diff options
| author | Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> | 2026-05-20 16:24:38 +0200 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-05-21 09:56:23 +0530 |
| commit | 29653f38cda7c40061e0ce6c2c2ccdbf93ddde9c (patch) | |
| tree | 61b0fc3df586fb6ee94e4c2a0440bb9d458e71c9 | |
| parent | 96870679e8b6a0ec8eb9a98e2826e28675380aad (diff) | |
| download | meta-openembedded-29653f38cda7c40061e0ce6c2c2ccdbf93ddde9c.tar.gz | |
nginx: patch CVE-2026-42946
Backport patches [1] and [2] mentioned in [3].
[1] https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e
[2] https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd
[3] https://security-tracker.debian.org/tracker/CVE-2026-42946
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
3 files changed, 139 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch new file mode 100644 index 0000000000..2418f69afc --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-01.patch | |||
| @@ -0,0 +1,46 @@ | |||
| 1 | From 7b45e652cc7e91fbc60cbb5f41eb4608e706bc03 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Sergey Kandaurov <pluknet@nginx.com> | ||
| 3 | Date: Wed, 29 Apr 2026 21:56:51 +0400 | ||
| 4 | Subject: [PATCH 1/2] Upstream: reset parsing state after invalid status line | ||
| 5 | |||
| 6 | Previously, it was possible to start parsing headers with a wrong | ||
| 7 | parsing state after status line was not recognized, as a fallback | ||
| 8 | used in the scgi and uwsgi modules. | ||
| 9 | |||
| 10 | Reported by Leo Lin. | ||
| 11 | |||
| 12 | CVE: CVE-2026-42946 | ||
| 13 | Upstream-Status: Backport [https://github.com/nginx/nginx/commit/baef7fdac28e4e1fe26509b50b8d15603393e28e] | ||
| 14 | Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> | ||
| 15 | --- | ||
| 16 | src/http/modules/ngx_http_scgi_module.c | 1 + | ||
| 17 | src/http/modules/ngx_http_uwsgi_module.c | 1 + | ||
| 18 | 2 files changed, 2 insertions(+) | ||
| 19 | |||
| 20 | diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c | ||
| 21 | index 9fc18dc..3259820 100644 | ||
| 22 | --- a/src/http/modules/ngx_http_scgi_module.c | ||
| 23 | +++ b/src/http/modules/ngx_http_scgi_module.c | ||
| 24 | @@ -1029,6 +1029,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) | ||
| 25 | |||
| 26 | if (rc == NGX_ERROR) { | ||
| 27 | u->process_header = ngx_http_scgi_process_header; | ||
| 28 | + r->state = 0; | ||
| 29 | return ngx_http_scgi_process_header(r); | ||
| 30 | } | ||
| 31 | |||
| 32 | diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c | ||
| 33 | index e4f721b..93bcad7 100644 | ||
| 34 | --- a/src/http/modules/ngx_http_uwsgi_module.c | ||
| 35 | +++ b/src/http/modules/ngx_http_uwsgi_module.c | ||
| 36 | @@ -1257,6 +1257,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) | ||
| 37 | |||
| 38 | if (rc == NGX_ERROR) { | ||
| 39 | u->process_header = ngx_http_uwsgi_process_header; | ||
| 40 | + r->state = 0; | ||
| 41 | return ngx_http_uwsgi_process_header(r); | ||
| 42 | } | ||
| 43 | |||
| 44 | -- | ||
| 45 | 2.43.0 | ||
| 46 | |||
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch new file mode 100644 index 0000000000..089bd46a26 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42946-02.patch | |||
| @@ -0,0 +1,91 @@ | |||
| 1 | From 7b5bea14a2a7a784751a8f86559bd3c3f109ed5b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Sergey Kandaurov <pluknet@nginx.com> | ||
| 3 | Date: Wed, 29 Apr 2026 23:02:20 +0400 | ||
| 4 | Subject: [PATCH 2/2] Upstream: fixed parsing of split status lines | ||
| 5 | |||
| 6 | If the first response line was split across reads and it didn't appear | ||
| 7 | a status line, the portion already processed was lost. To preserve ABI, | ||
| 8 | the change reuses r->header_name_start for proper backtracking on status | ||
| 9 | line fallback. | ||
| 10 | |||
| 11 | CVE: CVE-2026-42946 | ||
| 12 | Upstream-Status: Backport [https://github.com/nginx/nginx/commit/39d7d0ba0799fcff6baee52b6525f45739593cfd] | ||
| 13 | Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com> | ||
| 14 | --- | ||
| 15 | src/http/modules/ngx_http_proxy_module.c | 5 +++++ | ||
| 16 | src/http/modules/ngx_http_scgi_module.c | 5 +++++ | ||
| 17 | src/http/modules/ngx_http_uwsgi_module.c | 5 +++++ | ||
| 18 | 3 files changed, 15 insertions(+) | ||
| 19 | |||
| 20 | diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c | ||
| 21 | index 9cc202c..19cbfa3 100644 | ||
| 22 | --- a/src/http/modules/ngx_http_proxy_module.c | ||
| 23 | +++ b/src/http/modules/ngx_http_proxy_module.c | ||
| 24 | @@ -1814,6 +1814,10 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) | ||
| 25 | |||
| 26 | u = r->upstream; | ||
| 27 | |||
| 28 | + if (r->state == 0) { | ||
| 29 | + r->header_name_start = u->buffer.pos; | ||
| 30 | + } | ||
| 31 | + | ||
| 32 | rc = ngx_http_parse_status_line(r, &u->buffer, &ctx->status); | ||
| 33 | |||
| 34 | if (rc == NGX_AGAIN) { | ||
| 35 | @@ -1821,6 +1825,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r) | ||
| 36 | } | ||
| 37 | |||
| 38 | if (rc == NGX_ERROR) { | ||
| 39 | + u->buffer.pos = r->header_name_start; | ||
| 40 | |||
| 41 | #if (NGX_HTTP_CACHE) | ||
| 42 | |||
| 43 | diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c | ||
| 44 | index 3259820..a04fd47 100644 | ||
| 45 | --- a/src/http/modules/ngx_http_scgi_module.c | ||
| 46 | +++ b/src/http/modules/ngx_http_scgi_module.c | ||
| 47 | @@ -1021,6 +1021,10 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) | ||
| 48 | |||
| 49 | u = r->upstream; | ||
| 50 | |||
| 51 | + if (r->state == 0) { | ||
| 52 | + r->header_name_start = u->buffer.pos; | ||
| 53 | + } | ||
| 54 | + | ||
| 55 | rc = ngx_http_parse_status_line(r, &u->buffer, status); | ||
| 56 | |||
| 57 | if (rc == NGX_AGAIN) { | ||
| 58 | @@ -1029,6 +1033,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r) | ||
| 59 | |||
| 60 | if (rc == NGX_ERROR) { | ||
| 61 | u->process_header = ngx_http_scgi_process_header; | ||
| 62 | + u->buffer.pos = r->header_name_start; | ||
| 63 | r->state = 0; | ||
| 64 | return ngx_http_scgi_process_header(r); | ||
| 65 | } | ||
| 66 | diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c | ||
| 67 | index 93bcad7..749254f 100644 | ||
| 68 | --- a/src/http/modules/ngx_http_uwsgi_module.c | ||
| 69 | +++ b/src/http/modules/ngx_http_uwsgi_module.c | ||
| 70 | @@ -1249,6 +1249,10 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) | ||
| 71 | |||
| 72 | u = r->upstream; | ||
| 73 | |||
| 74 | + if (r->state == 0) { | ||
| 75 | + r->header_name_start = u->buffer.pos; | ||
| 76 | + } | ||
| 77 | + | ||
| 78 | rc = ngx_http_parse_status_line(r, &u->buffer, status); | ||
| 79 | |||
| 80 | if (rc == NGX_AGAIN) { | ||
| 81 | @@ -1257,6 +1261,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r) | ||
| 82 | |||
| 83 | if (rc == NGX_ERROR) { | ||
| 84 | u->process_header = ngx_http_uwsgi_process_header; | ||
| 85 | + u->buffer.pos = r->header_name_start; | ||
| 86 | r->state = 0; | ||
| 87 | return ngx_http_uwsgi_process_header(r); | ||
| 88 | } | ||
| 89 | -- | ||
| 90 | 2.43.0 | ||
| 91 | |||
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index f9e40fa27f..26352a8814 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb | |||
| @@ -12,6 +12,8 @@ SRC_URI:append = " \ | |||
| 12 | file://CVE-2026-40701.patch \ | 12 | file://CVE-2026-40701.patch \ |
| 13 | file://CVE-2026-42934.patch \ | 13 | file://CVE-2026-42934.patch \ |
| 14 | file://CVE-2026-42945.patch \ | 14 | file://CVE-2026-42945.patch \ |
| 15 | file://CVE-2026-42946-01.patch \ | ||
| 16 | file://CVE-2026-42946-02.patch \ | ||
| 15 | " | 17 | " |
| 16 | 18 | ||
| 17 | SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" | 19 | SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" |
