Import Debian changes 1.22.1-9+deb12u2

nginx (1.22.1-9+deb12u2) bookworm; urgency=medium . * Non-maintainer upload by the LTS Team. * Add upstream patches for CVE-2024-7347: - mp4: fix buffer underread while updating stsz atom - mp4: reject unordered chunks in stsc atom
release nginx 1.22.1-9+deb12u1, upload to bookworm pu
2025-05-21 09:27:16 +02:00 · 2025-03-06 07:11:13 +01:00
5 changed files with 168 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,18 @@
+nginx (1.22.1-9+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * Add upstream patches for CVE-2024-7347:
+    - mp4: fix buffer underread while updating stsz atom
+    - mp4: reject unordered chunks in stsc atom
+
+ -- Andrej Shadura <andrewsh@debian.org>  Wed, 12 Mar 2025 18:55:08 +0100
+
+nginx (1.22.1-9+deb12u1) bookworm; urgency=medium
+
+  * d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.
+
+ -- Jan Mojžíš <janmojzis@debian.org>  Mon, 17 Feb 2025 20:40:29 +0100
+
 nginx (1.22.1-9) unstable; urgency=medium

  * d/control: nginx-common Breaks+Replaces: nginx (<< 1.22.1-8)
--- a/debian/patches/CVE-2024-7347-1.patch
+++ b/debian/patches/CVE-2024-7347-1.patch
@ -0,0 +1,49 @@
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Mon, 12 Aug 2024 18:20:43 +0400
+Subject: Mp4: fixed buffer underread while updating stsz atom.
+
+While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer
+overflow could happen, which could result in incorrect seeking and a very large
+value stored in "samples".  This resulted in a large invalid value of
+trak->end_chunk_samples.  This value is further used to calculate the value of
+trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom().  While doing
+this, a large invalid value of trak->end_chunk_samples could result in reading
+memory before stsz atom start.  This could potentially result in a segfault.
+
+Origin: upstream, https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4
+---
+ src/http/modules/ngx_http_mp4_module.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 4eff01e..460d091 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3098,7 +3098,8 @@ static ngx_int_t
+ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+     ngx_http_mp4_trak_t *trak, ngx_uint_t start)
+ {
+-    uint32_t               start_sample, chunk, samples, id, next_chunk, n,
+    uint64_t               n;
+    uint32_t               start_sample, chunk, samples, id, next_chunk,
+                            prev_samples;
+     ngx_buf_t             *data, *buf;
+     ngx_uint_t             entries, target_chunk, chunk_samples;
+@@ -3159,7 +3160,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+                        "samples:%uD, id:%uD",
+                        start_sample, chunk, next_chunk - chunk, samples, id);
+ 
+-        n = (next_chunk - chunk) * samples;
+        n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+         if (start_sample < n) {
+             goto found;
+@@ -3181,7 +3182,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+                    "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
+                    start_sample, chunk, next_chunk - chunk, samples);
+ 
+-    n = (next_chunk - chunk) * samples;
+    n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+     if (start_sample > n) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
--- a/debian/patches/CVE-2024-7347-2.patch
+++ b/debian/patches/CVE-2024-7347-2.patch
@ -0,0 +1,31 @@
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Mon, 12 Aug 2024 18:20:45 +0400
+Subject: Mp4: rejecting unordered chunks in stsc atom.
+
+Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
+in ngx_http_mp4_crop_stsc_data().  Later in ngx_http_mp4_update_stco_atom()
+this caused buffer overread while trying to calculate trak->end_offset.
+
+Origin: upstream, https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f
+---
+ src/http/modules/ngx_http_mp4_module.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 460d091..dfada7c 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3155,6 +3155,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+ 
+         next_chunk = ngx_mp4_get_32value(entry->chunk);
+ 
+        if (next_chunk < chunk) {
+            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                          "unordered mp4 stsc chunks in \"%s\"",
+                          mp4->file.name.data);
+            return NGX_ERROR;
+        }
+
+         ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
+                        "sample:%uD, chunk:%uD, chunks:%uD, "
+                        "samples:%uD, id:%uD",
--- a/debian/patches/CVE-2025-23419.patch
+++ b/debian/patches/CVE-2025-23419.patch
@ -0,0 +1,70 @@
+From: =?utf-8?b?SmFuIE1vasW+w63FoQ==?= <jan.mojzis@gmail.com>
+Date: Mon, 17 Feb 2025 20:39:22 +0100
+Subject: CVE-2025-23419
+Origin: https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e
+
+SNI: added restriction for TLSv1.3 cross-SNI session resumption.
+In OpenSSL, session resumption always happens in the default SSL context,
+prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
+protocols, SSL_get_servername() returns values received in the resumption
+handshake, which may be different from the value in the initial handshake.
+Notably, this makes the restriction added in b720f65 insufficient for
+sessions resumed with different SNI server name.
+
+Considering the example from b720f65, previously, a client was able to
+request example.org by presenting a certificate for example.org, then to
+resume and request example.com.
+
+The fix is to reject handshakes resumed with a different server name, if
+verification of client certificates is enabled in a corresponding server
+configuration.
+
+---
+ src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index a999ff5..4708719 100644
+--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
+@@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+
+    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION                                                   \
+     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+
+    /*
+     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+     * but servername being negotiated in every TLSv1.3 handshake
+     * is only returned in OpenSSL 1.1.1+ as well
+     */
+
+    if (sscf->verify) {
+        const char  *hostname;
+
+        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+            c->ssl->handshake_rejected = 1;
+            *ad = SSL_AD_ACCESS_DENIED;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+    }
+
+#endif
+
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -922,8 +947,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+
+     ngx_set_connection_log(c, clcf->error_log);
+
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+
+     if (sscf->ssl.ctx) {
--- a/debian/patches/series
+++ b/debian/patches/series
@ -3,3 +3,6 @@ nginx-fix-pidfile.patch
 nginx-ssl_cert_cb_yield.patch
 bug-1024605.patch
 bug-973861.patch
+CVE-2025-23419.patch
+CVE-2024-7347-1.patch
+CVE-2024-7347-2.patch