From 00a70a727ec3eb3a33ee8ba3e542747ad331f2ea Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati Date: Mon, 6 Apr 2026 12:03:03 +0530 Subject: [PATCH] nginx: fix CVE-2026-27784, CVE-2026-28755 Pick up patch [1] and [2] from Debian report. [1] https://security-tracker.debian.org/tracker/CVE-2026-27784 [2] https://security-tracker.debian.org/tracker/CVE-2026-28755 More details : [1]: https://nvd.nist.gov/vuln/detail/CVE-2026-27784 [2]: https://nvd.nist.gov/vuln/detail/CVE-2026-28755 Signed-off-by: Hitendra Prajapati Signed-off-by: Gyorgy Sarvari --- .../nginx/nginx-1.24.0/CVE-2026-27784.patch | 88 +++++++++++++++++++ .../nginx/nginx-1.24.0/CVE-2026-28755.patch | 48 ++++++++++ .../recipes-httpd/nginx/nginx_1.24.0.bb | 5 ++ 3 files changed, 141 insertions(+) create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27784.patch create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27784.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27784.patch new file mode 100644 index 0000000000..41a8563c67 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-27784.patch @@ -0,0 +1,88 @@ +From b23ac73b00313d159a99636c21ef71b828781018 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Mon, 2 Mar 2026 21:12:34 +0400 +Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms. + +Previously, a 32-bit overflow could happen while validating atom entries +count. This allowed processing of an invalid atom with entrires beyond +its boundaries with reads and writes outside of the allocated mp4 buffer. + +Reported by Prabhav Srinath (sprabhav7). + +CVE: CVE-2026-27784 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018] +Signed-off-by: Hitendra Prajapati +--- + src/http/modules/ngx_http_mp4_module.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 041ad26..a7f8be7 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -2294,7 +2294,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "mp4 time-to-sample entries:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t) +- + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stts atom too small", mp4->file.name.data); +@@ -2597,7 +2597,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom->last = atom_table; + + if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t) +- + entries * sizeof(uint32_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stss atom too small", mp4->file.name.data); +@@ -2802,7 +2802,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom->last = atom_table; + + if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t) +- + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 ctts atom too small", mp4->file.name.data); +@@ -2984,7 +2984,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sample-to-chunk entries:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t) +- + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stsc atom too small", mp4->file.name.data); +@@ -3362,7 +3362,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + if (size == 0) { + if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t) +- + entries * sizeof(uint32_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stsz atom too small", +@@ -3521,7 +3521,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t) +- + entries * sizeof(uint32_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stco atom too small", mp4->file.name.data); +@@ -3737,7 +3737,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t) +- + entries * sizeof(uint64_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint64_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 co64 atom too small", mp4->file.name.data); +-- +2.50.1 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch new file mode 100644 index 0000000000..37e6d5b3b4 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch @@ -0,0 +1,48 @@ +From 78f581487706f2e43eea5a060c516fc4d98090e8 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Tue, 17 Mar 2026 19:20:03 +0400 +Subject: [PATCH] Stream: fixed client certificate validation with OCSP. + +Check for OCSP status was missed in 581cf2267, resulting +in a broken validation. + +Reported by Mufeed VH of Winfunc Research. + +CVE: CVE-2026-28755 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8] +Signed-off-by: Hitendra Prajapati +--- + src/stream/ngx_stream_ssl_module.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c +index 1ba1825..c8e8323 100644 +--- a/src/stream/ngx_stream_ssl_module.c ++++ b/src/stream/ngx_stream_ssl_module.c +@@ -335,6 +335,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s) + long rc; + X509 *cert; + ngx_int_t rv; ++ const char *str; + ngx_connection_t *c; + ngx_stream_ssl_conf_t *sslcf; + +@@ -385,6 +386,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s) + + X509_free(cert); + } ++ ++ if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ "client SSL certificate verify error: %s", str); ++ ++ ngx_ssl_remove_cached_session(c->ssl->session_ctx, ++ (SSL_get0_session(c->ssl->connection))); ++ return NGX_ERROR; ++ } + } + + return NGX_OK; +-- +2.50.1 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index 2e865e400e..c843b67975 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb @@ -2,5 +2,10 @@ require nginx.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632" +SRC_URI:append = " \ + file://CVE-2026-27784.patch \ + file://CVE-2026-28755.patch \ + " + SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"