mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
nginx: fix CVE-2026-28753
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix. Backport the commit[3] from 1.28.3 changelog matching the description. [1] https://my.f5.com/manage/s/article/K000160367 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-28753 [3] https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,93 @@
|
|||||||
|
From 7e705808a8568a091a8ecf418ed9f77914304fcc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Roman Arutyunyan <arut@nginx.com>
|
||||||
|
Date: Thu, 26 Feb 2026 11:52:53 +0400
|
||||||
|
Subject: [PATCH] Mail: host validation.
|
||||||
|
|
||||||
|
Now host name resolved from client address is validated to only contain
|
||||||
|
the characters specified in RFC 1034, Section 3.5. The validation allows
|
||||||
|
to avoid injections when using the resolved host name in auth_http and
|
||||||
|
smtp proxy.
|
||||||
|
|
||||||
|
Reported by Asim Viladi Oglu Manizada, Colin Warren,
|
||||||
|
Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
|
||||||
|
Bird Liu (Lanzhou University).
|
||||||
|
|
||||||
|
(cherry picked from commit 6a8513761fb327f67fcc6cfcf1ad216887e2589f)
|
||||||
|
|
||||||
|
CVE: CVE-2026-28753
|
||||||
|
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6a8513761fb327f67fcc6cfcf1ad216887e2589f]
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/mail/ngx_mail_smtp_handler.c | 45 ++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 45 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
|
||||||
|
index e68ceedfd..e477741c8 100644
|
||||||
|
--- a/src/mail/ngx_mail_smtp_handler.c
|
||||||
|
+++ b/src/mail/ngx_mail_smtp_handler.c
|
||||||
|
@@ -13,6 +13,7 @@
|
||||||
|
|
||||||
|
|
||||||
|
static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
|
||||||
|
+static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name);
|
||||||
|
static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
|
||||||
|
static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
|
||||||
|
static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
|
||||||
|
@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) {
|
||||||
|
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
|
||||||
|
+ "%V resolved to invalid host name \"%V\"",
|
||||||
|
+ &c->addr_text, &ctx->name);
|
||||||
|
+
|
||||||
|
+ s->host = smtp_tempunavail;
|
||||||
|
+
|
||||||
|
+ ngx_resolve_addr_done(ctx);
|
||||||
|
+
|
||||||
|
+ ngx_mail_smtp_greeting(s, s->connection);
|
||||||
|
+
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
c->log->action = "in resolving client hostname";
|
||||||
|
|
||||||
|
s->host.data = ngx_pstrdup(c->pool, &ctx->name);
|
||||||
|
@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
+static ngx_int_t
|
||||||
|
+ngx_mail_smtp_validate_host(ngx_str_t *name)
|
||||||
|
+{
|
||||||
|
+ u_char ch;
|
||||||
|
+ ngx_uint_t i;
|
||||||
|
+
|
||||||
|
+ if (name->len == 0) {
|
||||||
|
+ return NGX_DECLINED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < name->len; i++) {
|
||||||
|
+ ch = name->data[i];
|
||||||
|
+
|
||||||
|
+ /* allow only characters from RFC 1034, Section 3.5 */
|
||||||
|
+
|
||||||
|
+ if ((ch >= 'a' && ch <= 'z')
|
||||||
|
+ || (ch >= 'A' && ch <= 'Z')
|
||||||
|
+ || (ch >= '0' && ch <= '9')
|
||||||
|
+ || ch == '-' || ch == '.')
|
||||||
|
+ {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return NGX_DECLINED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return NGX_OK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
static void
|
||||||
|
ngx_mail_smtp_resolve_name(ngx_event_t *rev)
|
||||||
|
{
|
||||||
@@ -7,6 +7,7 @@ SRC_URI:append = " \
|
|||||||
file://CVE-2026-28755.patch \
|
file://CVE-2026-28755.patch \
|
||||||
file://CVE-2026-27651.patch \
|
file://CVE-2026-27651.patch \
|
||||||
file://CVE-2026-27654.patch \
|
file://CVE-2026-27654.patch \
|
||||||
|
file://CVE-2026-28753.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
|
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
|
||||||
|
|||||||
Reference in New Issue
Block a user