mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

nginx: patch CVE-2026-42934

Browse Source 
Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a

[2] https://security-tracker.debian.org/tracker/CVE-2026-42934

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Theo Gaige (Schneider Electric)
2026-05-20 16:24:36 +02:00
committed by Anuj Mittal
parent 167e8b64dd
commit b7758e9380
2 changed files with 80 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42934.patch
+79
View File
@@ -0,0 +1,79 @@
From 9e8f535a9320a2f6bdc3ae9cf9e616ae0a29869e Mon Sep 17 00:00:00 2001
From: David Carlier <devnexen@gmail.com>
Date: Sun, 12 Apr 2026 07:13:23 +0100
Subject: [PATCH] Charset: fix buffer over-read in recode_from_utf8().
When a multi-byte UTF-8 character was split across 3+ single-byte
buffers, the saved bytes continuation path had two related bugs:
ngx_utf8_decode() was called with the last saved-array index instead
of the byte count, causing it to report "incomplete" even when the
sequence was already complete.
The subsequent ngx_memcpy() used that same index as the copy length,
reading past the input buffer boundary.
CVE: CVE-2026-42934
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/54b7945961b2eaafc480d6b85d9635d0db1c126a]
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
.../modules/ngx_http_charset_filter_module.c | 20 ++++++-------------
1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
index e52b96e..7a518e3 100644
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -689,7 +689,6 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
u_char c, *p, *src, *dst, *saved, **table;
uint32_t n;
ngx_buf_t *b;
- ngx_uint_t i;
ngx_chain_t *out, *cl, **ll;
src = buf->pos;
@@ -783,18 +782,12 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, pool->log, 0,
"http charset utf saved: %z", ctx->saved_len);
- p = src;
-
- for (i = ctx->saved_len; i < NGX_UTF_LEN; i++) {
- ctx->saved[i] = *p++;
-
- if (p == buf->last) {
- break;
- }
- }
+ len = ngx_min(NGX_UTF_LEN - ctx->saved_len, (size_t) (buf->last - src));
+ ngx_memcpy(&ctx->saved[ctx->saved_len], src, len);
+ len += ctx->saved_len;
saved = ctx->saved;
- n = ngx_utf8_decode(&saved, i);
+ n = ngx_utf8_decode(&saved, len);
c = '\0';
@@ -810,7 +803,7 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
/* incomplete UTF-8 symbol */
- if (i < NGX_UTF_LEN) {
+ if (len < NGX_UTF_LEN) {
out = ngx_http_charset_get_buf(pool, ctx);
if (out == NULL) {
return NULL;
@@ -823,8 +816,7 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
b->sync = 1;
b->shadow = buf;
- ngx_memcpy(&ctx->saved[ctx->saved_len], src, i);
- ctx->saved_len += i;
+ ctx->saved_len = len;
return out;
}
--
2.43.0
meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+1
View File
@@ -10,6 +10,7 @@ SRC_URI:append = " \
file://CVE-2026-28753.patch \
file://CVE-2026-32647.patch \
file://CVE-2026-40701.patch \
file://CVE-2026-42934.patch \
"
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"