ dd("before: parent req headers count: %d", ++ (int) pr->headers_in.headers.part.nelts); + + if (ngx_list_init(&sr->headers_in.headers, sr->pool, 20, + sizeof(ngx_table_elt_t)) != NGX_OK) +@@ -1744,10 +1640,46 @@ ngx_http_lua_copy_request_headers(ngx_ht + return NGX_ERROR; + } + +- dd("before: parent req headers count: %d", +- (int) r->headers_in.headers.part.nelts); ++ if (sr->request_body && !pr_not_chunked) { ++ ++ /* craft our own Content-Length */ ++ ++ len = sr->request_body->buf ? ngx_buf_size(sr->request_body->buf) : 0; ++ ++ clh = ngx_list_push(&sr->headers_in.headers); ++ if (clh == NULL) { ++ return NGX_ERROR; ++ } + +- part = &r->headers_in.headers.part; ++ clh->hash = ngx_http_lua_content_length_hash; ++ clh->key = ngx_http_lua_content_length_header_key; ++ clh->lowcase_key = ngx_pnalloc(sr->pool, clh->key.len); ++ if (clh->lowcase_key == NULL) { ++ return NGX_ERROR; ++ } ++ ++ ngx_strlow(clh->lowcase_key, clh->key.data, clh->key.len); ++ ++ p = ngx_palloc(sr->pool, NGX_OFF_T_LEN); ++ if (p == NULL) { ++ return NGX_ERROR; ++ } ++ ++ clh->value.data = p; ++ clh->value.len = ngx_sprintf(clh->value.data, "%O", len) ++ - clh->value.data; ++ ++ sr->headers_in.content_length = clh; ++ sr->headers_in.content_length_n = len; ++ ++ dd("sr crafted content-length: %.*s", ++ (int) sr->headers_in.content_length->value.len, ++ sr->headers_in.content_length->value.data); ++ } ++ ++ /* copy the parent request's headers */ ++ ++ part = &pr->headers_in.headers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { +@@ -1762,7 +1694,14 @@ ngx_http_lua_copy_request_headers(ngx_ht + i = 0; + } + +- dd("setting request header %.*s: %.*s", (int) header[i].key.len, ++ if (!pr_not_chunked && header[i].key.len == sizeof("Content-Length") - 1 ++ && ngx_strncasecmp(header[i].key.data, (u_char *) "Content-Length", ++ sizeof("Content-Length") - 1) == 0) ++ { ++ continue; ++ } ++ ++ dd("sr copied req header %.*s: %.*s", (int) header[i].key.len, + header[i].key.data, (int) header[i].value.len, + header[i].value.data); + +@@ -1774,9 +1713,10 @@ ngx_http_lua_copy_request_headers(ngx_ht + } + + dd("after: parent req headers count: %d", +- (int) r->headers_in.headers.part.nelts); ++ (int) pr->headers_in.headers.part.nelts); + + return NGX_OK; + } + ++ + /* vi:set ft=c ts=4 sw=4 et fdm=marker: */ +--- a/t/020-subrequest.t ++++ b/t/020-subrequest.t +@@ -14,6 +14,7 @@ repeat_each(2); + plan tests => repeat_each() * (blocks() * 3 + 23); + + $ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211; ++$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); + + #no_diff(); + no_long_string(); +@@ -210,7 +211,7 @@ GET + + + +-=== TEST 8: PUT (nobody, proxy method) ++=== TEST 8: PUT (with body, proxy method) + --- config + location /other { + default_type 'foo/bar'; +@@ -242,7 +243,7 @@ hello + + + +-=== TEST 9: PUT (nobody, no proxy method) ++=== TEST 9: PUT (with body, no proxy method) + --- config + location /other { + default_type 'foo/bar'; +@@ -271,7 +272,7 @@ hello + + + +-=== TEST 10: PUT (nobody, no proxy method) ++=== TEST 10: PUT (no body, no proxy method) + --- config + location /other { + default_type 'foo/bar'; +@@ -2877,3 +2878,516 @@ DELETE /file.txt, response status: 204 + --- no_error_log + [error] + --- error_code: 200 ++ ++ ++ ++=== TEST 77: avoid request smuggling 1/4 (default capture + smuggle in header) ++--- http_config ++ upstream backend { ++ server unix:$TEST_NGINX_HTML_DIR/nginx.sock; ++ keepalive 32; ++ } ++ ++ server { ++ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock; ++ ++ location / { ++ content_by_lua_block { ++ ngx.say("method: ", ngx.var.request_method, ++ ", uri: ", ngx.var.uri, ++ ", X: ", ngx.var.http_x) ++ } ++ } ++ } ++--- config ++ location /proxy { ++ proxy_http_version 1.1; ++ proxy_set_header Connection ""; ++ proxy_pass http://backend/foo; ++ } ++ ++ location /capture { ++ server_tokens off; ++ more_clear_headers Date; ++ ++ content_by_lua_block { ++ local res = ngx.location.capture("/proxy") ++ ngx.print(res.body) ++ } ++ } ++ ++ location /t { ++ content_by_lua_block { ++ local req = [[ ++GET /capture HTTP/1.1 ++Host: test.com ++Content-Length: 37 ++Transfer-Encoding: chunked ++ ++0 ++ ++GET /capture HTTP/1.1 ++Host: test.com ++X: GET /bar HTTP/1.0 ++ ++]] ++ ++ local sock = ngx.socket.tcp() ++ sock:settimeout(1000) ++ ++ local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT) ++ if not ok then ++ ngx.say("failed to connect: ", err) ++ return ++ end ++ ++ local bytes, err = sock:send(req) ++ if not bytes then ++ ngx.say("failed to send req: ", err) ++ return ++ end ++ ++ ngx.say("req bytes: ", bytes) ++ ++ local n_resp = 0 ++ ++ local reader = sock:receiveuntil("\r\n") ++ while true do ++ local line, err = reader() ++ if line then ++ ngx.say(line) ++ if line == "0" then ++ n_resp = n_resp + 1 ++ end ++ ++ if n_resp >= 2 then ++ break ++ end ++ ++ else ++ ngx.say("err: ", err) ++ break ++ end ++ end ++ ++ sock:close() ++ } ++ } ++--- request ++GET /t ++--- response_body ++req bytes: 146 ++HTTP/1.1 200 OK ++Server: nginx ++Content-Type: text/plain ++Transfer-Encoding: chunked ++Connection: keep-alive ++ ++1f ++method: GET, uri: /foo, X: nil ++ ++0 ++ ++HTTP/1.1 200 OK ++Server: nginx ++Content-Type: text/plain ++Transfer-Encoding: chunked ++Connection: keep-alive ++ ++2d ++method: GET, uri: /foo, X: GET /bar HTTP/1.0 ++ ++0 ++--- no_error_log ++[error] ++ ++ ++ ++=== TEST 78: avoid request smuggling 2/4 (POST capture + smuggle in body) ++--- http_config ++ upstream backend { ++ server unix:$TEST_NGINX_HTML_DIR/nginx.sock; ++ keepalive 32; ++ } ++ ++ server { ++ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock; ++ ++ location / { ++ content_by_lua_block { ++ ngx.say("method: ", ngx.var.request_method, ++ ", uri: ", ngx.var.uri) ++ } ++ } ++ } ++--- config ++ location /proxy { ++ proxy_http_version 1.1; ++ proxy_set_header Connection ""; ++ proxy_pass http://backend/foo; ++ } ++ ++ location /capture { ++ server_tokens off; ++ more_clear_headers Date; ++ ++ content_by_lua_block { ++ ngx.req.read_body() ++ local res = ngx.location.capture("/proxy", { method = ngx.HTTP_POST }) ++ ngx.print(res.body) ++ } ++ } ++ ++ location /t { ++ content_by_lua_block { ++ local req = [[ ++GET /capture HTTP/1.1 ++Host: test.com ++Content-Length: 57 ++Transfer-Encoding: chunked ++ ++0 ++ ++POST /capture HTTP/1.1 ++Host: test.com ++Content-Length: 60 ++ ++POST /bar HTTP/1.1 ++Host: test.com ++Content-Length: 5 ++ ++hello ++ ++]] ++ ++ local sock = ngx.socket.tcp() ++ sock:settimeout(1000) ++ ++ local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT) ++ if not ok then ++ ngx.say("failed to connect: ", err) ++ return ++ end ++ ++ local bytes, err = sock:send(req) ++ if not bytes then ++ ngx.say("failed to send req: ", err) ++ return ++ end ++ ++ ngx.say("req bytes: ", bytes) ++ ++ local n_resp = 0 ++ ++ local reader = sock:receiveuntil("\r\n") ++ while true do ++ local line, err = reader() ++ if line then ++ ngx.say(line) ++ if line == "0" then ++ n_resp = n_resp + 1 ++ end ++ ++ if n_resp >= 2 then ++ break ++ end ++ ++ else ++ ngx.say("err: ", err) ++ break ++ end ++ end ++ ++ sock:close() ++ } ++ } ++--- request ++GET /t ++--- response_body ++req bytes: 205 ++HTTP/1.1 200 OK ++Server: nginx ++Content-Type: text/plain ++Transfer-Encoding: chunked ++Connection: keep-alive ++ ++18 ++method: POST, uri: /foo ++ ++0 ++ ++HTTP/1.1 200 OK ++Server: nginx ++Content-Type: text/plain ++Transfer-Encoding: chunked ++Connection: keep-alive ++ ++18 ++method: POST, uri: /foo ++ ++0 ++--- no_error_log ++[error] ++ ++ ++ ++=== TEST 79: avoid request smuggling 3/4 (POST capture w/ always_forward_body + smuggle in body) ++--- http_config ++ upstream backend { ++ server unix:$TEST_NGINX_HTML_DIR/nginx.sock; ++ keepalive 32; ++ } ++ ++ server { ++ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock; ++ ++ location / { ++ content_by_lua_block { ++ ngx.say("method: ", ngx.var.request_method, ++ ", uri: ", ngx.var.uri) ++ } ++ } ++ } ++--- config ++ location /proxy { ++ proxy_http_version 1.1; ++ proxy_set_header Connection ""; ++ proxy_pass http://backend/foo; ++ } ++ ++ location /capture { ++ server_tokens off; ++ more_clear_headers Date; ++ ++ content_by_lua_block { ++ ngx.req.read_body() ++ local res = ngx.location.capture("/proxy", { ++ method = ngx.HTTP_POST, ++ always_forward_body = true ++ }) ++ ngx.print(res.body) ++ } ++ } ++ ++ location /t { ++ content_by_lua_block { ++ local req = [[ ++GET /capture HTTP/1.1 ++Host: test.com ++Content-Length: 57 ++Transfer-Encoding: chunked ++ ++0 ++ ++POST /capture HTTP/1.1 ++Host: test.com ++Content-Length: 60 ++ ++POST /bar HTTP/1.1 ++Host: test.com ++Content-Length: 5 ++ ++hello ++ ++]] ++ ++ local sock = ngx.socket.tcp() ++ sock:settimeout(1000) ++ ++ local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT) ++ if not ok then ++ ngx.say("failed to connect: ", err) ++ return ++ end ++ ++ local bytes, err = sock:send(req) ++ if not bytes then ++ ngx.say("failed to send req: ", err) ++ return ++ end ++ ++ ngx.say("req bytes: ", bytes) ++ ++ local n_resp = 0 ++ ++ local reader = sock:receiveuntil("\r\n") ++ while true do ++ local line, err = reader() ++ if line then ++ ngx.say(line) ++ if line == "0" then ++ n_resp = n_resp + 1 ++ end ++ ++ if n_resp >= 2 then ++ break ++ end ++ ++ else ++ ngx.say("err: ", err) ++ break ++ end ++ end ++ ++ sock:close() ++ } ++ } ++--- request ++GET /t ++--- response_body ++req bytes: 205 ++HTTP/1.1 200 OK ++Server: nginx ++Content-Type: text/plain ++Transfer-Encoding: chunked ++Connection: keep-alive ++ ++18 ++method: POST, uri: /foo ++ ++0 ++ ++HTTP/1.1 200 OK ++Server: nginx ++Content-Type: text/plain ++Transfer-Encoding: chunked ++Connection: keep-alive ++ ++18 ++method: POST, uri: /foo ++ ++0 ++--- no_error_log ++[error] ++ ++ ++ ++=== TEST 80: avoid request smuggling 4/4 (POST capture w/ body + smuggle in body) ++--- http_config ++ upstream backend { ++ server unix:$TEST_NGINX_HTML_DIR/nginx.sock; ++ keepalive 32; ++ } ++ ++ server { ++ listen unix:$TEST_NGINX_HTML_DIR/nginx.sock; ++ ++ location / { ++ content_by_lua_block { ++ ngx.say("method: ", ngx.var.request_method, ++ ", uri: ", ngx.var.uri) ++ } ++ } ++ } ++--- config ++ location /proxy { ++ proxy_http_version 1.1; ++ proxy_set_header Connection ""; ++ proxy_pass http://backend/foo; ++ } ++ ++ location /capture { ++ server_tokens off; ++ more_clear_headers Date; ++ ++ content_by_lua_block { ++ ngx.req.read_body() ++ local res = ngx.location.capture("/proxy", { ++ method = ngx.HTTP_POST, ++ always_forward_body = true, ++ body = ngx.req.get_body_data() ++ }) ++ ngx.print(res.body) ++ } ++ } ++ ++ location /t { ++ content_by_lua_block { ++ local req = [[ ++GET /capture HTTP/1.1 ++Host: test.com ++Content-Length: 57 ++Transfer-Encoding: chunked ++ ++0 ++ ++POST /capture HTTP/1.1 ++Host: test.com ++Content-Length: 60 ++ ++POST /bar HTTP/1.1 ++Host: test.com ++Content-Length: 5 ++ ++hello ++ ++]] ++ ++ local sock = ngx.socket.tcp() ++ sock:settimeout(1000) ++ ++ local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT) ++ if not ok then ++ ngx.say("failed to connect: ", err) ++ return ++ end ++ ++ local bytes, err = sock:send(req) ++ if not bytes then ++ ngx.say("failed to send req: ", err) ++ return ++ end ++ ++ ngx.say("req bytes: ", bytes) ++ ++ local n_resp = 0 ++ ++ local reader = sock:receiveuntil("\r\n") ++ while true do ++ local line, err = reader() ++ if line then ++ ngx.say(line) ++ if line == "0" then ++ n_resp = n_resp + 1 ++ end ++ ++ if n_resp >= 2 then ++ break ++ end ++ ++ else ++ ngx.say("err: ", err) ++ break ++ end ++ end ++ ++ sock:close() ++ } ++ } ++--- request ++GET /t ++--- response_body ++req bytes: 205 ++HTTP/1.1 200 OK ++Server: nginx ++Content-Type: text/plain ++Transfer-Encoding: chunked ++Connection: keep-alive ++ ++18 ++method: POST, uri: /foo ++ ++0 ++ ++HTTP/1.1 200 OK ++Server: nginx ++Content-Type: text/plain ++Transfer-Encoding: chunked ++Connection: keep-alive ++ ++18 ++method: POST, uri: /foo ++ ++0 ++--- no_error_log ++[error] diff --git a/debian/modules/patches/http-lua/series b/debian/modules/patches/http-lua/series index 6a8b245..074e41c 100644 --- a/debian/modules/patches/http-lua/series +++ b/debian/modules/patches/http-lua/series @@ -1 +1,2 @@ discover-luajit-2.1.patch +bugfix-prevented-request-smuggling-in-the-ngx.locati.patch diff --git a/debian/patches/CVE-2019-20372.patch b/debian/patches/CVE-2019-20372.patch new file mode 100644 index 0000000..7793fa4 --- /dev/null +++ b/debian/patches/CVE-2019-20372.patch @@ -0,0 +1,31 @@ +From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Mon, 23 Dec 2019 15:45:46 +0300 +Subject: [PATCH] Discard request body when redirecting to a URL via + error_page. + +Reported by Bert JW Regeer and Francisco Oca Gonzalez. +--- + src/http/ngx_http_special_response.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 2c1ff174..e2a5e9dc 100644 +--- a/src/http/ngx_http_special_response.c ++++ b/src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) { +-- +2.23.0 + diff --git a/debian/patches/CVE-2021-23017.patch b/debian/patches/CVE-2021-23017.patch new file mode 100644 index 0000000..a49fe82 --- /dev/null +++ b/debian/patches/CVE-2021-23017.patch @@ -0,0 +1,24 @@ +https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf + +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -3975,15 +3975,15 @@ done: + n = *src++; + + } else { ++ if (dst != name->data) { ++ *dst++ = '.'; ++ } ++ + ngx_strlow(dst, src, n); + dst += n; + src += n; + + n = *src++; +- +- if (n != 0) { +- *dst++ = '.'; +- } + } + + if (n == 0) { diff --git a/debian/patches/CVE-2021-3618.patch b/debian/patches/CVE-2021-3618.patch new file mode 100644 index 0000000..d4b27d5 --- /dev/null +++ b/debian/patches/CVE-2021-3618.patch @@ -0,0 +1,94 @@ +From: Markus Koschany +Date: Mon, 21 Nov 2022 12:43:20 +0100 +Subject: CVE-2021-3618 + +Bug-Debian: https://bugs.debian.org/991328 +Origin: http://hg.nginx.org/nginx/rev/ec1071830799 +--- + src/mail/ngx_mail.h | 3 +++ + src/mail/ngx_mail_core_module.c | 10 ++++++++++ + src/mail/ngx_mail_handler.c | 15 ++++++++++++++- + 3 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h +index 6ecfefc..6961967 100644 +--- a/src/mail/ngx_mail.h ++++ b/src/mail/ngx_mail.h +@@ -112,6 +112,8 @@ typedef struct { + ngx_msec_t timeout; + ngx_msec_t resolver_timeout; + ++ ngx_uint_t max_errors; ++ + ngx_str_t server_name; + + u_char *file_name; +@@ -224,6 +226,7 @@ typedef struct { + ngx_uint_t command; + ngx_array_t args; + ++ ngx_uint_t errors; + ngx_uint_t login_attempt; + + /* used to parse POP3/IMAP/SMTP command */ +diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c +index 276b8ee..690f7ab 100644 +--- a/src/mail/ngx_mail_core_module.c ++++ b/src/mail/ngx_mail_core_module.c +@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = { + offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), + NULL }, + ++ { ngx_string("max_errors"), ++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_MAIL_SRV_CONF_OFFSET, ++ offsetof(ngx_mail_core_srv_conf_t, max_errors), ++ NULL }, ++ + ngx_null_command + }; + +@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf) + cscf->timeout = NGX_CONF_UNSET_MSEC; + cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; + ++ cscf->max_errors = NGX_CONF_UNSET_UINT; ++ + cscf->resolver = NGX_CONF_UNSET_PTR; + + cscf->file_name = cf->conf_file->file.name.data; +@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, + 30000); + ++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + +diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c +index bc3e6b9..41574f5 100644 +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -769,7 +769,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ ++ s->errors++; ++ ++ if (s->errors >= cscf->max_errors) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ "client sent too many invalid commands"); ++ s->quit = 1; ++ } ++ ++ return rc; ++ } ++ ++ if (rc == NGX_IMAP_NEXT) { + return rc; + } + diff --git a/debian/patches/CVE-2022-41741.patch b/debian/patches/CVE-2022-41741.patch new file mode 100644 index 0000000..bea978a --- /dev/null +++ b/debian/patches/CVE-2022-41741.patch @@ -0,0 +1,307 @@ +From: Markus Koschany +Date: Mon, 21 Nov 2022 11:57:23 +0100 +Subject: CVE-2022-41741 + +Origin: https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea +--- + src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++++++++++ + 1 file changed, 147 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 618bf78..7b7184d 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -1076,6 +1076,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + return NGX_ERROR; + } + ++ if (mp4->ftyp_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + ftyp_atom = ngx_palloc(mp4->request->pool, atom_size); +@@ -1134,6 +1140,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + return NGX_DECLINED; + } + ++ if (mp4->moov_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module); + + if (atom_data_size > mp4->buffer_size) { +@@ -1201,6 +1213,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom"); + ++ if (mp4->mdat_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + data = &mp4->mdat_data_buf; + data->file = &mp4->file; + data->in_file = 1; +@@ -1327,6 +1345,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom"); + ++ if (mp4->mvhd_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_header = ngx_mp4_atom_header(mp4); + mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header; + mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header; +@@ -1592,6 +1616,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->tkhd_size = atom_size; + + ngx_mp4_set_32value(tkhd_atom->size, atom_size); +@@ -1630,6 +1661,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->mdia_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1753,6 +1790,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->mdhd_size = atom_size; + trak->timescale = timescale; + +@@ -1795,6 +1839,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->hdlr_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1823,6 +1873,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->minf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1866,6 +1922,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->vmhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1897,6 +1962,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->smhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1928,6 +2002,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->dinf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1956,6 +2036,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stbl_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2024,6 +2110,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stsd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2092,6 +2184,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->time_to_sample_entries = entries; + + atom = &trak->stts_atom_buf; +@@ -2297,6 +2396,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sync sample entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sync_samples_entries = entries; + + atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t); +@@ -2495,6 +2601,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "composition offset entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->composition_offset_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t); +@@ -2698,6 +2811,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_to_chunk_entries = entries; + + atom = &trak->stsc_atom_buf; +@@ -3030,6 +3150,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sample uniform size:%uD, entries:%uD", size, entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_sizes_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t); +@@ -3199,6 +3326,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(uint32_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->stco_atom_buf; +@@ -3383,6 +3520,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom_end = atom_table + entries * sizeof(uint64_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->co64_atom_buf; diff --git a/debian/patches/series b/debian/patches/series index dfc20c1..04e7fd4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,7 @@ CVE-2019-9516.patch CVE-2019-9511.patch CVE-2019-9513.patch +CVE-2019-20372.patch +CVE-2021-23017.patch +CVE-2022-41741.patch +CVE-2021-3618.patch