From 502b0443cc9cb724ba626b2130291187c61e6e22 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 27 2018 08:38:46 +0000 Subject: import rh-nginx112-nginx-1.12.1-2.el7.1
---
diff --git a/SOURCES/nginx-1.12.1-CVE-2018-16843.patch b/SOURCES/nginx-1.12.1-CVE-2018-16843.patch
new file mode 100644
index 0000000..d8e012c
--- /dev/null
+++ b/SOURCES/nginx-1.12.1-CVE-2018-16843.patch
@@ -0,0 +1,49 @@
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 55db58e..429d06a 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -654,6 +654,7 @@ ngx_http_v2_handle_connection(ngx_http_v2_connection_t *h2c)
+
+ h2c->pool = NULL;
+ h2c->free_frames = NULL;
++ h2c->frames = 0;
+ h2c->free_fake_connections = NULL;
+
+ #if (NGX_HTTP_SSL)
+@@ -2640,7 +2641,7 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
+
+ frame->blocked = 0;
+
+- } else {
++ } else if (h2c->frames < 10000) {
+ pool = h2c->pool ? h2c->pool : h2c->connection->pool;
+
+ frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
+@@ -2664,6 +2665,15 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
+ frame->last = frame->first;
+
+ frame->handler = ngx_http_v2_frame_handler;
++
++ h2c->frames++;
++
++ } else {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "http2 flood detected");
++
++ h2c->connection->error = 1;
++ return NULL;
+ }
+
+ #if (NGX_DEBUG)
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index 7d2a2ea..49398b9 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -115,6 +115,7 @@ struct ngx_http_v2_connection_s {
+ ngx_http_connection_t *http_connection;
+
+ ngx_uint_t processing;
++ ngx_uint_t frames;
+
+ size_t send_window;
+ size_t recv_window;
diff --git a/SOURCES/nginx-1.12.1-CVE-2018-16844.patch b/SOURCES/nginx-1.12.1-CVE-2018-16844.patch
new file mode 100644
index 0000000..f8cf81b
--- /dev/null
+++ b/SOURCES/nginx-1.12.1-CVE-2018-16844.patch
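Review bot: In nginx-1.12.1-CVE-2018-16843.patch, the limit in `} else if (h2c->frames < 10000) {` in ngx_http_v2_get_frame is a bare literal with nothing saying what is counted. From the visible lines the counter is bumped only on the allocation path and cleared in ngx_http_v2_handle_connection next to `h2c->free_frames = NULL`, so it appears to cap frames allocated from the current pool rather than frames sent; a comment such as `/* cap on out frames allocated per pool lifetime; a peer that forces more is treated as a flood */` would record that. The "http2 flood detected" message is logged at `NGX_LOG_INFO` here and in the idle-handler check of nginx-1.12.1-CVE-2018-16844.patch, so an error_log left at the default `error` level records neither event; operators who want to alert on it need the log at `info` or a more verbose level. Both functions continue outside their hunks.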
@@ -0,0 +1,39 @@
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 429d06a..638ffaf 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -4206,12 +4206,19 @@ ngx_http_v2_idle_handler(ngx_event_t *rev)
+
+ #endif
+
+- c->destroyed = 0;
+- ngx_reusable_connection(c, 0);
+-
+ h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
+ ngx_http_v2_module);
+
++ if (h2c->idle++ > 10 * h2scf->max_requests) {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "http2 flood detected");
++ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);
++ return;
++ }
++
++ c->destroyed = 0;
++ ngx_reusable_connection(c, 0);
++
+ h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
+ if (h2c->pool == NULL) {
+ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index 49398b9..6c42fee 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -116,6 +116,7 @@ struct ngx_http_v2_connection_s {
+
+ ngx_uint_t processing;
+ ngx_uint_t frames;
++ ngx_uint_t idle;
+
+ size_t send_window;
+ size_t recv_window;
diff --git a/SOURCES/nginx-1.12.1-CVE-2018-16845.patch b/SOURCES/nginx-1.12.1-CVE-2018-16845.patch
new file mode 100644
index 0000000..04ac23d
--- /dev/null
+++ b/SOURCES/nginx-1.12.1-CVE-2018-16845.patch
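Review bot: In nginx-1.12.1-CVE-2018-16844.patch, the flood test `if (h2c->idle++ > 10 * h2scf->max_requests)` in ngx_http_v2_idle_handler has no comment on what `idle` counts or why the factor is 10, and the increment is hidden inside the comparison. A comment such as `/* idle is bumped each time the idle handler reaches this point; more than ten passes per permitted request is treated as a flood */` would make the threshold reviewable. Nothing in the visible hunks initialises or resets `idle`, so the check appears to rely on the connection structure being zero-filled when it is allocated, which should be confirmed outside this patch. The function body continues outside the hunk.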
@@ -0,0 +1,18 @@
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index f3c0fdd..294a656 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -942,6 +942,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file_t *mp4,
+ atom_size = ngx_mp4_get_64value(atom_header + 8);
+ atom_header_size = sizeof(ngx_mp4_atom_header64_t);
+
++ if (atom_size < sizeof(ngx_mp4_atom_header64_t)) {
++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++ "\"%s\" mp4 atom is too small:%uL",
++ mp4->file.name.data, atom_size);
++ return NGX_ERROR;
++ }
++
+ } else {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 atom is too small:%uL",
diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec
index b8778a0..dbcbe82 100644
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@@ -44,7 +44,7 @@ Name: %{?scl:%scl_prefix}nginx Epoch: 1 Version: 1.12.1 -Release: 2%{?dist} +Release: 2%{?dist}.1 Summary: A high performance web server and reverse proxy server Group: System Environment/Daemons # BSD License (two clause)
@@ -71,6 +71,9 @@ Source200: README.dynamic # removes -Werror in upstream build scripts. -Werror conflicts with # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. Patch0: nginx-auto-cc-gcc.patch +Patch1: nginx-1.12.1-CVE-2018-16843.patch +Patch2: nginx-1.12.1-CVE-2018-16844.patch +Patch3: nginx-1.12.1-CVE-2018-16845.patch BuildRequires: gd-devel %if 0%{?with_gperftools}
@@ -173,6 +176,9 @@ Requires: %{?scl:%scl_prefix}nginx %prep %setup -q -n nginx-%{version} %patch0 -p0 +%patch1 -p1 -b .CVE-2018-16843 +%patch2 -p1 -b .CVE-2018-16844 +%patch3 -p1 -b .CVE-2018-16845 cp %{SOURCE200} . %build
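Review bot: In nginx-1.12.1-CVE-2018-16845.patch, the new lower-bound check in the 64-bit size branch of ngx_http_mp4_read_atom has no comment saying why a size below `sizeof(ngx_mp4_atom_header64_t)` is fatal, and it logs the same "mp4 atom is too small" text as the existing else branch, so the two rejections cannot be told apart in the error log. I would add `/* a 64-bit atom size must at least cover its own extended header */` above the `if`. The hunk shows only this lower bound; the function continues outside the hunk, so it is worth confirming there that atom_size is also bounded against the remaining file length before it is used.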
@@ -609,6 +615,14 @@ fi %{_libdir}/nginx/modules/ngx_stream_module.so %changelog +* Thu Nov 15 2018 Lubos Uhliarik - 1:1.12.1-2.1 +- Resolves: #1648364 - CVE-2018-16845 rh-nginx112-nginx: nginx: + Denial of service and memory disclosure via mp4 module +- Resolves: #1650094 - CVE-2018-16844 rh-nginx112-nginx: nginx: + Excessive CPU usage via flaw in HTTP/2 implementation +- Resolves: #1650088 - CVE-2018-16843 rh-nginx112-nginx: nginx: + Excessive memory consumption via flaw in HTTP/2 implementation + * Tue Aug 08 2017 Luboš Uhliarik - 1:1.12.1-2 - Resolves: #1468712 - missing dependency for perl package