summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2026-04-09 23:22:06 +1200
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-15 14:12:18 +0530
commit24459e3f5c236726a27f74e8b748daaf265fdcb3 (patch)
tree9b4fa44e912680e5c320eb10f6e707177613f283
parent958cca39870ffba7e657b28cc25ee107fb57a2b8 (diff)
downloadmeta-openembedded-24459e3f5c236726a27f74e8b748daaf265fdcb3.tar.gz
nginx: fix CVE-2026-27654
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160382 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-27654 [3] https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch81
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb1
2 files changed, 82 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch
new file mode 100644
index 0000000000..b85c6621e9
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27654.patch
@@ -0,0 +1,81 @@
1From be39034fa93a4d44b52de9b7a463754eda56e712 Mon Sep 17 00:00:00 2001
2From: Roman Arutyunyan <arut@nginx.com>
3Date: Mon, 16 Mar 2026 20:13:03 +0400
4Subject: [PATCH] Dav: destination length validation for COPY and MOVE.
5
6Previously, when alias was used in a location with Dav COPY or MOVE
7enabled, and the destination URI was shorter than the alias, integer
8underflow could happen in ngx_http_map_uri_to_path(), which could
9result in heap buffer overwrite, followed by a possible segfault.
10With some implementations of memcpy(), the segfault could be avoided
11and the overwrite could result in a change of the source or destination
12file names to be outside of the location root.
13
14Reported by Calif.io in collaboration with Claude and Anthropic Research.
15
16(cherry picked from commit a1d18284e0a173c4ef2b28425535d0f640ae0a82)
17
18CVE: CVE-2026-27654
19Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a1d18284e0a173c4ef2b28425535d0f640ae0a82]
20Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
21---
22 src/http/modules/ngx_http_dav_module.c | 39 +++++++++++++++++---------
23 1 file changed, 26 insertions(+), 13 deletions(-)
24
25diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
26index cfb98929e..4619b139a 100644
27--- a/src/http/modules/ngx_http_dav_module.c
28+++ b/src/http/modules/ngx_http_dav_module.c
29@@ -535,19 +535,20 @@ ngx_http_dav_mkcol_handler(ngx_http_request_t *r, ngx_http_dav_loc_conf_t *dlcf)
30 static ngx_int_t
31 ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
32 {
33- u_char *p, *host, *last, ch;
34- size_t len, root;
35- ngx_err_t err;
36- ngx_int_t rc, depth;
37- ngx_uint_t overwrite, slash, dir, flags;
38- ngx_str_t path, uri, duri, args;
39- ngx_tree_ctx_t tree;
40- ngx_copy_file_t cf;
41- ngx_file_info_t fi;
42- ngx_table_elt_t *dest, *over;
43- ngx_ext_rename_file_t ext;
44- ngx_http_dav_copy_ctx_t copy;
45- ngx_http_dav_loc_conf_t *dlcf;
46+ u_char *p, *host, *last, ch;
47+ size_t len, root;
48+ ngx_err_t err;
49+ ngx_int_t rc, depth;
50+ ngx_uint_t overwrite, slash, dir, flags;
51+ ngx_str_t path, uri, duri, args;
52+ ngx_tree_ctx_t tree;
53+ ngx_copy_file_t cf;
54+ ngx_file_info_t fi;
55+ ngx_table_elt_t *dest, *over;
56+ ngx_ext_rename_file_t ext;
57+ ngx_http_dav_copy_ctx_t copy;
58+ ngx_http_dav_loc_conf_t *dlcf;
59+ ngx_http_core_loc_conf_t *clcf;
60
61 if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
62 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
63@@ -644,6 +645,18 @@ destination_done:
64 return NGX_HTTP_CONFLICT;
65 }
66
67+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
68+
69+ if (clcf->alias
70+ && clcf->alias != NGX_MAX_SIZE_T_VALUE
71+ && duri.len < clcf->alias)
72+ {
73+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
74+ "client sent invalid \"Destination\" header: \"%V\"",
75+ &dest->value);
76+ return NGX_HTTP_BAD_REQUEST;
77+ }
78+
79 depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
80
81 if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index b57ee49813..cdd351fb12 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -6,6 +6,7 @@ SRC_URI:append = " \
6 file://CVE-2023-44487.patch \ 6 file://CVE-2023-44487.patch \
7 file://CVE-2026-28755.patch \ 7 file://CVE-2026-28755.patch \
8 file://CVE-2026-27651.patch \ 8 file://CVE-2026-27651.patch \
9 file://CVE-2026-27654.patch \
9" 10"
10 11
11SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" 12SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"