mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

nginx: patch CVE-2026-42945

Browse Source 
Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686

[2] https://security-tracker.debian.org/tracker/CVE-2026-42945

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Theo Gaige (Schneider Electric)
2026-05-20 16:24:37 +02:00
committed by Anuj Mittal
parent b7758e9380
commit 96870679e8
2 changed files with 47 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch
+46
View File
@@ -0,0 +1,46 @@
From 3d990abc5cb4adc2368da603a419c9944aaa5f65 Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Wed, 22 Apr 2026 09:39:31 +0400
Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
The following code resulted in incorrect escaping of $1 and possible
segfault:
location / {
rewrite ^(.*) /new?c=1;
set $myvar $1;
return 200 $myvar;
}
If there were arguments in a rewrite's replacement string, the is_args flag
was set and incorrectly never cleared. This resulted in escaping applied
to any captures evaluated afterwards in set or if. Additionally buffer was
allocated by ngx_http_script_complex_value_code() without escaping expected,
thus this also resulted in buffer overrun and possible segfault.
A similar issue was fixed in 74d939974d43.
Reported by Leo Lin.
CVE: CVE-2026-42945
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686]
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
src/http/ngx_http_script.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
index a2b9f1b..2ea6113 100644
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
r = e->request;
+ e->is_args = 0;
e->quote = 0;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
--
2.43.0
meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+1
View File
@@ -11,6 +11,7 @@ SRC_URI:append = " \
file://CVE-2026-32647.patch \
file://CVE-2026-40701.patch \
file://CVE-2026-42934.patch \
file://CVE-2026-42945.patch \
"
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"