diff options
author | Joe Slater <joe.slater@windriver.com> | 2021-08-19 14:25:18 -0700 |
---|---|---|
committer | Armin Kuster <akuster@mvista.com> | 2021-08-21 12:16:49 -0700 |
commit | 4a0d93d250576177e1237fa559f55c4f9d371809 (patch) | |
tree | 677c48699a21753105b178268ba9e2c4643047c2 | |
parent | a64eec177151a7076a2fd6937e4abdb8e2264a59 (diff) | |
download | meta-openembedded-4a0d93d250576177e1237fa559f55c4f9d371809.tar.gz |
nginx: fix CVE-2021-3618
Source: meta-openembedded.ort
MR: 112731
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/nginx?id=f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5
ChangeID: dd3295b606d73e01dd09291d85d529dea17a1a9e
Description:
Backport with no change a patch from version 1.21.0. This patch
was not cherry-picked by nginx to version 1.20.1.
Information about this CVE comes from
https://ubuntu.com/security/CVE-2021-3618.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5)
[refesh patch for Dunfell context]
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- | meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch | 89 | ||||
-rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx.inc | 1 |
2 files changed, 90 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch new file mode 100644 index 000000000..3fab8bac6 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch | |||
@@ -0,0 +1,89 @@ | |||
1 | From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001 | ||
2 | From: Maxim Dounin <mdounin@mdounin.ru> | ||
3 | Date: Wed, 19 May 2021 03:13:31 +0300 | ||
4 | Subject: [PATCH 1/1] Mail: max_errors directive. | ||
5 | |||
6 | Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands | ||
7 | in Exim, specifies the number of errors after which the connection is closed. | ||
8 | Index: nginx-1.16.1/src/mail/ngx_mail.h | ||
9 | =================================================================== | ||
10 | --- nginx-1.16.1.orig/src/mail/ngx_mail.h | ||
11 | +++ nginx-1.16.1/src/mail/ngx_mail.h | ||
12 | @@ -113,6 +113,8 @@ typedef struct { | ||
13 | ngx_msec_t timeout; | ||
14 | ngx_msec_t resolver_timeout; | ||
15 | |||
16 | + ngx_uint_t max_errors; | ||
17 | + | ||
18 | ngx_str_t server_name; | ||
19 | |||
20 | u_char *file_name; | ||
21 | @@ -225,6 +227,7 @@ typedef struct { | ||
22 | ngx_uint_t command; | ||
23 | ngx_array_t args; | ||
24 | |||
25 | + ngx_uint_t errors; | ||
26 | ngx_uint_t login_attempt; | ||
27 | |||
28 | /* used to parse POP3/IMAP/SMTP command */ | ||
29 | Index: nginx-1.16.1/src/mail/ngx_mail_core_module.c | ||
30 | =================================================================== | ||
31 | --- nginx-1.16.1.orig/src/mail/ngx_mail_core_module.c | ||
32 | +++ nginx-1.16.1/src/mail/ngx_mail_core_module.c | ||
33 | @@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_comm | ||
34 | offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), | ||
35 | NULL }, | ||
36 | |||
37 | + { ngx_string("max_errors"), | ||
38 | + NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, | ||
39 | + ngx_conf_set_num_slot, | ||
40 | + NGX_MAIL_SRV_CONF_OFFSET, | ||
41 | + offsetof(ngx_mail_core_srv_conf_t, max_errors), | ||
42 | + NULL }, | ||
43 | + | ||
44 | ngx_null_command | ||
45 | }; | ||
46 | |||
47 | @@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t | ||
48 | cscf->timeout = NGX_CONF_UNSET_MSEC; | ||
49 | cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; | ||
50 | |||
51 | + cscf->max_errors = NGX_CONF_UNSET_UINT; | ||
52 | + | ||
53 | cscf->resolver = NGX_CONF_UNSET_PTR; | ||
54 | |||
55 | cscf->file_name = cf->conf_file->file.name.data; | ||
56 | @@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t | ||
57 | ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, | ||
58 | 30000); | ||
59 | |||
60 | + ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); | ||
61 | |||
62 | ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); | ||
63 | |||
64 | Index: nginx-1.16.1/src/mail/ngx_mail_handler.c | ||
65 | =================================================================== | ||
66 | --- nginx-1.16.1.orig/src/mail/ngx_mail_handler.c | ||
67 | +++ nginx-1.16.1/src/mail/ngx_mail_handler.c | ||
68 | @@ -753,7 +753,20 @@ ngx_mail_read_command(ngx_mail_session_t | ||
69 | return NGX_MAIL_PARSE_INVALID_COMMAND; | ||
70 | } | ||
71 | |||
72 | - if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { | ||
73 | + if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { | ||
74 | + | ||
75 | + s->errors++; | ||
76 | + | ||
77 | + if (s->errors >= cscf->max_errors) { | ||
78 | + ngx_log_error(NGX_LOG_INFO, c->log, 0, | ||
79 | + "client sent too many invalid commands"); | ||
80 | + s->quit = 1; | ||
81 | + } | ||
82 | + | ||
83 | + return rc; | ||
84 | + } | ||
85 | + | ||
86 | + if (rc == NGX_IMAP_NEXT) { | ||
87 | return rc; | ||
88 | } | ||
89 | |||
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index a4583ed8f..903a62b3d 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc | |||
@@ -23,6 +23,7 @@ SRC_URI = " \ | |||
23 | file://nginx.service \ | 23 | file://nginx.service \ |
24 | file://nginx-fix-pidfile.patch \ | 24 | file://nginx-fix-pidfile.patch \ |
25 | file://CVE-2021-23017.patch \ | 25 | file://CVE-2021-23017.patch \ |
26 | file://CVE-2021-3618.patch \ | ||
26 | " | 27 | " |
27 | 28 | ||
28 | inherit siteinfo update-rc.d useradd systemd | 29 | inherit siteinfo update-rc.d useradd systemd |