From b7148ebb478f1607fa080d2b46aca289a6944936 Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Wed, 21 Aug 2024 12:29:06 +0530 Subject: nginx: Backport fix for CVE-2024-7347 Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f and https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4] Signed-off-by: Ashish Sharma Signed-off-by: Armin Kuster --- .../nginx/files/CVE-2024-7347-1.patch | 34 ++++++++++++++ .../nginx/files/CVE-2024-7347-2.patch | 52 ++++++++++++++++++++++ meta-webserver/recipes-httpd/nginx/nginx.inc | 2 + 3 files changed, 88 insertions(+) create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-1.patch create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-2.patch diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-1.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-1.patch new file mode 100644 index 0000000000..23723d63d4 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-1.patch @@ -0,0 +1,34 @@ +From 88955b1044ef38315b77ad1a509d63631a790a0f Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Mon, 12 Aug 2024 18:20:45 +0400 +Subject: [PATCH] Mp4: rejecting unordered chunks in stsc atom. + +Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk +in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() +this caused buffer overread while trying to calculate trak->end_offset. + +CVE: CVE-2024-7347 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f] +Signed-off-by: Ashish Sharma + + src/http/modules/ngx_http_mp4_module.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 1cd017c274..041ad263b5 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + + next_chunk = ngx_mp4_get_32value(entry->chunk); + ++ if (next_chunk < chunk) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "unordered mp4 stsc chunks in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, + "sample:%uD, chunk:%uD, chunks:%uD, " + "samples:%uD, id:%uD", diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-2.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-2.patch new file mode 100644 index 0000000000..5b8d08a1e1 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-2.patch @@ -0,0 +1,52 @@ +From 7362d01658b61184108c21278443910da68f93b4 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Mon, 12 Aug 2024 18:20:43 +0400 +Subject: [PATCH] Mp4: fixed buffer underread while updating stsz atom. + +While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer +overflow could happen, which could result in incorrect seeking and a very large +value stored in "samples". This resulted in a large invalid value of +trak->end_chunk_samples. This value is further used to calculate the value of +trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing +this, a large invalid value of trak->end_chunk_samples could result in reading +memory before stsz atom start. This could potentially result in a segfault. + +CVE: CVE-2024-7347 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4] +Signed-off-by: Ashish Sharma + + src/http/modules/ngx_http_mp4_module.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 03175dea21..1cd017c274 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -3099,7 +3099,8 @@ static ngx_int_t + ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + ngx_http_mp4_trak_t *trak, ngx_uint_t start) + { +- uint32_t start_sample, chunk, samples, id, next_chunk, n, ++ uint64_t n; ++ uint32_t start_sample, chunk, samples, id, next_chunk, + prev_samples; + ngx_buf_t *data, *buf; + ngx_uint_t entries, target_chunk, chunk_samples; +@@ -3160,7 +3161,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + "samples:%uD, id:%uD", + start_sample, chunk, next_chunk - chunk, samples, id); + +- n = (next_chunk - chunk) * samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample < n) { + goto found; +@@ -3182,7 +3183,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD", + start_sample, chunk, next_chunk - chunk, samples); + +- n = (next_chunk - chunk) * samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample > n) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index 83ae90c40c..926db19443 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc @@ -23,6 +23,8 @@ SRC_URI = " \ file://nginx.service \ file://nginx-fix-pidfile.patch \ file://0001-configure-libxslt-conf.patch \ + file://CVE-2024-7347-1.patch \ + file://CVE-2024-7347-2.patch \ " inherit siteinfo update-rc.d useradd systemd -- cgit v1.2.3-54-g00ecf