From c8824ac4cc7248c79eedd316f12d8049be71313f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Nov=C3=BD?= Date: Thu, 24 Mar 2022 10:10:15 +0100 Subject: [PATCH 1/4] releasing package nginx version 1.18.0-6.1 --- debian/changelog | 8 ++++ debian/modules/http-lua/t/.gitignore | 2 - debian/modules/http-ndk/.gitignore | 4 -- debian/modules/nchan/src/.gitignore | 2 - .../nchan/src/store/redis/hiredis/.gitignore | 7 ---- .../store/redis/redis-lua-scripts/.gitignore | 1 - ...ff-by-one-write-in-ngx_resolver_copy.patch | 39 +++++++++++++++++++ debian/patches/series | 1 + 8 files changed, 48 insertions(+), 16 deletions(-) delete mode 100644 debian/modules/http-lua/t/.gitignore delete mode 100644 debian/modules/http-ndk/.gitignore delete mode 100644 debian/modules/nchan/src/.gitignore delete mode 100644 debian/modules/nchan/src/store/redis/hiredis/.gitignore delete mode 100644 debian/modules/nchan/src/store/redis/redis-lua-scripts/.gitignore create mode 100644 debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch diff --git a/debian/changelog b/debian/changelog index 266e3ea..5fc2a4e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +nginx (1.18.0-6.1) unstable; urgency=high + + * Non-maintainer upload. + * Resolver: fixed off-by-one write in ngx_resolver_copy() (CVE-2021-23017) + (Closes: #989095) + + -- Salvatore Bonaccorso Sat, 29 May 2021 16:21:37 +0200 + nginx (1.18.0-6) unstable; urgency=medium * Fix GCC-10 compatibility (Closes: #957605). diff --git a/debian/modules/http-lua/t/.gitignore b/debian/modules/http-lua/t/.gitignore deleted file mode 100644 index 3170741..0000000 --- a/debian/modules/http-lua/t/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -servroot - diff --git a/debian/modules/http-ndk/.gitignore b/debian/modules/http-ndk/.gitignore deleted file mode 100644 index 0fd79d0..0000000 --- a/debian/modules/http-ndk/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -tags -cscope.* -*~ -*.swp diff --git a/debian/modules/nchan/src/.gitignore b/debian/modules/nchan/src/.gitignore deleted file mode 100644 index 67fd4b3..0000000 --- a/debian/modules/nchan/src/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -nginx -nginx-source \ No newline at end of file diff --git a/debian/modules/nchan/src/store/redis/hiredis/.gitignore b/debian/modules/nchan/src/store/redis/hiredis/.gitignore deleted file mode 100644 index c44b5c5..0000000 --- a/debian/modules/nchan/src/store/redis/hiredis/.gitignore +++ /dev/null @@ -1,7 +0,0 @@ -/hiredis-test -/examples/hiredis-example* -/*.o -/*.so -/*.dylib -/*.a -/*.pc diff --git a/debian/modules/nchan/src/store/redis/redis-lua-scripts/.gitignore b/debian/modules/nchan/src/store/redis/redis-lua-scripts/.gitignore deleted file mode 100644 index b844b14..0000000 --- a/debian/modules/nchan/src/store/redis/redis-lua-scripts/.gitignore +++ /dev/null @@ -1 +0,0 @@ -Gemfile.lock diff --git a/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch b/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch new file mode 100644 index 0000000..7b3f4a7 --- /dev/null +++ b/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch @@ -0,0 +1,39 @@ +From: Maxim Dounin +Date: Tue, 25 May 2021 15:17:36 +0300 +Subject: Resolver: fixed off-by-one write in ngx_resolver_copy(). +Origin: https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf +Bug-Debian: https://bugs.debian.org/989095 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-23017 + +Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH. +--- + src/core/ngx_resolver.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index 793907010278..63b26193df4f 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -4008,15 +4008,15 @@ done: + n = *src++; + + } else { ++ if (dst != name->data) { ++ *dst++ = '.'; ++ } ++ + ngx_strlow(dst, src, n); + dst += n; + src += n; + + n = *src++; +- +- if (n != 0) { +- *dst++ = '.'; +- } + } + + if (n == 0) { +-- +2.31.1 + diff --git a/debian/patches/series b/debian/patches/series index b221db7..da61d80 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch 0003-define_gnu_source-on-other-glibc-based-platforms.patch CVE-2019-20372.patch +Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch From 2c27f48e5e667aa2b984cd30d3e19ee3a89b2650 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Nov=C3=BD?= Date: Thu, 24 Mar 2022 10:11:56 +0100 Subject: [PATCH 2/4] Backport upstream bugfix for segfault in nginx core >= 1.15.0 when libnginx-mod-http-lua is loaded and init_worker_by_lua* is used. (Closes: #994178) --- debian/changelog | 8 +++++ .../http-lua/bug-994178-segfault.patch | 31 +++++++++++++++++++ debian/modules/patches/http-lua/series | 1 + 3 files changed, 40 insertions(+) create mode 100644 debian/modules/patches/http-lua/bug-994178-segfault.patch diff --git a/debian/changelog b/debian/changelog index 5fc2a4e..84c02b3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium + + * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when + libnginx-mod-http-lua is loaded and init_worker_by_lua* is used. + (Closes: #994178) + + -- Jan Mojžíš Tue, 15 Mar 2022 21:36:18 +0100 + nginx (1.18.0-6.1) unstable; urgency=high * Non-maintainer upload. diff --git a/debian/modules/patches/http-lua/bug-994178-segfault.patch b/debian/modules/patches/http-lua/bug-994178-segfault.patch new file mode 100644 index 0000000..89dee6a --- /dev/null +++ b/debian/modules/patches/http-lua/bug-994178-segfault.patch @@ -0,0 +1,31 @@ +From: Datong Sun +Date: Wed Jul 18 16:21:09 2018 -0700 +Origin: https://github.com/openresty/lua-nginx-module/commit/e94f2e5d64daa45ff396e262d8dab8e56f5f10e0 +Subject: fixed segfault in NGINX core >= 1.15.0 when init_worker_by_lua* is + used. + +Signed-off-by: Yichun Zhang (agentzh) + +diff --git a/src/ngx_http_lua_initworkerby.c b/src/ngx_http_lua_initworkerby.c +index 4a722a06..2a82fcb9 100644 +--- a/src/ngx_http_lua_initworkerby.c ++++ b/src/ngx_http_lua_initworkerby.c +@@ -25,6 +25,7 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle) + void *cur, *prev; + ngx_uint_t i; + ngx_conf_t conf; ++ ngx_conf_file_t cf_file; + ngx_cycle_t *fake_cycle; + ngx_module_t **modules; + ngx_open_file_t *file, *ofile; +@@ -166,6 +167,10 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle) + conf.pool = fake_cycle->pool; + conf.log = cycle->log; + ++ ngx_memzero(&cf_file, sizeof(cf_file)); ++ cf_file.file.name = cycle->conf_file; ++ conf.conf_file = &cf_file; ++ + http_ctx.loc_conf = ngx_pcalloc(conf.pool, + sizeof(void *) * ngx_http_max_module); + if (http_ctx.loc_conf == NULL) { diff --git a/debian/modules/patches/http-lua/series b/debian/modules/patches/http-lua/series index 1c68a88..61d5c01 100644 --- a/debian/modules/patches/http-lua/series +++ b/debian/modules/patches/http-lua/series @@ -1,2 +1,3 @@ discover-luajit-2.1.patch CVE-2020-11724.patch +bug-994178-segfault.patch From 1d4be75eac403f12f0ca25d77deb58fe400540db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Moj=C5=BE=C3=AD=C5=A1?= Date: Sun, 29 May 2022 11:26:11 +0200 Subject: [PATCH 3/4] CVE-2021-3618 fix Include upstream changeset from NGINX that adds mitigations into the Mail module for CVE-2021-3618.patch. --- debian/changelog | 8 +++ debian/patches/CVE-2021-3618.patch | 84 ++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 93 insertions(+) create mode 100644 debian/patches/CVE-2021-3618.patch diff --git a/debian/changelog b/debian/changelog index 84c02b3..a13e1e8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +nginx (1.18.0-6.1+deb11u2) bullseye; urgency=medium + + * d/patches/CVE-2021-3618.patch: Include upstream changeset from NGINX + that adds mitigations into the Mail module for CVE-2021-3618.patch. + (Closes: #991328) + + -- Jan Mojžíš Sat, 14 May 2022 08:27:08 +0200 + nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when diff --git a/debian/patches/CVE-2021-3618.patch b/debian/patches/CVE-2021-3618.patch new file mode 100644 index 0000000..10f37a9 --- /dev/null +++ b/debian/patches/CVE-2021-3618.patch @@ -0,0 +1,84 @@ +Subject: Patch mitigation for CVE-2021-3618 + Mail: max_errors directive. + . + Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands + in Exim, specifies the number of errors after which the connection is closed. +Origin: upstream, http://hg.nginx.org/nginx/rev/ec1071830799 +Bug-Debian: https://bugs.debian.org/991328 + +--- a/src/mail/ngx_mail.h ++++ b/src/mail/ngx_mail.h +@@ -115,6 +115,8 @@ + ngx_msec_t timeout; + ngx_msec_t resolver_timeout; + ++ ngx_uint_t max_errors; ++ + ngx_str_t server_name; + + u_char *file_name; +@@ -231,6 +233,7 @@ + ngx_uint_t command; + ngx_array_t args; + ++ ngx_uint_t errors; + ngx_uint_t login_attempt; + + /* used to parse POP3/IMAP/SMTP command */ +--- a/src/mail/ngx_mail_core_module.c ++++ b/src/mail/ngx_mail_core_module.c +@@ -85,6 +85,13 @@ + offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), + NULL }, + ++ { ngx_string("max_errors"), ++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_MAIL_SRV_CONF_OFFSET, ++ offsetof(ngx_mail_core_srv_conf_t, max_errors), ++ NULL }, ++ + ngx_null_command + }; + +@@ -163,6 +170,8 @@ + cscf->timeout = NGX_CONF_UNSET_MSEC; + cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; + ++ cscf->max_errors = NGX_CONF_UNSET_UINT; ++ + cscf->resolver = NGX_CONF_UNSET_PTR; + + cscf->file_name = cf->conf_file->file.name.data; +@@ -182,6 +191,7 @@ + ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, + 30000); + ++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -871,7 +871,20 @@ + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ ++ s->errors++; ++ ++ if (s->errors >= cscf->max_errors) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ "client sent too many invalid commands"); ++ s->quit = 1; ++ } ++ ++ return rc; ++ } ++ ++ if (rc == NGX_IMAP_NEXT) { + return rc; + } + diff --git a/debian/patches/series b/debian/patches/series index da61d80..ba47a7e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ 0003-define_gnu_source-on-other-glibc-based-platforms.patch CVE-2019-20372.patch Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch +CVE-2021-3618.patch From 77dc39215cc45e6dc6bd6405f0aacb454a08ed92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Moj=C5=BE=C3=AD=C5=A1?= Date: Sat, 26 Nov 2022 18:28:40 +0100 Subject: [PATCH 4/4] update to bullseye-security version 1.18.0-6.1+deb11u3 CVE-2022-41741 CVE-2022-41742 --- debian/changelog | 6 + .../CVE-2022-41741_CVE-2022-41742.patch | 308 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 315 insertions(+) create mode 100644 debian/patches/CVE-2022-41741_CVE-2022-41742.patch diff --git a/debian/changelog b/debian/changelog index a13e1e8..9cacb14 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +nginx (1.18.0-6.1+deb11u3) bullseye-security; urgency=medium + + * CVE-2022-41741 / CVE-2022-41742 + + -- Moritz Muehlenhoff Fri, 11 Nov 2022 15:14:18 +0000 + nginx (1.18.0-6.1+deb11u2) bullseye; urgency=medium * d/patches/CVE-2021-3618.patch: Include upstream changeset from NGINX diff --git a/debian/patches/CVE-2022-41741_CVE-2022-41742.patch b/debian/patches/CVE-2022-41741_CVE-2022-41742.patch new file mode 100644 index 0000000..cc71fda --- /dev/null +++ b/debian/patches/CVE-2022-41741_CVE-2022-41742.patch @@ -0,0 +1,308 @@ +From 6b022a5556af22b6e18532e547a6ae46b0d8c6ea Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Wed, 19 Oct 2022 10:53:17 +0300 +Subject: [PATCH] Mp4: disabled duplicate atoms. + +Most atoms should not appear more than once in a container. Previously, +this was not enforced by the module, which could result in worker process +crash, memory corruption and disclosure. +--- + src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++ + 1 file changed, 147 insertions(+) + +--- nginx-1.18.0.orig/src/http/modules/ngx_http_mp4_module.c ++++ nginx-1.18.0/src/http/modules/ngx_http_mp4_module.c +@@ -1076,6 +1076,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4 + return NGX_ERROR; + } + ++ if (mp4->ftyp_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + ftyp_atom = ngx_palloc(mp4->request->pool, atom_size); +@@ -1134,6 +1140,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4 + return NGX_DECLINED; + } + ++ if (mp4->moov_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module); + + if (atom_data_size > mp4->buffer_size) { +@@ -1201,6 +1213,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4 + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom"); + ++ if (mp4->mdat_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + data = &mp4->mdat_data_buf; + data->file = &mp4->file; + data->in_file = 1; +@@ -1327,6 +1345,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4 + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom"); + ++ if (mp4->mvhd_atom.buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom_header = ngx_mp4_atom_header(mp4); + mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header; + mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header; +@@ -1592,6 +1616,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4 + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->tkhd_size = atom_size; + + ngx_mp4_set_32value(tkhd_atom->size, atom_size); +@@ -1630,6 +1661,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->mdia_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1753,6 +1790,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4 + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size; + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->mdhd_size = atom_size; + trak->timescale = timescale; + +@@ -1795,6 +1839,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->hdlr_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1823,6 +1873,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->minf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1866,6 +1922,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->vmhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1897,6 +1962,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 vmhd/smhd atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->smhd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1928,6 +2002,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->dinf_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -1956,6 +2036,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stbl_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2024,6 +2110,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4 + + trak = ngx_mp4_last_trak(mp4); + ++ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + atom = &trak->stsd_atom_buf; + atom->temporary = 1; + atom->pos = atom_header; +@@ -2092,6 +2184,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4 + atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->time_to_sample_entries = entries; + + atom = &trak->stts_atom_buf; +@@ -2297,6 +2396,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4 + "sync sample entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sync_samples_entries = entries; + + atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t); +@@ -2495,6 +2601,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4 + "composition offset entries:%uD", entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->composition_offset_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t); +@@ -2698,6 +2811,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4 + atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_to_chunk_entries = entries; + + atom = &trak->stsc_atom_buf; +@@ -3030,6 +3150,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4 + "sample uniform size:%uD, entries:%uD", size, entries); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->sample_sizes_entries = entries; + + atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t); +@@ -3213,6 +3340,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4 + atom_end = atom_table + entries * sizeof(uint32_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->stco_atom_buf; +@@ -3419,6 +3556,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4 + atom_end = atom_table + entries * sizeof(uint64_t); + + trak = ngx_mp4_last_trak(mp4); ++ ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) ++ { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "duplicate mp4 stco/co64 atom in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + trak->chunks = entries; + + atom = &trak->co64_atom_buf; diff --git a/debian/patches/series b/debian/patches/series index ba47a7e..f9dd558 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ CVE-2019-20372.patch Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch CVE-2021-3618.patch +CVE-2022-41741_CVE-2022-41742.patch