diff --git a/debian/changelog b/debian/changelog
index 266e3ea..90a35bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,45 @@
+nginx (1.18.0-6.1+deb11u4) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Backport upstream patch for CVE-2025-23419.
+ Compared to the original patch which fixes the issue in
+ http/ngx_http_request and stream/ngx_stream_ssl_module, this backport
+ only addresses it in http/ngx_http_request since the other location
+ does not exist yet in this source version.
+ * Apply upstream patch for CVE-2024-7347.
+
+ -- Andrej Shadura Wed, 26 Feb 2025 19:43:51 +0100
+
+nginx (1.18.0-6.1+deb11u3) bullseye-security; urgency=medium
+
+ * CVE-2022-41741 / CVE-2022-41742
+
+ -- Moritz Muehlenhoff Fri, 11 Nov 2022 15:14:18 +0000
+
+nginx (1.18.0-6.1+deb11u2) bullseye; urgency=medium
+
+ * d/patches/CVE-2021-3618.patch: Include upstream changeset from NGINX
+ that adds mitigations into the Mail module for CVE-2021-3618.patch.
+ (Closes: #991328)
+
+ -- Jan Mojžíš Sat, 14 May 2022 08:27:08 +0200
+
+nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium
+
+ * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when
+ libnginx-mod-http-lua is loaded and init_worker_by_lua* is used.
+ (Closes: #994178)
+
+ -- Jan Mojžíš Tue, 15 Mar 2022 21:36:18 +0100
+
+nginx (1.18.0-6.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Resolver: fixed off-by-one write in ngx_resolver_copy() (CVE-2021-23017)
+ (Closes: #989095)
+
+ -- Salvatore Bonaccorso Sat, 29 May 2021 16:21:37 +0200
+
 nginx (1.18.0-6) unstable; urgency=medium
 
 * Fix GCC-10 compatibility (Closes: #957605).
diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml
index 557434c..a3b43b1 100644
--- a/debian/gitlab-ci.yml
+++ b/debian/gitlab-ci.yml
@@ -1,8 +1,10 @@
 ---
 include:
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+ - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/bullseye.yml
+
+lintian:
+ allow_failure: true
 
 # Disable reprotest which is failing now
-variables:
- SALSA_CI_DISABLE_REPROTEST: 1
+reprotest:
+ allow_failure: true
diff --git a/debian/modules/http-lua/t/.gitignore b/debian/modules/http-lua/t/.gitignore
deleted file mode 100644
index 3170741..0000000
--- a/debian/modules/http-lua/t/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-servroot
-
diff --git a/debian/modules/http-ndk/.gitignore b/debian/modules/http-ndk/.gitignore
deleted file mode 100644
index 0fd79d0..0000000
--- a/debian/modules/http-ndk/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-tags
-cscope.*
-*~
-*.swp
diff --git a/debian/modules/nchan/src/.gitignore b/debian/modules/nchan/src/.gitignore
deleted file mode 100644
index 67fd4b3..0000000
--- a/debian/modules/nchan/src/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-nginx
-nginx-source
\ No newline at end of file
diff --git a/debian/modules/nchan/src/store/redis/hiredis/.gitignore b/debian/modules/nchan/src/store/redis/hiredis/.gitignore
deleted file mode 100644
index c44b5c5..0000000
--- a/debian/modules/nchan/src/store/redis/hiredis/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-/hiredis-test
-/examples/hiredis-example*
-/*.o
-/*.so
-/*.dylib
-/*.a
-/*.pc
diff --git a/debian/modules/nchan/src/store/redis/redis-lua-scripts/.gitignore b/debian/modules/nchan/src/store/redis/redis-lua-scripts/.gitignore
deleted file mode 100644
index b844b14..0000000
--- a/debian/modules/nchan/src/store/redis/redis-lua-scripts/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-Gemfile.lock
diff --git a/debian/modules/patches/http-lua/bug-994178-segfault.patch b/debian/modules/patches/http-lua/bug-994178-segfault.patch
new file mode 100644
index 0000000..89dee6a
--- /dev/null
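Review bot: The context comment `# Disable reprotest which is failing now` no longer describes the lines below it: the new `reprotest:` / `allow_failure: true` stanza keeps the job running and only tolerates its failure, whereas the removed `SALSA_CI_DISABLE_REPROTEST: 1` variable actually disabled it. I would reword it to `# reprotest is currently failing; keep running it but do not fail the pipeline on it`. The new `lintian:` stanza carries no reason at all; a one-line comment saying why lintian failures are tolerated (and when the exemption should be lifted) would keep real lintian regressions from being silently accepted.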
+++ b/debian/modules/patches/http-lua/bug-994178-segfault.patch @@ -0,0 +1,31 @@ +From: Datong Sun +Date: Wed Jul 18 16:21:09 2018 -0700 +Origin: https://github.com/openresty/lua-nginx-module/commit/e94f2e5d64daa45ff396e262d8dab8e56f5f10e0 +Subject: fixed segfault in NGINX core >= 1.15.0 when init_worker_by_lua* is + used. + +Signed-off-by: Yichun Zhang (agentzh) + +diff --git a/src/ngx_http_lua_initworkerby.c b/src/ngx_http_lua_initworkerby.c +index 4a722a06..2a82fcb9 100644 +--- a/src/ngx_http_lua_initworkerby.c ++++ b/src/ngx_http_lua_initworkerby.c +@@ -25,6 +25,7 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle) + void *cur, *prev; + ngx_uint_t i; + ngx_conf_t conf; ++ ngx_conf_file_t cf_file; + ngx_cycle_t *fake_cycle; + ngx_module_t **modules; + ngx_open_file_t *file, *ofile; +@@ -166,6 +167,10 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle) + conf.pool = fake_cycle->pool; + conf.log = cycle->log; + ++ ngx_memzero(&cf_file, sizeof(cf_file)); ++ cf_file.file.name = cycle->conf_file; ++ conf.conf_file = &cf_file; ++ + http_ctx.loc_conf = ngx_pcalloc(conf.pool, + sizeof(void *) * ngx_http_max_module); + if (http_ctx.loc_conf == NULL) { diff --git a/debian/modules/patches/http-lua/series b/debian/modules/patches/http-lua/series index 1c68a88..61d5c01 100644 --- a/debian/modules/patches/http-lua/series +++ b/debian/modules/patches/http-lua/series @@ -1,2 +1,3 @@ discover-luajit-2.1.patch CVE-2020-11724.patch +bug-994178-segfault.patch diff --git a/debian/patches/CVE-2021-3618.patch b/debian/patches/CVE-2021-3618.patch new file mode 100644 index 0000000..10f37a9 --- /dev/null +++ b/debian/patches/CVE-2021-3618.patch 
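Review bot: The three lines added after `conf.log = cycle->log;` in ngx_http_lua_init_worker have no comment saying why a stub `ngx_conf_file_t` is required, and the hunk itself does not make it obvious. Elsewhere in this commit the mail core module's create-conf handler does `cscf->file_name = cf->conf_file->file.name.data;`, so a `conf` passed with a NULL `conf_file` is dereferenced by such handlers; presumably that is the 1.15.0+ segfault the patch title refers to — confirm against the upstream commit. I would add above the `ngx_memzero(&cf_file, sizeof(cf_file));` line: `/* create_*_conf handlers dereference cf->conf_file->file.name; point the fake conf at a zeroed stub carrying the real config file name */`. `cf_file` is a stack object, so `conf` must not be retained past this function; the function starts and ends outside the hunk.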
@@ -0,0 +1,84 @@ +Subject: Patch mitigation for CVE-2021-3618 + Mail: max_errors directive. + . + Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands + in Exim, specifies the number of errors after which the connection is closed. +Origin: upstream, http://hg.nginx.org/nginx/rev/ec1071830799 +Bug-Debian: https://bugs.debian.org/991328 + +--- a/src/mail/ngx_mail.h ++++ b/src/mail/ngx_mail.h +@@ -115,6 +115,8 @@ + ngx_msec_t timeout; + ngx_msec_t resolver_timeout; + ++ ngx_uint_t max_errors; ++ + ngx_str_t server_name; + + u_char *file_name; +@@ -231,6 +233,7 @@ + ngx_uint_t command; + ngx_array_t args; + ++ ngx_uint_t errors; + ngx_uint_t login_attempt; + + /* used to parse POP3/IMAP/SMTP command */ +--- a/src/mail/ngx_mail_core_module.c ++++ b/src/mail/ngx_mail_core_module.c +@@ -85,6 +85,13 @@ + offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), + NULL }, + ++ { ngx_string("max_errors"), ++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_MAIL_SRV_CONF_OFFSET, ++ offsetof(ngx_mail_core_srv_conf_t, max_errors), ++ NULL }, ++ + ngx_null_command + }; + +@@ -163,6 +170,8 @@ + cscf->timeout = NGX_CONF_UNSET_MSEC; + cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; + ++ cscf->max_errors = NGX_CONF_UNSET_UINT; ++ + cscf->resolver = NGX_CONF_UNSET_PTR; + + cscf->file_name = cf->conf_file->file.name.data; +@@ -182,6 +191,7 @@ + ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, + 30000); + ++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -871,7 +871,20 @@ + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ ++ s->errors++; ++ ++ if (s->errors >= cscf->max_errors) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ 
"client sent too many invalid commands"); ++ s->quit = 1; ++ } ++ ++ return rc; ++ } ++ ++ if (rc == NGX_IMAP_NEXT) { + return rc; + } + diff --git a/debian/patches/CVE-2022-41741_CVE-2022-41742.patch b/debian/patches/CVE-2022-41741_CVE-2022-41742.patch new file mode 100644 index 0000000..cc71fda --- /dev/null +++ b/debian/patches/CVE-2022-41741_CVE-2022-41742.patch 
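Review bot: `s->errors` is incremented and compared against `cscf->max_errors` in the new branch in ngx_mail_handler.c, but nothing in the hunk ever resets it, so the limit is a per-connection lifetime count rather than a count of consecutive errors; that matches the `smtpd_hard_error_limit` semantics cited in the header, but neither the new field in ngx_mail.h nor the merge default says so. I would annotate the field as `ngx_uint_t errors;  /* invalid commands seen on this session; never reset */` and the merge line with `/* default 5; a configured 0 closes on the first invalid command */`, since with `max_errors` 0 the `>=` test is true on the first increment. The branch also assumes `s->errors` starts at zero, presumably because the session struct is zero-allocated — confirm. The enclosing function in ngx_mail_handler.c starts and ends outside the hunk.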
@@ -0,0 +1,308 @@ +From 6b022a5556af22b6e18532e547a6ae46b0d8c6ea Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Wed, 19 Oct 2022 10:53:17 +0300 +Subject: [PATCH] Mp4: disabled duplicate atoms. + +Most atoms should not appear more than once in a container. Previously, +this was not enforced by the module, which could result in worker process +crash, memory corruption and disclosure. +--- + src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++ + 1 file changed, 147 insertions(+) + +--- nginx-1.18.0.orig/src/http/modules/ngx_http_mp4_module.c ++++ nginx-1.18.0/src/http/modules/ngx_http_mp4_module.c +@@ -1076,6 +1076,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4 + return NGX_ERROR; + } + ++ if (mp4->ftyp_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + ftyp_atom = ngx_palloc(mp4->request->pool, atom_size); +@@ -1134,6 +1140,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4 + return NGX_DECLINED; + } + ++ if (mp4->moov_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module); + + if (atom_data_size > mp4->buffer_size) { +@@ -1201,6 +1213,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4 + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom"); + ++ if (mp4->mdat_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + data = &mp4->mdat_data_buf; + data->file = &mp4->file; + data->in_file = 1; +@@ -1327,6 +1345,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4 + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom"); + ++ if (mp4->mvhd_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, 
mp4->file.log, 0, ++ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_header = ngx_mp4_atom_header(mp4); + mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header; + mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header; +@@ -1592,6 +1616,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4 + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->tkhd_size = atom_size; + + ngx_mp4_set_32value(tkhd_atom->size, atom_size); +@@ -1630,6 +1661,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->mdia_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1753,6 +1790,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4 + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->mdhd_size = atom_size; + trak->timescale = timescale; + +@@ -1795,6 +1839,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->hdlr_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1823,6 +1873,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if 
(trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->minf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1866,6 +1922,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->vmhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1897,6 +1962,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->smhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1928,6 +2002,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->dinf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1956,6 +2036,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stbl_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2024,6 +2110,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) 
{ ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stsd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2092,6 +2184,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4 + atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->time_to_sample_entries = entries; + + atom = &trak->stts_atom_buf; +@@ -2297,6 +2396,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4 + "sync sample entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sync_samples_entries = entries; + + atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t); +@@ -2495,6 +2601,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4 + "composition offset entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->composition_offset_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t); +@@ -2698,6 +2811,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4 + atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_to_chunk_entries = entries; + + atom = &trak->stsc_atom_buf; +@@ -3030,6 +3150,13 @@ 
ngx_http_mp4_read_stsz_atom(ngx_http_mp4 + "sample uniform size:%uD, entries:%uD", size, entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_sizes_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t); +@@ -3213,6 +3340,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4 + atom_end = atom_table + entries * sizeof(uint32_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->stco_atom_buf; +@@ -3419,6 +3556,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4 + atom_end = atom_table + entries * sizeof(uint64_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->co64_atom_buf; diff --git a/debian/patches/CVE-2024-7347-1.patch b/debian/patches/CVE-2024-7347-1.patch new file mode 100644 index 0000000..0fbbefd --- /dev/null +++ b/debian/patches/CVE-2024-7347-1.patch 
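Review bot: The paired checks in ngx_http_mp4_read_stco_atom and ngx_http_mp4_read_co64_atom (and likewise in the vmhd/smhd readers) reject the other member of the pair as well as a repeat of the same atom, but no comment says why, and the reason only appears when both readers are read together: both assign `trak->chunks = entries;`, so accepting one of each would let the second silently overwrite the first's bookkeeping while two output buffers stay queued. I would add above each paired check: `/* stco and co64 are alternatives and both set trak->chunks; accept at most one per trak */` (and the vmhd/smhd equivalent). The checks also presume every reader records its buffer in `trak->out[...]` or `mp4->*_atom.buf` on success, which happens outside the visible lines — confirm for each atom listed, since a reader that stores elsewhere would leave its duplicate undetected. All of the enclosing reader functions start and end outside the hunk.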
@@ -0,0 +1,49 @@ +From: Roman Arutyunyan +Date: Mon, 12 Aug 2024 18:20:43 +0400 +Subject: Mp4: fixed buffer underread while updating stsz atom. + +While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer +overflow could happen, which could result in incorrect seeking and a very large +value stored in "samples". This resulted in a large invalid value of +trak->end_chunk_samples. This value is further used to calculate the value of +trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing +this, a large invalid value of trak->end_chunk_samples could result in reading +memory before stsz atom start. This could potentially result in a segfault. + +Origin: upstream, https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4 +--- + src/http/modules/ngx_http_mp4_module.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 4893f59..850949c 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -2915,7 +2915,8 @@ static ngx_int_t + ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + ngx_http_mp4_trak_t *trak, ngx_uint_t start) + { +- uint32_t start_sample, chunk, samples, id, next_chunk, n, ++ uint64_t n; ++ uint32_t start_sample, chunk, samples, id, next_chunk, + prev_samples; + ngx_buf_t *data, *buf; + ngx_uint_t entries, target_chunk, chunk_samples; +@@ -2976,7 +2977,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + "samples:%uD, id:%uD", + start_sample, chunk, next_chunk - chunk, samples, id); + +- n = (next_chunk - chunk) * samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample < n) { + goto found; +@@ -2998,7 +2999,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD", + start_sample, chunk, next_chunk - chunk, samples); + +- n = (next_chunk - chunk) * 
samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample > n) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, diff --git a/debian/patches/CVE-2024-7347-2.patch b/debian/patches/CVE-2024-7347-2.patch new file mode 100644 index 0000000..7ea27a2 --- /dev/null +++ b/debian/patches/CVE-2024-7347-2.patch @@ -0,0 +1,31 @@ +From: Roman Arutyunyan +Date: Mon, 12 Aug 2024 18:20:45 +0400 +Subject: Mp4: rejecting unordered chunks in stsc atom. + +Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk +in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() +this caused buffer overread while trying to calculate trak->end_offset. + +Origin: upstream, https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f +--- + src/http/modules/ngx_http_mp4_module.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 460d091..dfada7c 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -3155,6 +3155,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + + next_chunk = ngx_mp4_get_32value(entry->chunk); + ++ if (next_chunk < chunk) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "unordered mp4 stsc chunks in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, + "sample:%uD, chunk:%uD, chunks:%uD, " + "samples:%uD, id:%uD", diff --git a/debian/patches/CVE-2025-23419.patch b/debian/patches/CVE-2025-23419.patch new file mode 100644 index 0000000..9dd07db --- /dev/null +++ b/debian/patches/CVE-2025-23419.patch 
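Review bot: Widening `n` to `uint64_t` in ngx_http_mp4_crop_stsc_data removes the multiplication overflow, but `next_chunk - chunk` on the same two lines is still a `uint32_t` subtraction that wraps when `next_chunk < chunk`, so CVE-2024-7347-1 alone can still produce a huge `n` and a wrong `found` decision. The companion CVE-2024-7347-2 hunk on this page adds the `if (next_chunk < chunk)` rejection ahead of the first of those lines, so the two patches are only correct together; `debian/patches/series` lists both in that order, which is what makes this safe, and I would record that in the -1 header, e.g. `Must be applied together with CVE-2024-7347-2.patch, which rejects unordered stsc chunks.`. The second `n =` site, after the entry loop, is not covered by that check; presumably its `next_chunk` comes from the trak's chunk count rather than from the table — confirm that it cannot be smaller than `chunk` either. -2's hunk header is at line 3155 whereas -1 touches lines 2977–2999 of the same function, presumably from different upstream bases, so quilt will apply it with an offset; the function's signature is in the -1 hunk but its body ends outside both hunks.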
@@ -0,0 +1,70 @@ +From: Sergey Kandaurov +Date: Wed, 22 Jan 2025 18:55:44 +0400 +Subject: SNI: added restriction for TLSv1.3 cross-SNI session resumption. + +In OpenSSL, session resumption always happens in the default SSL context, +prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older +protocols, SSL_get_servername() returns values received in the resumption +handshake, which may be different from the value in the initial handshake. +Notably, this makes the restriction added in b720f650b insufficient for +sessions resumed with different SNI server name. + +Considering the example from b720f650b, previously, a client was able to +request example.org by presenting a certificate for example.org, then to +resume and request example.com. + +The fix is to reject handshakes resumed with a different server name, if +verification of client certificates is enabled in a corresponding server +configuration. + +(partially cherry picked from commit 13935cf9fdc3c8d8278c70716417d3b71c36140e) + +Origin: backport, https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e +--- + src/http/ngx_http_request.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c +index eb53996..11c341c 100644 +--- a/src/http/ngx_http_request.c ++++ b/src/http/ngx_http_request.c +@@ -913,6 +913,30 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + return SSL_TLSEXT_ERR_OK; + } + ++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); ++ ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = 
SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); + if (hc->ssl_servername == NULL) { + *ad = SSL_AD_INTERNAL_ERROR; +@@ -927,8 +951,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + + ngx_set_connection_log(c, clcf->error_log); + +- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); +- + c->ssl->buffer_size = sscf->buffer_size; + + if (sscf->ssl.ctx) { diff --git a/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch b/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch new file mode 100644 index 0000000..7b3f4a7 --- /dev/null +++ b/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch @@ -0,0 +1,39 @@ +From: Maxim Dounin +Date: Tue, 25 May 2021 15:17:36 +0300 +Subject: Resolver: fixed off-by-one write in ngx_resolver_copy(). +Origin: https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf +Bug-Debian: https://bugs.debian.org/989095 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-23017 + +Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH. +--- + src/core/ngx_resolver.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index 793907010278..63b26193df4f 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -4008,15 +4008,15 @@ done: + n = *src++; + + } else { ++ if (dst != name->data) { ++ *dst++ = '.'; ++ } ++ + ngx_strlow(dst, src, n); + dst += n; + src += n; + + n = *src++; +- +- if (n != 0) { +- *dst++ = '.'; +- } + } + + if (n == 0) { +-- +2.31.1 + diff --git a/debian/patches/series b/debian/patches/series index b221db7..a3a0273 100644 
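Review bot: The new resumption check in ngx_http_ssl_servername skips the comparison when `SSL_SESSION_get0_hostname()` returns NULL, i.e. when the session being resumed was established without SNI; such a session can still be resumed under any server name even with `sscf->verify` set, and the hunk does not say whether that is intended (presumably a no-SNI session belongs to the default server, which the b720f650b restriction already covers — confirm). A comment at the `hostname != NULL` test, e.g. `/* NULL: the original handshake sent no SNI; that case is left to the default-server restriction */`, would record the decision. The backport also takes `sscf` from `cscf->ctx` instead of `hc->conf_ctx`; that is equivalent only if the two are the same context at this point, which the lines between the two hunks presumably establish — confirm. The function starts and ends outside both hunks.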
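Review bot: The reordered label copy in ngx_resolver_copy() has no comment stating the invariant it now relies on: the `.` separator is written before every label except the first (`dst != name->data`), so the final label never leaves an extra byte past the sized buffer, which is the off-by-one the header describes. I would add above the new `if`: `/* separator precedes each label after the first; writing it after a label could overrun the buffer by one */`. The length byte `n = *src++` is consumed without a visible bound against the end of the message in these lines; that is presumably handled in the part of the loop outside the hunk — confirm. The enclosing loop and function start and end outside the hunk.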
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,9 @@
 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 CVE-2019-20372.patch
+Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
+CVE-2021-3618.patch
+CVE-2022-41741_CVE-2022-41742.patch
+CVE-2025-23419.patch
+CVE-2024-7347-1.patch
+CVE-2024-7347-2.patch