nginx: fix CVE-2021-3618

Backport with no change a patch from version 1.21.0. This patch was not cherry-picked by nginx to version 1.20.1. Information about this CVE comes from https://ubuntu.com/security/CVE-2021-3618. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Joe Slater <joe.slater@windriver.com> 2021-08-19 14:25:18 -0700
committer: Khem Raj <raj.khem@gmail.com> 2021-08-20 09:26:18 -0700
commit: f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5 (patch)
tree: 492d22410119935ade488d7a9bea1cd8c0ced280
parent: 7b672a3dfee375103c1d419c483aacf20e6bde43 (diff)
download: meta-openembedded-f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5.tar.gz
2 files changed, 109 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
new file mode 100644
index 0000000000..be42a1ed5e
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
@@ -0,0 +1,107 @@
+From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Wed, 19 May 2021 03:13:31 +0300
+Subject: [PATCH 1/1] Mail: max_errors directive.
+Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+in Exim, specifies the number of errors after which the connection is closed.
+--- end of original header ---
+CVE: CVE-2021-3618
+Upstream-Status: Backport
+                 https://github.com/nginx/nginx.git
+                 commit 173f16f736c10eae46cd15dd861b04b82d91a37a
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ src/mail/ngx_mail.h             |  3 +++
+ src/mail/ngx_mail_core_module.c | 10 ++++++++++
+ src/mail/ngx_mail_handler.c     | 15 ++++++++++++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
+index b865a3b9..76cae37a 100644
+--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
+@@ -115,6 +115,8 @@ typedef struct {
+     ngx_msec_t              timeout;
+     ngx_msec_t              resolver_timeout;
+ 
+    ngx_uint_t              max_errors;
+
+     ngx_str_t               server_name;
+ 
+     u_char                 *file_name;
+@@ -231,6 +233,7 @@ typedef struct {
+     ngx_uint_t              command;
+     ngx_array_t             args;
+ 
+    ngx_uint_t              errors;
+     ngx_uint_t              login_attempt;
+ 
+     /* used to parse POP3/IMAP/SMTP command */
+diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
+index 40831242..115671ca 100644
+--- a/src/mail/ngx_mail_core_module.c
+++ b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@ static ngx_command_t  ngx_mail_core_commands[] = {
+       offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+       NULL },
+ 
+    { ngx_string("max_errors"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_core_srv_conf_t, max_errors),
+      NULL },
+
+       ngx_null_command
+ };
+ 
+@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf)
+     cscf->timeout = NGX_CONF_UNSET_MSEC;
+     cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ 
+    cscf->max_errors = NGX_CONF_UNSET_UINT;
+
+     cscf->resolver = NGX_CONF_UNSET_PTR;
+ 
+     cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+     ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+                               30000);
+ 
+    ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+ 
+     ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+ 
+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
+index 0aaa0e78..71b81512 100644
+--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
+@@ -871,7 +871,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c)
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+    if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+
+        s->errors++;
+
+        if (s->errors >= cscf->max_errors) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client sent too many invalid commands");
+            s->quit = 1;
+        }
+
+        return rc;
+    }
+
+    if (rc == NGX_IMAP_NEXT) {
+         return rc;
+     }
+ 
+-- 
+2.25.1
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb
index 7f159a2a30..d686c627f2 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb
@@ -1,5 +1,7 @@
 require nginx.inc
+SRC_URI += "file://CVE-2021-3618.patch"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=206629dc7c7b3e87acb31162363ae505"
 SRC_URI[md5sum] = "8ca6edd5076bdfad30a69c9c9b41cc68"
author	Joe Slater <joe.slater@windriver.com>	2021-08-19 14:25:18 -0700
committer	Khem Raj <raj.khem@gmail.com>	2021-08-20 09:26:18 -0700
commit	f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5 (patch)
tree	492d22410119935ade488d7a9bea1cd8c0ced280
parent	7b672a3dfee375103c1d419c483aacf20e6bde43 (diff)
download	meta-openembedded-f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5.tar.gz

diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch new file mode 100644 index 0000000000..be42a1ed5e --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
@@ -0,0 +1,107 @@
		1	From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001
		2	From: Maxim Dounin <mdounin@mdounin.ru>
		3	Date: Wed, 19 May 2021 03:13:31 +0300
		4	Subject: [PATCH 1/1] Mail: max_errors directive.
		5
		6	Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
		7	in Exim, specifies the number of errors after which the connection is closed.
		8	--- end of original header ---
		9
		10	CVE: CVE-2021-3618
		11
		12	Upstream-Status: Backport
		13	https://github.com/nginx/nginx.git
		14	commit 173f16f736c10eae46cd15dd861b04b82d91a37a
		15
		16	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		17	---
		18	src/mail/ngx_mail.h \| 3 +++
		19	src/mail/ngx_mail_core_module.c \| 10 ++++++++++
		20	src/mail/ngx_mail_handler.c \| 15 ++++++++++++++-
		21	3 files changed, 27 insertions(+), 1 deletion(-)
		22
		23	diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
		24	index b865a3b9..76cae37a 100644
		25	--- a/src/mail/ngx_mail.h
		26	+++ b/src/mail/ngx_mail.h
		27	@@ -115,6 +115,8 @@ typedef struct {
		28	ngx_msec_t timeout;
		29	ngx_msec_t resolver_timeout;
		30
		31	+ ngx_uint_t max_errors;
		32	+
		33	ngx_str_t server_name;
		34
		35	u_char *file_name;
		36	@@ -231,6 +233,7 @@ typedef struct {
		37	ngx_uint_t command;
		38	ngx_array_t args;
		39
		40	+ ngx_uint_t errors;
		41	ngx_uint_t login_attempt;
		42
		43	/* used to parse POP3/IMAP/SMTP command */
		44	diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
		45	index 40831242..115671ca 100644
		46	--- a/src/mail/ngx_mail_core_module.c
		47	+++ b/src/mail/ngx_mail_core_module.c
		48	@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = {
		49	offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
		50	NULL },
		51
		52	+ { ngx_string("max_errors"),
		53	+ NGX_MAIL_MAIN_CONF\|NGX_MAIL_SRV_CONF\|NGX_CONF_TAKE1,
		54	+ ngx_conf_set_num_slot,
		55	+ NGX_MAIL_SRV_CONF_OFFSET,
		56	+ offsetof(ngx_mail_core_srv_conf_t, max_errors),
		57	+ NULL },
		58	+
		59	ngx_null_command
		60	};
		61
		62	@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf)
		63	cscf->timeout = NGX_CONF_UNSET_MSEC;
		64	cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
		65
		66	+ cscf->max_errors = NGX_CONF_UNSET_UINT;
		67	+
		68	cscf->resolver = NGX_CONF_UNSET_PTR;
		69
		70	cscf->file_name = cf->conf_file->file.name.data;
		71	@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t cf, void parent, void *child)
		72	ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
		73	30000);
		74
		75	+ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
		76
		77	ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
		78
		79	diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
		80	index 0aaa0e78..71b81512 100644
		81	--- a/src/mail/ngx_mail_handler.c
		82	+++ b/src/mail/ngx_mail_handler.c
		83	@@ -871,7 +871,20 @@ ngx_mail_read_command(ngx_mail_session_t s, ngx_connection_t c)
		84	return NGX_MAIL_PARSE_INVALID_COMMAND;
		85	}
		86
		87	- if (rc == NGX_IMAP_NEXT \|\| rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
		88	+ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
		89	+
		90	+ s->errors++;
		91	+
		92	+ if (s->errors >= cscf->max_errors) {
		93	+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
		94	+ "client sent too many invalid commands");
		95	+ s->quit = 1;
		96	+ }
		97	+
		98	+ return rc;
		99	+ }
		100	+
		101	+ if (rc == NGX_IMAP_NEXT) {
		102	return rc;
		103	}
		104
		105	--
		106	2.25.1
		107


diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb index 7f159a2a30..d686c627f2 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb
@@ -1,5 +1,7 @@
1	require nginx.inc	1	require nginx.inc
2		2
		3	SRC_URI += "file://CVE-2021-3618.patch"
		4
3	LIC_FILES_CHKSUM = "file://LICENSE;md5=206629dc7c7b3e87acb31162363ae505"	5	LIC_FILES_CHKSUM = "file://LICENSE;md5=206629dc7c7b3e87acb31162363ae505"
4		6
5	SRC_URI[md5sum] = "8ca6edd5076bdfad30a69c9c9b41cc68"	7	SRC_URI[md5sum] = "8ca6edd5076bdfad30a69c9c9b41cc68"