2 files changed, 132 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2025-53859.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2025-53859.patch
new file mode 100755
index 0000000000..6f689938f4
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2025-53859.patch
@@ -0,0 +1,131 @@
+CVE: CVE-2025-53859
+Upstream-Status: Backport [https://nginx.org/download/patch.2025.smtp.txt]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
+index 1167df3fb..d3be7f3b3 100644
+--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
+@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c)
+ ngx_int_t
+ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+ {
+-    u_char     *p, *last;
+    u_char     *p, *pos, *last;
+     ngx_str_t  *arg, plain;
+ 
+     arg = s->args.elts;
+@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    s->login.data = p;
+    pos = p;
+ 
+     while (p < last && *p) { p++; }
+ 
+@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    s->login.len = p++ - s->login.data;
+    s->login.len = p++ - pos;
+    s->login.data = pos;
+ 
+     s->passwd.len = last - p;
+     s->passwd.data = p;
+@@ -583,24 +584,26 @@ ngx_int_t
+ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+     ngx_uint_t n)
+ {
+-    ngx_str_t  *arg;
+    ngx_str_t  *arg, login;
+ 
+     arg = s->args.elts;
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &arg[n]);
+ 
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+-    if (s->login.data == NULL) {
+    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+ 
+-    if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
+    if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+    s->login = login;
+
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &s->login);
+ 
+@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+ ngx_int_t
+ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+-    ngx_str_t  *arg;
+    ngx_str_t  *arg, passwd;
+ 
+     arg = s->args.elts;
+ 
+@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+                    "mail auth login password: \"%V\"", &arg[0]);
+ #endif
+ 
+-    s->passwd.data = ngx_pnalloc(c->pool,
+-                                 ngx_base64_decoded_length(arg[0].len));
+-    if (s->passwd.data == NULL) {
+    passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
+    if (passwd.data == NULL) {
+         return NGX_ERROR;
+     }
+ 
+-    if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
+    if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+    s->passwd = passwd;
+
+ #if (NGX_DEBUG_MAIL_PASSWD)
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login password: \"%V\"", &s->passwd);
+@@ -674,24 +678,26 @@ ngx_int_t
+ ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+     u_char     *p, *last;
+-    ngx_str_t  *arg;
+    ngx_str_t  *arg, login;
+ 
+     arg = s->args.elts;
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth cram-md5: \"%V\"", &arg[0]);
+ 
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
+-    if (s->login.data == NULL) {
+    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
+    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+ 
+-    if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
+    if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH CRAM-MD5 command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+    s->login = login;
+
+     p = s->login.data;
+     last = p + s->login.len;
+ 
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index 926db19443..945be05c6a 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -25,6 +25,7 @@ SRC_URI = " \
    file://0001-configure-libxslt-conf.patch \
    file://CVE-2024-7347-1.patch \
    file://CVE-2024-7347-2.patch \
+    file://CVE-2025-53859.patch \
 "
 inherit siteinfo update-rc.d useradd systemd

diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2025-53859.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2025-53859.patch new file mode 100755 index 0000000000..6f689938f4 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2025-53859.patch
@@ -0,0 +1,131 @@
		1	CVE: CVE-2025-53859
		2	Upstream-Status: Backport [https://nginx.org/download/patch.2025.smtp.txt]
		3	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		4
		5	diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
		6	index 1167df3fb..d3be7f3b3 100644
		7	--- a/src/mail/ngx_mail_handler.c
		8	+++ b/src/mail/ngx_mail_handler.c
		9	@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t s, ngx_connection_t c)
		10	ngx_int_t
		11	ngx_mail_auth_plain(ngx_mail_session_t s, ngx_connection_t c, ngx_uint_t n)
		12	{
		13	- u_char p, last;
		14	+ u_char p, pos, *last;
		15	ngx_str_t *arg, plain;
		16
		17	arg = s->args.elts;
		18	@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t s, ngx_connection_t c, ngx_uint_t n)
		19	return NGX_MAIL_PARSE_INVALID_COMMAND;
		20	}
		21
		22	- s->login.data = p;
		23	+ pos = p;
		24
		25	while (p < last && *p) { p++; }
		26
		27	@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t s, ngx_connection_t c, ngx_uint_t n)
		28	return NGX_MAIL_PARSE_INVALID_COMMAND;
		29	}
		30
		31	- s->login.len = p++ - s->login.data;
		32	+ s->login.len = p++ - pos;
		33	+ s->login.data = pos;
		34
		35	s->passwd.len = last - p;
		36	s->passwd.data = p;
		37	@@ -583,24 +584,26 @@ ngx_int_t
		38	ngx_mail_auth_login_username(ngx_mail_session_t s, ngx_connection_t c,
		39	ngx_uint_t n)
		40	{
		41	- ngx_str_t *arg;
		42	+ ngx_str_t *arg, login;
		43
		44	arg = s->args.elts;
		45
		46	ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
		47	"mail auth login username: \"%V\"", &arg[n]);
		48
		49	- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
		50	- if (s->login.data == NULL) {
		51	+ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
		52	+ if (login.data == NULL) {
		53	return NGX_ERROR;
		54	}
		55
		56	- if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
		57	+ if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
		58	ngx_log_error(NGX_LOG_INFO, c->log, 0,
		59	"client sent invalid base64 encoding in AUTH LOGIN command");
		60	return NGX_MAIL_PARSE_INVALID_COMMAND;
		61	}
		62
		63	+ s->login = login;
		64	+
		65	ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
		66	"mail auth login username: \"%V\"", &s->login);
		67
		68	@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t s, ngx_connection_t c,
		69	ngx_int_t
		70	ngx_mail_auth_login_password(ngx_mail_session_t s, ngx_connection_t c)
		71	{
		72	- ngx_str_t *arg;
		73	+ ngx_str_t *arg, passwd;
		74
		75	arg = s->args.elts;
		76
		77	@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t s, ngx_connection_t c)
		78	"mail auth login password: \"%V\"", &arg[0]);
		79	#endif
		80
		81	- s->passwd.data = ngx_pnalloc(c->pool,
		82	- ngx_base64_decoded_length(arg[0].len));
		83	- if (s->passwd.data == NULL) {
		84	+ passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
		85	+ if (passwd.data == NULL) {
		86	return NGX_ERROR;
		87	}
		88
		89	- if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
		90	+ if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
		91	ngx_log_error(NGX_LOG_INFO, c->log, 0,
		92	"client sent invalid base64 encoding in AUTH LOGIN command");
		93	return NGX_MAIL_PARSE_INVALID_COMMAND;
		94	}
		95
		96	+ s->passwd = passwd;
		97	+
		98	#if (NGX_DEBUG_MAIL_PASSWD)
		99	ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
		100	"mail auth login password: \"%V\"", &s->passwd);
		101	@@ -674,24 +678,26 @@ ngx_int_t
		102	ngx_mail_auth_cram_md5(ngx_mail_session_t s, ngx_connection_t c)
		103	{
		104	u_char p, last;
		105	- ngx_str_t *arg;
		106	+ ngx_str_t *arg, login;
		107
		108	arg = s->args.elts;
		109
		110	ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
		111	"mail auth cram-md5: \"%V\"", &arg[0]);
		112
		113	- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
		114	- if (s->login.data == NULL) {
		115	+ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
		116	+ if (login.data == NULL) {
		117	return NGX_ERROR;
		118	}
		119
		120	- if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
		121	+ if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
		122	ngx_log_error(NGX_LOG_INFO, c->log, 0,
		123	"client sent invalid base64 encoding in AUTH CRAM-MD5 command");
		124	return NGX_MAIL_PARSE_INVALID_COMMAND;
		125	}
		126
		127	+ s->login = login;
		128	+
		129	p = s->login.data;
		130	last = p + s->login.len;
		131


diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index 926db19443..945be05c6a 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -25,6 +25,7 @@ SRC_URI = " \
25	file://0001-configure-libxslt-conf.patch \	25	file://0001-configure-libxslt-conf.patch \
26	file://CVE-2024-7347-1.patch \	26	file://CVE-2024-7347-1.patch \
27	file://CVE-2024-7347-2.patch \	27	file://CVE-2024-7347-2.patch \
		28	file://CVE-2025-53859.patch \
28	"	29	"
29		30
30	inherit siteinfo update-rc.d useradd systemd	31	inherit siteinfo update-rc.d useradd systemd