diff options
3 files changed, 88 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-1.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-1.patch new file mode 100644 index 0000000000..23723d63d4 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-1.patch | |||
| @@ -0,0 +1,34 @@ | |||
| 1 | From 88955b1044ef38315b77ad1a509d63631a790a0f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roman Arutyunyan <arut@nginx.com> | ||
| 3 | Date: Mon, 12 Aug 2024 18:20:45 +0400 | ||
| 4 | Subject: [PATCH] Mp4: rejecting unordered chunks in stsc atom. | ||
| 5 | |||
| 6 | Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk | ||
| 7 | in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() | ||
| 8 | this caused buffer overread while trying to calculate trak->end_offset. | ||
| 9 | |||
| 10 | CVE: CVE-2024-7347 | ||
| 11 | Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f] | ||
| 12 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
| 13 | |||
| 14 | src/http/modules/ngx_http_mp4_module.c | 7 +++++++ | ||
| 15 | 1 file changed, 7 insertions(+) | ||
| 16 | |||
| 17 | diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c | ||
| 18 | index 1cd017c274..041ad263b5 100644 | ||
| 19 | --- a/src/http/modules/ngx_http_mp4_module.c | ||
| 20 | +++ b/src/http/modules/ngx_http_mp4_module.c | ||
| 21 | @@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| 22 | |||
| 23 | next_chunk = ngx_mp4_get_32value(entry->chunk); | ||
| 24 | |||
| 25 | + if (next_chunk < chunk) { | ||
| 26 | + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
| 27 | + "unordered mp4 stsc chunks in \"%s\"", | ||
| 28 | + mp4->file.name.data); | ||
| 29 | + return NGX_ERROR; | ||
| 30 | + } | ||
| 31 | + | ||
| 32 | ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, | ||
| 33 | "sample:%uD, chunk:%uD, chunks:%uD, " | ||
| 34 | "samples:%uD, id:%uD", | ||
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-2.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-2.patch new file mode 100644 index 0000000000..5b8d08a1e1 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-2.patch | |||
| @@ -0,0 +1,52 @@ | |||
| 1 | From 7362d01658b61184108c21278443910da68f93b4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roman Arutyunyan <arut@nginx.com> | ||
| 3 | Date: Mon, 12 Aug 2024 18:20:43 +0400 | ||
| 4 | Subject: [PATCH] Mp4: fixed buffer underread while updating stsz atom. | ||
| 5 | |||
| 6 | While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer | ||
| 7 | overflow could happen, which could result in incorrect seeking and a very large | ||
| 8 | value stored in "samples". This resulted in a large invalid value of | ||
| 9 | trak->end_chunk_samples. This value is further used to calculate the value of | ||
| 10 | trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing | ||
| 11 | this, a large invalid value of trak->end_chunk_samples could result in reading | ||
| 12 | memory before stsz atom start. This could potentially result in a segfault. | ||
| 13 | |||
| 14 | CVE: CVE-2024-7347 | ||
| 15 | Upstream-Status: Backport [https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4] | ||
| 16 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
| 17 | |||
| 18 | src/http/modules/ngx_http_mp4_module.c | 7 ++++--- | ||
| 19 | 1 file changed, 4 insertions(+), 3 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c | ||
| 22 | index 03175dea21..1cd017c274 100644 | ||
| 23 | --- a/src/http/modules/ngx_http_mp4_module.c | ||
| 24 | +++ b/src/http/modules/ngx_http_mp4_module.c | ||
| 25 | @@ -3099,7 +3099,8 @@ static ngx_int_t | ||
| 26 | ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| 27 | ngx_http_mp4_trak_t *trak, ngx_uint_t start) | ||
| 28 | { | ||
| 29 | - uint32_t start_sample, chunk, samples, id, next_chunk, n, | ||
| 30 | + uint64_t n; | ||
| 31 | + uint32_t start_sample, chunk, samples, id, next_chunk, | ||
| 32 | prev_samples; | ||
| 33 | ngx_buf_t *data, *buf; | ||
| 34 | ngx_uint_t entries, target_chunk, chunk_samples; | ||
| 35 | @@ -3160,7 +3161,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| 36 | "samples:%uD, id:%uD", | ||
| 37 | start_sample, chunk, next_chunk - chunk, samples, id); | ||
| 38 | |||
| 39 | - n = (next_chunk - chunk) * samples; | ||
| 40 | + n = (uint64_t) (next_chunk - chunk) * samples; | ||
| 41 | |||
| 42 | if (start_sample < n) { | ||
| 43 | goto found; | ||
| 44 | @@ -3182,7 +3183,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| 45 | "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD", | ||
| 46 | start_sample, chunk, next_chunk - chunk, samples); | ||
| 47 | |||
| 48 | - n = (next_chunk - chunk) * samples; | ||
| 49 | + n = (uint64_t) (next_chunk - chunk) * samples; | ||
| 50 | |||
| 51 | if (start_sample > n) { | ||
| 52 | ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index 9cbe35a13a..4e744de270 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc | |||
| @@ -24,6 +24,8 @@ SRC_URI = " \ | |||
| 24 | file://nginx-fix-pidfile.patch \ | 24 | file://nginx-fix-pidfile.patch \ |
| 25 | file://0001-configure-libxslt-conf.patch \ | 25 | file://0001-configure-libxslt-conf.patch \ |
| 26 | file://CVE-2023-44487.patch \ | 26 | file://CVE-2023-44487.patch \ |
| 27 | file://CVE-2024-7347-1.patch \ | ||
| 28 | file://CVE-2024-7347-2.patch \ | ||
| 27 | " | 29 | " |
| 28 | 30 | ||
| 29 | inherit siteinfo update-rc.d useradd systemd | 31 | inherit siteinfo update-rc.d useradd systemd |
