diff options
| author | Ankur Tyagi <ankur.tyagi85@gmail.com> | 2026-04-09 23:22:06 +1200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-15 14:12:18 +0530 |
| commit | 24459e3f5c236726a27f74e8b748daaf265fdcb3 (patch) | |
| tree | 9b4fa44e912680e5c320eb10f6e707177613f283 | |
| parent | 958cca39870ffba7e657b28cc25ee107fb57a2b8 (diff) | |
| download | meta-openembedded-24459e3f5c236726a27f74e8b748daaf265fdcb3.tar.gz | |
nginx: fix CVE-2026-27654
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160382
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27654
[3] https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
| -rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch | 81 | ||||
| -rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb | 1 |
2 files changed, 82 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch new file mode 100644 index 0000000000..b85c6621e9 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch | |||
| @@ -0,0 +1,81 @@ | |||
| 1 | From be39034fa93a4d44b52de9b7a463754eda56e712 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roman Arutyunyan <arut@nginx.com> | ||
| 3 | Date: Mon, 16 Mar 2026 20:13:03 +0400 | ||
| 4 | Subject: [PATCH] Dav: destination length validation for COPY and MOVE. | ||
| 5 | |||
| 6 | Previously, when alias was used in a location with Dav COPY or MOVE | ||
| 7 | enabled, and the destination URI was shorter than the alias, integer | ||
| 8 | underflow could happen in ngx_http_map_uri_to_path(), which could | ||
| 9 | result in heap buffer overwrite, followed by a possible segfault. | ||
| 10 | With some implementations of memcpy(), the segfault could be avoided | ||
| 11 | and the overwrite could result in a change of the source or destination | ||
| 12 | file names to be outside of the location root. | ||
| 13 | |||
| 14 | Reported by Calif.io in collaboration with Claude and Anthropic Research. | ||
| 15 | |||
| 16 | (cherry picked from commit a1d18284e0a173c4ef2b28425535d0f640ae0a82) | ||
| 17 | |||
| 18 | CVE: CVE-2026-27654 | ||
| 19 | Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82] | ||
| 20 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 21 | --- | ||
| 22 | src/http/modules/ngx_http_dav_module.c | 39 +++++++++++++++++--------- | ||
| 23 | 1 file changed, 26 insertions(+), 13 deletions(-) | ||
| 24 | |||
| 25 | diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c | ||
| 26 | index cfb98929e..4619b139a 100644 | ||
| 27 | --- a/src/http/modules/ngx_http_dav_module.c | ||
| 28 | +++ b/src/http/modules/ngx_http_dav_module.c | ||
| 29 | @@ -535,19 +535,20 @@ ngx_http_dav_mkcol_handler(ngx_http_request_t *r, ngx_http_dav_loc_conf_t *dlcf) | ||
| 30 | static ngx_int_t | ||
| 31 | ngx_http_dav_copy_move_handler(ngx_http_request_t *r) | ||
| 32 | { | ||
| 33 | - u_char *p, *host, *last, ch; | ||
| 34 | - size_t len, root; | ||
| 35 | - ngx_err_t err; | ||
| 36 | - ngx_int_t rc, depth; | ||
| 37 | - ngx_uint_t overwrite, slash, dir, flags; | ||
| 38 | - ngx_str_t path, uri, duri, args; | ||
| 39 | - ngx_tree_ctx_t tree; | ||
| 40 | - ngx_copy_file_t cf; | ||
| 41 | - ngx_file_info_t fi; | ||
| 42 | - ngx_table_elt_t *dest, *over; | ||
| 43 | - ngx_ext_rename_file_t ext; | ||
| 44 | - ngx_http_dav_copy_ctx_t copy; | ||
| 45 | - ngx_http_dav_loc_conf_t *dlcf; | ||
| 46 | + u_char *p, *host, *last, ch; | ||
| 47 | + size_t len, root; | ||
| 48 | + ngx_err_t err; | ||
| 49 | + ngx_int_t rc, depth; | ||
| 50 | + ngx_uint_t overwrite, slash, dir, flags; | ||
| 51 | + ngx_str_t path, uri, duri, args; | ||
| 52 | + ngx_tree_ctx_t tree; | ||
| 53 | + ngx_copy_file_t cf; | ||
| 54 | + ngx_file_info_t fi; | ||
| 55 | + ngx_table_elt_t *dest, *over; | ||
| 56 | + ngx_ext_rename_file_t ext; | ||
| 57 | + ngx_http_dav_copy_ctx_t copy; | ||
| 58 | + ngx_http_dav_loc_conf_t *dlcf; | ||
| 59 | + ngx_http_core_loc_conf_t *clcf; | ||
| 60 | |||
| 61 | if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) { | ||
| 62 | ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, | ||
| 63 | @@ -644,6 +645,18 @@ destination_done: | ||
| 64 | return NGX_HTTP_CONFLICT; | ||
| 65 | } | ||
| 66 | |||
| 67 | + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); | ||
| 68 | + | ||
| 69 | + if (clcf->alias | ||
| 70 | + && clcf->alias != NGX_MAX_SIZE_T_VALUE | ||
| 71 | + && duri.len < clcf->alias) | ||
| 72 | + { | ||
| 73 | + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, | ||
| 74 | + "client sent invalid \"Destination\" header: \"%V\"", | ||
| 75 | + &dest->value); | ||
| 76 | + return NGX_HTTP_BAD_REQUEST; | ||
| 77 | + } | ||
| 78 | + | ||
| 79 | depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH); | ||
| 80 | |||
| 81 | if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) { | ||
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index b57ee49813..cdd351fb12 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb | |||
| @@ -6,6 +6,7 @@ SRC_URI:append = " \ | |||
| 6 | file://CVE-2023-44487.patch \ | 6 | file://CVE-2023-44487.patch \ |
| 7 | file://CVE-2026-28755.patch \ | 7 | file://CVE-2026-28755.patch \ |
| 8 | file://CVE-2026-27651.patch \ | 8 | file://CVE-2026-27651.patch \ |
| 9 | file://CVE-2026-27654.patch \ | ||
| 9 | " | 10 | " |
| 10 | 11 | ||
| 11 | SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" | 12 | SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" |
