From 9be1704f23ebe1f6a25d615538bdcebfee11d834 Mon Sep 17 00:00:00 2001 From: Cameron E Baird Date: Wed, 28 Aug 2024 11:18:55 -0700 Subject: [PATCH] nginx: Address CVE-2024-7347 (#10190) --- SPECS/nginx/CVE-2024-7347.patch | 78 +++++++++++++++++++++++++++++++++ SPECS/nginx/nginx.spec | 6 ++- 2 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 SPECS/nginx/CVE-2024-7347.patch diff --git a/SPECS/nginx/CVE-2024-7347.patch b/SPECS/nginx/CVE-2024-7347.patch new file mode 100644 index 00000000000..bbfad40576a --- /dev/null +++ b/SPECS/nginx/CVE-2024-7347.patch @@ -0,0 +1,78 @@ +From 7362d01658b61184108c21278443910da68f93b4 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Mon, 12 Aug 2024 18:20:43 +0400 +Subject: [PATCH] Mp4: fixed buffer underread while updating stsz atom. + +While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer +overflow could happen, which could result in incorrect seeking and a very large +value stored in "samples". This resulted in a large invalid value of +trak->end_chunk_samples. This value is further used to calculate the value of +trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing +this, a large invalid value of trak->end_chunk_samples could result in reading +memory before stsz atom start. This could potentially result in a segfault. +--- + src/http/modules/ngx_http_mp4_module.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 03175dea21..1cd017c274 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -3099,7 +3099,8 @@ static ngx_int_t + ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + ngx_http_mp4_trak_t *trak, ngx_uint_t start) + { +- uint32_t start_sample, chunk, samples, id, next_chunk, n, ++ uint64_t n; ++ uint32_t start_sample, chunk, samples, id, next_chunk, + prev_samples; + ngx_buf_t *data, *buf; + ngx_uint_t entries, target_chunk, chunk_samples; +@@ -3160,7 +3161,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + "samples:%uD, id:%uD", + start_sample, chunk, next_chunk - chunk, samples, id); + +- n = (next_chunk - chunk) * samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample < n) { + goto found; +@@ -3182,7 +3183,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD", + start_sample, chunk, next_chunk - chunk, samples); + +- n = (next_chunk - chunk) * samples; ++ n = (uint64_t) (next_chunk - chunk) * samples; + + if (start_sample > n) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, +From 88955b1044ef38315b77ad1a509d63631a790a0f Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Mon, 12 Aug 2024 18:20:45 +0400 +Subject: [PATCH] Mp4: rejecting unordered chunks in stsc atom. + +Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk +in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() +this caused buffer overread while trying to calculate trak->end_offset. +--- + src/http/modules/ngx_http_mp4_module.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 1cd017c274..041ad263b5 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, + + next_chunk = ngx_mp4_get_32value(entry->chunk); + ++ if (next_chunk < chunk) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "unordered mp4 stsc chunks in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; ++ } ++ + ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, + "sample:%uD, chunk:%uD, chunks:%uD, " + "samples:%uD, id:%uD", diff --git a/SPECS/nginx/nginx.spec b/SPECS/nginx/nginx.spec index 4e6b2cd228e..a3022eb044c 100644 --- a/SPECS/nginx/nginx.spec +++ b/SPECS/nginx/nginx.spec @@ -7,7 +7,7 @@ Name: nginx # Currently on "stable" version of nginx from https://nginx.org/en/download.html. # Note: Stable versions are even (1.20), mainline versions are odd (1.21) Version: 1.22.1 -Release: 11%{?dist} +Release: 12%{?dist} License: BSD-2-Clause Vendor: Microsoft Corporation Distribution: Mariner @@ -18,6 +18,7 @@ Source1: nginx.service Source2: https://github.com/nginx/njs/archive/refs/tags/%{njs_version}.tar.gz#/%{name}-njs-%{njs_version}.tar.gz Source3: https://github.com/open-telemetry/opentelemetry-cpp-contrib/archive/%{opentelemetry_cpp_contrib_git_commit}.tar.gz#/opentelemetry-cpp-contrib-%{opentelemetry_cpp_contrib_git_commit}.tar.gz Patch0: CVE-2023-44487.patch +Patch1: CVE-2024-7347.patch BuildRequires: libxml2-devel BuildRequires: libxslt-devel BuildRequires: openssl-devel @@ -145,6 +146,9 @@ exit 0 %{_sysconfdir}/%{name}/modules/otel_ngx_module.so %changelog +* Tue Aug 20 2024 Cameron Baird - 1.22.1-12 +- Fix CVE-2024-7347 + * Thu Oct 05 2023 Dan Streetman - 1.22.1-11 - Fix CVE-2023-44487