diff options
| author | Hitendra Prajapati <hprajapati@mvista.com> | 2026-04-22 18:09:42 +0530 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2026-04-29 10:14:29 +0530 |
| commit | 7ba6689d13b7a3b1344430d770069dd887e71dc0 (patch) | |
| tree | 976d0ed1a892e6b26db88f3e86bc12b70de2b571 | |
| parent | bed3ecfe03c3f8ab8ac27a019430e0fb1bd024ca (diff) | |
| download | meta-openembedded-7ba6689d13b7a3b1344430d770069dd887e71dc0.tar.gz | |
nginx: fix CVE-2026-32647
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.
[1] https://my.f5.com/manage/s/article/K000160366
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647
[3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
| -rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647.patch | 78 | ||||
| -rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb | 1 |
2 files changed, 79 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647.patch new file mode 100644 index 0000000000..d7bedb6b8b --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647.patch | |||
| @@ -0,0 +1,78 @@ | |||
| 1 | From a172c880cb51f882a5dc999437e8b3a4f87630cc Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roman Arutyunyan <arut@nginx.com> | ||
| 3 | Date: Sat, 21 Feb 2026 12:04:36 +0400 | ||
| 4 | Subject: [PATCH] Mp4: avoid zero size buffers in output. | ||
| 5 | |||
| 6 | Previously, data validation checks did not cover the cases when the output | ||
| 7 | contained empty buffers. Such buffers are considered illegal and produce | ||
| 8 | "zero size buf in output" alerts. The change rejects the mp4 files which | ||
| 9 | produce such alerts. | ||
| 10 | |||
| 11 | Also, the change fixes possible buffer overread and overwrite that could | ||
| 12 | happen while processing empty stco and co64 atoms, as reported by | ||
| 13 | Pavel Kohout (Aisle Research) and Tim Becker. | ||
| 14 | |||
| 15 | CVE: CVE-2026-32647 | ||
| 16 | Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc] | ||
| 17 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 18 | --- | ||
| 19 | src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------ | ||
| 20 | 1 file changed, 9 insertions(+), 6 deletions(-) | ||
| 21 | |||
| 22 | diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c | ||
| 23 | index a7f8be7..015e42c 100644 | ||
| 24 | --- a/src/http/modules/ngx_http_mp4_module.c | ||
| 25 | +++ b/src/http/modules/ngx_http_mp4_module.c | ||
| 26 | @@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) | ||
| 27 | } | ||
| 28 | } | ||
| 29 | |||
| 30 | - if (end_offset < start_offset) { | ||
| 31 | - end_offset = start_offset; | ||
| 32 | + if (end_offset <= start_offset) { | ||
| 33 | + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
| 34 | + "no data between start time and end time in \"%s\"", | ||
| 35 | + mp4->file.name.data); | ||
| 36 | + return NGX_ERROR; | ||
| 37 | } | ||
| 38 | |||
| 39 | mp4->moov_size += 8; | ||
| 40 | @@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) | ||
| 41 | |||
| 42 | *prev = &mp4->mdat_atom; | ||
| 43 | |||
| 44 | - if (start_offset > mp4->mdat_data.buf->file_last) { | ||
| 45 | + if (start_offset >= mp4->mdat_data.buf->file_last) { | ||
| 46 | ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
| 47 | "start time is out mp4 mdat atom in \"%s\"", | ||
| 48 | mp4->file.name.data); | ||
| 49 | @@ -3416,7 +3419,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4, | ||
| 50 | if (data) { | ||
| 51 | entries = trak->sample_sizes_entries; | ||
| 52 | |||
| 53 | - if (trak->start_sample > entries) { | ||
| 54 | + if (trak->start_sample >= entries) { | ||
| 55 | ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
| 56 | "start time is out mp4 stsz samples in \"%s\"", | ||
| 57 | mp4->file.name.data); | ||
| 58 | @@ -3591,7 +3594,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4, | ||
| 59 | return NGX_ERROR; | ||
| 60 | } | ||
| 61 | |||
| 62 | - if (trak->start_chunk > trak->chunks) { | ||
| 63 | + if (trak->start_chunk >= trak->chunks) { | ||
| 64 | ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
| 65 | "start time is out mp4 stco chunks in \"%s\"", | ||
| 66 | mp4->file.name.data); | ||
| 67 | @@ -3806,7 +3809,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4, | ||
| 68 | return NGX_ERROR; | ||
| 69 | } | ||
| 70 | |||
| 71 | - if (trak->start_chunk > trak->chunks) { | ||
| 72 | + if (trak->start_chunk >= trak->chunks) { | ||
| 73 | ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
| 74 | "start time is out mp4 co64 chunks in \"%s\"", | ||
| 75 | mp4->file.name.data); | ||
| 76 | -- | ||
| 77 | 2.50.1 | ||
| 78 | |||
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index d493a66ce9..b732e92b18 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb | |||
| @@ -8,6 +8,7 @@ SRC_URI:append = " \ | |||
| 8 | file://CVE-2026-27651.patch \ | 8 | file://CVE-2026-27651.patch \ |
| 9 | file://CVE-2026-27654.patch \ | 9 | file://CVE-2026-27654.patch \ |
| 10 | file://CVE-2026-28753.patch \ | 10 | file://CVE-2026-28753.patch \ |
| 11 | file://CVE-2026-32647.patch \ | ||
| 11 | " | 12 | " |
| 12 | 13 | ||
| 13 | SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" | 14 | SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" |
