diff options
author | Ralph Siemsen <ralph.siemsen@linaro.org> | 2022-03-15 14:53:09 -0400 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2022-03-27 08:18:20 -0700 |
commit | 0940e1e38274673100076689f8f5ecd54bf632f3 (patch) | |
tree | c67b02374d58ad681471eaac9326533f905555b9 | |
parent | e6a4c8e5c546e684eae839a22a7dec65c3d67050 (diff) | |
download | meta-openembedded-0940e1e38274673100076689f8f5ecd54bf632f3.tar.gz |
nginx: backport fix for CVE-2019-20372
Fixed an HTTP request smuggling with certain error_page configurations
which could have allowed unauthorized web page reads.
This issue affects nginx prior to 1.17.7, so only the recipe for 1.16.1
needs the patch applied.
Fix is taken directly from
https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch | 39 | ||||
-rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb | 2 |
2 files changed, 41 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch new file mode 100644 index 0000000000..45653e422e --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2019-20372.patch @@ -0,0 +1,39 @@ +From 6511195c023bf03e0fb19a36f41f42f4edde6e88 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov <ru@nginx.com> +Date: Mon, 23 Dec 2019 15:45:46 +0300 +Subject: [PATCH] Discard request body when redirecting to a URL via + error_page. + +Reported by Bert JW Regeer and Francisco Oca Gonzalez. + +Upstream-Status: Backport +CVE: CVE-2019-20372 + +Reference to upstream patch: +https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e + +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> +--- + src/http/ngx_http_special_response.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 4ffb2cc8..76e67058 100644 +--- a/src/http/ngx_http_special_response.c ++++ b/src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) { +-- +2.17.1 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb index 207642575b..09d58b8fb9 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.16.1.bb @@ -4,3 +4,5 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=52e384aaac868b755b93ad5535e2d075" SRC_URI[md5sum] = "45a80f75336c980d240987badc3dcf60" SRC_URI[sha256sum] = "f11c2a6dd1d3515736f0324857957db2de98be862461b5a542a3ac6188dbe32b" + +SRC_URI += "file://CVE-2019-20372.patch" |