summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHitendra Prajapati <hprajapati@mvista.com>2026-04-22 18:09:42 +0530
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2026-04-29 10:14:29 +0530
commit7ba6689d13b7a3b1344430d770069dd887e71dc0 (patch)
tree976d0ed1a892e6b26db88f3e86bc12b70de2b571
parentbed3ecfe03c3f8ab8ac27a019430e0fb1bd024ca (diff)
downloadmeta-openembedded-7ba6689d13b7a3b1344430d770069dd887e71dc0.tar.gz
nginx: fix CVE-2026-32647
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160366 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647 [3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647.patch78
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb1
2 files changed, 79 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647.patch
new file mode 100644
index 0000000000..d7bedb6b8b
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647.patch
@@ -0,0 +1,78 @@
1From a172c880cb51f882a5dc999437e8b3a4f87630cc Mon Sep 17 00:00:00 2001
2From: Roman Arutyunyan <arut@nginx.com>
3Date: Sat, 21 Feb 2026 12:04:36 +0400
4Subject: [PATCH] Mp4: avoid zero size buffers in output.
5
6Previously, data validation checks did not cover the cases when the output
7contained empty buffers. Such buffers are considered illegal and produce
8"zero size buf in output" alerts. The change rejects the mp4 files which
9produce such alerts.
10
11Also, the change fixes possible buffer overread and overwrite that could
12happen while processing empty stco and co64 atoms, as reported by
13Pavel Kohout (Aisle Research) and Tim Becker.
14
15CVE: CVE-2026-32647
16Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc]
17Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
18---
19 src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
20 1 file changed, 9 insertions(+), 6 deletions(-)
21
22diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
23index a7f8be7..015e42c 100644
24--- a/src/http/modules/ngx_http_mp4_module.c
25+++ b/src/http/modules/ngx_http_mp4_module.c
26@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
27 }
28 }
29
30- if (end_offset < start_offset) {
31- end_offset = start_offset;
32+ if (end_offset <= start_offset) {
33+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
34+ "no data between start time and end time in \"%s\"",
35+ mp4->file.name.data);
36+ return NGX_ERROR;
37 }
38
39 mp4->moov_size += 8;
40@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
41
42 *prev = &mp4->mdat_atom;
43
44- if (start_offset > mp4->mdat_data.buf->file_last) {
45+ if (start_offset >= mp4->mdat_data.buf->file_last) {
46 ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
47 "start time is out mp4 mdat atom in \"%s\"",
48 mp4->file.name.data);
49@@ -3416,7 +3419,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
50 if (data) {
51 entries = trak->sample_sizes_entries;
52
53- if (trak->start_sample > entries) {
54+ if (trak->start_sample >= entries) {
55 ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
56 "start time is out mp4 stsz samples in \"%s\"",
57 mp4->file.name.data);
58@@ -3591,7 +3594,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
59 return NGX_ERROR;
60 }
61
62- if (trak->start_chunk > trak->chunks) {
63+ if (trak->start_chunk >= trak->chunks) {
64 ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
65 "start time is out mp4 stco chunks in \"%s\"",
66 mp4->file.name.data);
67@@ -3806,7 +3809,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
68 return NGX_ERROR;
69 }
70
71- if (trak->start_chunk > trak->chunks) {
72+ if (trak->start_chunk >= trak->chunks) {
73 ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
74 "start time is out mp4 co64 chunks in \"%s\"",
75 mp4->file.name.data);
76--
772.50.1
78
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index d493a66ce9..b732e92b18 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -8,6 +8,7 @@ SRC_URI:append = " \
8 file://CVE-2026-27651.patch \ 8 file://CVE-2026-27651.patch \
9 file://CVE-2026-27654.patch \ 9 file://CVE-2026-27654.patch \
10 file://CVE-2026-28753.patch \ 10 file://CVE-2026-28753.patch \
11 file://CVE-2026-32647.patch \
11" 12"
12 13
13SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" 14SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"