[meta-oe,dunfell] nginx: fix CVE-2021-3618

Submitted by Armin Kuster on Aug. 21, 2021, 7:22 p.m. | Patch ID: 180147

Details

Message ID 20210821192224.3764987-1-akuster808@gmail.com
State New

Commit Message

Armin Kuster Aug. 21, 2021, 7:22 p.m.
From: Joe Slater <joe.slater@windriver.com>

Source: meta-openembedded.ort
MR: 112731
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/nginx?id=f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5
ChangeID: dd3295b606d73e01dd09291d85d529dea17a1a9e
Description:

Backport with no change a patch from version 1.21.0.  This patch
was not cherry-picked by nginx to version 1.20.1.

Information about this CVE comes from
https://ubuntu.com/security/CVE-2021-3618.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5)
[refresh patch for Dunfell context]
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../nginx/files/CVE-2021-3618.patch           | 89 +++++++++++++++++++
 meta-webserver/recipes-httpd/nginx/nginx.inc  |  1 +
 2 files changed, 90 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch


diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
new file mode 100644
index 0000000000..3fab8bac6c
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
@@ -0,0 +1,89 @@ 
+From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Wed, 19 May 2021 03:13:31 +0300
+Subject: [PATCH 1/1] Mail: max_errors directive.
+
+Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+in Exim, specifies the number of errors after which the connection is closed.
+Index: nginx-1.16.1/src/mail/ngx_mail.h
+===================================================================
+--- nginx-1.16.1.orig/src/mail/ngx_mail.h
++++ nginx-1.16.1/src/mail/ngx_mail.h
+@@ -113,6 +113,8 @@ typedef struct {
+     ngx_msec_t              timeout;
+     ngx_msec_t              resolver_timeout;
+ 
++    ngx_uint_t              max_errors;
++
+     ngx_str_t               server_name;
+ 
+     u_char                 *file_name;
+@@ -225,6 +227,7 @@ typedef struct {
+     ngx_uint_t              command;
+     ngx_array_t             args;
+ 
++    ngx_uint_t              errors;
+     ngx_uint_t              login_attempt;
+ 
+     /* used to parse POP3/IMAP/SMTP command */
+Index: nginx-1.16.1/src/mail/ngx_mail_core_module.c
+===================================================================
+--- nginx-1.16.1.orig/src/mail/ngx_mail_core_module.c
++++ nginx-1.16.1/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@ static ngx_command_t  ngx_mail_core_comm
+       offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+       NULL },
+ 
++    { ngx_string("max_errors"),
++      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++      ngx_conf_set_num_slot,
++      NGX_MAIL_SRV_CONF_OFFSET,
++      offsetof(ngx_mail_core_srv_conf_t, max_errors),
++      NULL },
++
+       ngx_null_command
+ };
+ 
+@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t
+     cscf->timeout = NGX_CONF_UNSET_MSEC;
+     cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ 
++    cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+     cscf->resolver = NGX_CONF_UNSET_PTR;
+ 
+     cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t
+     ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+                               30000);
+ 
++    ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+ 
+     ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+ 
+Index: nginx-1.16.1/src/mail/ngx_mail_handler.c
+===================================================================
+--- nginx-1.16.1.orig/src/mail/ngx_mail_handler.c
++++ nginx-1.16.1/src/mail/ngx_mail_handler.c
+@@ -753,7 +753,20 @@ ngx_mail_read_command(ngx_mail_session_t
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++    if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++        s->errors++;
++
++        if (s->errors >= cscf->max_errors) {
++            ngx_log_error(NGX_LOG_INFO, c->log, 0,
++                          "client sent too many invalid commands");
++            s->quit = 1;
++        }
++
++        return rc;
++    }
++
++    if (rc == NGX_IMAP_NEXT) {
+         return rc;
+     }
+ 
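Review bot: The header of the added CVE-2021-3618.patch (from the `From 6dafcdeb…` line down to the first `Index:` line) carries no `Upstream-Status:` tag, no `CVE:` tag and no Signed-off-by, so the file itself does not record where the fix came from or that it was refreshed for nginx-1.16.1. I would add `CVE: CVE-2021-3618`, `Upstream-Status: Backport [<upstream commit URL>]` and the backporter's `Signed-off-by:` above the first `Index:` line, so the provenance of this security fix can be checked against upstream without the mailing-list thread. In the ngx_mail_handler.c part, the new test `s->errors >= cscf->max_errors` uses `cscf`, which is declared outside the hunk. The mail sources are presumably compiled only when the mail module is enabled, so the refreshed patch should be build-tested with that module configured.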
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index a4583ed8f8..903a62b3d7 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -23,6 +23,7 @@  SRC_URI = " \
     file://nginx.service \
     file://nginx-fix-pidfile.patch \
     file://CVE-2021-23017.patch \
+    file://CVE-2021-3618.patch \
 "
 
 inherit siteinfo update-rc.d useradd systemd
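Review bot: The new `file://CVE-2021-3618.patch \` entry goes into the SRC_URI of nginx.inc, which is presumably shared by every nginx version recipe in the layer, while the patch itself was refreshed against nginx-1.16.1 (its `Index:` lines name that tree). If another version recipe includes this file, the patch should be confirmed to apply there without fuzz, or be listed only in the 1.16.1 recipe. The SRC_URI assignment starts outside the hunk.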