packages/nginx
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-41742 CVE-2022-41741

Browse Source
This commit is contained in:
eaglegai 2022-10-26 03:11:08 +00:00
parent f2ab96bfc2
commit 3f403fdde0
2 changed files with 316 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

310
backport-CVE-2022-41742_CVE-2022-41741.patch Normal file
View File

@ -0,0 +1,310 @@
From 0d23105373e6d8a720b9826079c077b9b4be919d Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Wed, 19 Oct 2022 10:53:17 +0300
Subject: [PATCH] Mp4: disabled duplicate atoms.
Most atoms should not appear more than once in a container. Previously,
this was not enforced by the module, which could result in worker process
crash, memory corruption and disclosure.
---
src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++
1 file changed, 147 insertions(+)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 5721efbe60..75a7315f98 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -1121,6 +1121,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
return NGX_ERROR;
}
+ if (mp4->ftyp_atom.buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
ftyp_atom = ngx_palloc(mp4->request->pool, atom_size);
@@ -1179,6 +1185,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
return NGX_DECLINED;
}
+ if (mp4->moov_atom.buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module);
if (atom_data_size > mp4->buffer_size) {
@@ -1246,6 +1258,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom");
+ if (mp4->mdat_atom.buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
data = &mp4->mdat_data_buf;
data->file = &mp4->file;
data->in_file = 1;
@@ -1372,6 +1390,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom");
+ if (mp4->mvhd_atom.buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom_header = ngx_mp4_atom_header(mp4);
mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header;
mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header;
@@ -1637,6 +1661,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->tkhd_size = atom_size;
trak->movie_duration = duration;
@@ -1676,6 +1707,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->mdia_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1799,6 +1836,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->mdhd_size = atom_size;
trak->timescale = timescale;
trak->duration = duration;
@@ -1862,6 +1906,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->hdlr_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1890,6 +1940,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->minf_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1933,6 +1989,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
+ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 vmhd/smhd atom in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->vmhd_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1964,6 +2029,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
+ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 vmhd/smhd atom in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->smhd_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1995,6 +2069,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->dinf_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -2023,6 +2103,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->stbl_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -2144,6 +2230,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->stsd_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -2212,6 +2304,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->time_to_sample_entries = entries;
atom = &trak->stts_atom_buf;
@@ -2480,6 +2579,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"sync sample entries:%uD", entries);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->sync_samples_entries = entries;
atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t);
@@ -2678,6 +2784,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"composition offset entries:%uD", entries);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->composition_offset_entries = entries;
atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t);
@@ -2881,6 +2994,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->sample_to_chunk_entries = entries;
atom = &trak->stsc_atom_buf;
@@ -3213,6 +3333,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"sample uniform size:%uD, entries:%uD", size, entries);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->sample_sizes_entries = entries;
atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t);
@@ -3396,6 +3523,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_end = atom_table + entries * sizeof(uint32_t);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
+ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stco/co64 atom in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->chunks = entries;
atom = &trak->stco_atom_buf;
@@ -3602,6 +3739,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_end = atom_table + entries * sizeof(uint64_t);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
+ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stco/co64 atom in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->chunks = entries;
atom = &trak->co64_atom_buf;

7
nginx.spec
View File

@ -14,7 +14,7 @@
Name: nginx
Epoch: 1
Version: 1.21.5
Release: 2
Release: 3
Summary: A HTTP server, reverse proxy and mail proxy server
License: BSD
URL: http://nginx.org/
@ -34,6 +34,8 @@ Source210: UPGRADE-NOTES-1.6-to-1.10
Patch0: nginx-auto-cc-gcc.patch
Patch1: nginx-1.12.1-logs-perm.patch
Patch2: nginx-fix-pidfile.patch
Patch3: backport-CVE-2022-41742_CVE-2022-41741.patch
BuildRequires: gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel
Requires: nginx-filesystem = %{epoch}:%{version}-%{release} openssl
Requires: nginx-all-modules = %{epoch}:%{version}-%{release}
@ -345,6 +347,9 @@ fi
%{_mandir}/man8/nginx.8*
%changelog
* Wed Oct 26 2022 gaihuiying <eaglegai@163.com> - 1:1.21.5-3
- fix CVE-2022-41742 CVE-2022-41741
* Tue Jul 19 2022 gaihuiying <eaglegai@163.com> - 1:1.21.5-2
- switch pcre to pcre2