nginx: fix CVE-2021-3618

Source: meta-openembedded.ort MR: 112731 Type: Security Fix Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/nginx?id=f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5 ChangeID: dd3295b606d73e01dd09291d85d529dea17a1a9e Description: Backport with no change a patch from version 1.21.0. This patch was not cherry-picked by nginx to version 1.20.1. Information about this CVE comes from https://ubuntu.com/security/CVE-2021-3618. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5) [refesh patch for Dunfell context] Signed-off-by: Armin Kuster <akuster@mvista.com>
author: Joe Slater <joe.slater@windriver.com> 2021-08-19 14:25:18 -0700
committer: Armin Kuster <akuster@mvista.com> 2021-08-21 12:16:49 -0700
commit: 4a0d93d250576177e1237fa559f55c4f9d371809 (patch)
tree: 677c48699a21753105b178268ba9e2c4643047c2
parent: a64eec177151a7076a2fd6937e4abdb8e2264a59 (diff)
download: meta-openembedded-4a0d93d250576177e1237fa559f55c4f9d371809.tar.gz
2 files changed, 90 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
new file mode 100644
index 000000000..3fab8bac6
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
@@ -0,0 +1,89 @@
+From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Wed, 19 May 2021 03:13:31 +0300
+Subject: [PATCH 1/1] Mail: max_errors directive.
+Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+in Exim, specifies the number of errors after which the connection is closed.
+Index: nginx-1.16.1/src/mail/ngx_mail.h
+===================================================================
+--- nginx-1.16.1.orig/src/mail/ngx_mail.h
+++ nginx-1.16.1/src/mail/ngx_mail.h
+@@ -113,6 +113,8 @@ typedef struct {
+     ngx_msec_t              timeout;
+     ngx_msec_t              resolver_timeout;
+ 
+    ngx_uint_t              max_errors;
+
+     ngx_str_t               server_name;
+ 
+     u_char                 *file_name;
+@@ -225,6 +227,7 @@ typedef struct {
+     ngx_uint_t              command;
+     ngx_array_t             args;
+ 
+    ngx_uint_t              errors;
+     ngx_uint_t              login_attempt;
+ 
+     /* used to parse POP3/IMAP/SMTP command */
+Index: nginx-1.16.1/src/mail/ngx_mail_core_module.c
+===================================================================
+--- nginx-1.16.1.orig/src/mail/ngx_mail_core_module.c
+++ nginx-1.16.1/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@ static ngx_command_t  ngx_mail_core_comm
+       offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+       NULL },
+ 
+    { ngx_string("max_errors"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_core_srv_conf_t, max_errors),
+      NULL },
+
+       ngx_null_command
+ };
+ 
+@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t
+     cscf->timeout = NGX_CONF_UNSET_MSEC;
+     cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ 
+    cscf->max_errors = NGX_CONF_UNSET_UINT;
+
+     cscf->resolver = NGX_CONF_UNSET_PTR;
+ 
+     cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t
+     ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+                               30000);
+ 
+    ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+ 
+     ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+ 
+Index: nginx-1.16.1/src/mail/ngx_mail_handler.c
+===================================================================
+--- nginx-1.16.1.orig/src/mail/ngx_mail_handler.c
+++ nginx-1.16.1/src/mail/ngx_mail_handler.c
+@@ -753,7 +753,20 @@ ngx_mail_read_command(ngx_mail_session_t
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+    if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+
+        s->errors++;
+
+        if (s->errors >= cscf->max_errors) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client sent too many invalid commands");
+            s->quit = 1;
+        }
+
+        return rc;
+    }
+
+    if (rc == NGX_IMAP_NEXT) {
+         return rc;
+     }
+ 
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index a4583ed8f..903a62b3d 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -23,6 +23,7 @@ SRC_URI = " \
    file://nginx.service \
    file://nginx-fix-pidfile.patch \
    file://CVE-2021-23017.patch \
+    file://CVE-2021-3618.patch \
 "
 inherit siteinfo update-rc.d useradd systemd
author	Joe Slater <joe.slater@windriver.com>	2021-08-19 14:25:18 -0700
committer	Armin Kuster <akuster@mvista.com>	2021-08-21 12:16:49 -0700
commit	4a0d93d250576177e1237fa559f55c4f9d371809 (patch)
tree	677c48699a21753105b178268ba9e2c4643047c2
parent	a64eec177151a7076a2fd6937e4abdb8e2264a59 (diff)
download	meta-openembedded-4a0d93d250576177e1237fa559f55c4f9d371809.tar.gz

diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch new file mode 100644 index 000000000..3fab8bac6 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
@@ -0,0 +1,89 @@
		1	From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001
		2	From: Maxim Dounin <mdounin@mdounin.ru>
		3	Date: Wed, 19 May 2021 03:13:31 +0300
		4	Subject: [PATCH 1/1] Mail: max_errors directive.
		5
		6	Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
		7	in Exim, specifies the number of errors after which the connection is closed.
		8	Index: nginx-1.16.1/src/mail/ngx_mail.h
		9	===================================================================
		10	--- nginx-1.16.1.orig/src/mail/ngx_mail.h
		11	+++ nginx-1.16.1/src/mail/ngx_mail.h
		12	@@ -113,6 +113,8 @@ typedef struct {
		13	ngx_msec_t timeout;
		14	ngx_msec_t resolver_timeout;
		15
		16	+ ngx_uint_t max_errors;
		17	+
		18	ngx_str_t server_name;
		19
		20	u_char *file_name;
		21	@@ -225,6 +227,7 @@ typedef struct {
		22	ngx_uint_t command;
		23	ngx_array_t args;
		24
		25	+ ngx_uint_t errors;
		26	ngx_uint_t login_attempt;
		27
		28	/* used to parse POP3/IMAP/SMTP command */
		29	Index: nginx-1.16.1/src/mail/ngx_mail_core_module.c
		30	===================================================================
		31	--- nginx-1.16.1.orig/src/mail/ngx_mail_core_module.c
		32	+++ nginx-1.16.1/src/mail/ngx_mail_core_module.c
		33	@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_comm
		34	offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
		35	NULL },
		36
		37	+ { ngx_string("max_errors"),
		38	+ NGX_MAIL_MAIN_CONF\|NGX_MAIL_SRV_CONF\|NGX_CONF_TAKE1,
		39	+ ngx_conf_set_num_slot,
		40	+ NGX_MAIL_SRV_CONF_OFFSET,
		41	+ offsetof(ngx_mail_core_srv_conf_t, max_errors),
		42	+ NULL },
		43	+
		44	ngx_null_command
		45	};
		46
		47	@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t
		48	cscf->timeout = NGX_CONF_UNSET_MSEC;
		49	cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
		50
		51	+ cscf->max_errors = NGX_CONF_UNSET_UINT;
		52	+
		53	cscf->resolver = NGX_CONF_UNSET_PTR;
		54
		55	cscf->file_name = cf->conf_file->file.name.data;
		56	@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t
		57	ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
		58	30000);
		59
		60	+ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
		61
		62	ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
		63
		64	Index: nginx-1.16.1/src/mail/ngx_mail_handler.c
		65	===================================================================
		66	--- nginx-1.16.1.orig/src/mail/ngx_mail_handler.c
		67	+++ nginx-1.16.1/src/mail/ngx_mail_handler.c
		68	@@ -753,7 +753,20 @@ ngx_mail_read_command(ngx_mail_session_t
		69	return NGX_MAIL_PARSE_INVALID_COMMAND;
		70	}
		71
		72	- if (rc == NGX_IMAP_NEXT \|\| rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
		73	+ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
		74	+
		75	+ s->errors++;
		76	+
		77	+ if (s->errors >= cscf->max_errors) {
		78	+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
		79	+ "client sent too many invalid commands");
		80	+ s->quit = 1;
		81	+ }
		82	+
		83	+ return rc;
		84	+ }
		85	+
		86	+ if (rc == NGX_IMAP_NEXT) {
		87	return rc;
		88	}
		89


diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index a4583ed8f..903a62b3d 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -23,6 +23,7 @@ SRC_URI = " \
23	file://nginx.service \	23	file://nginx.service \
24	file://nginx-fix-pidfile.patch \	24	file://nginx-fix-pidfile.patch \
25	file://CVE-2021-23017.patch \	25	file://CVE-2021-23017.patch \
		26	file://CVE-2021-3618.patch \
26	"	27	"
27		28
28	inherit siteinfo update-rc.d useradd systemd	29	inherit siteinfo update-rc.d useradd systemd