diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch new file mode 100644 index 0000000000..f3c5ec4f7a --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch @@ -0,0 +1,43 @@ +From f0a5aa7beb3d210753dfb104dcfd873bf1af35f0 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Mon, 1 Jun 2026 21:46:48 +0400 +Subject: [PATCH] Charset: fixed another rare buffer overread in + recode_from_utf8() + +With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte +overread on invalid UTF-8 sequences. The reason is ngx_utf8_decode() +stops advancing the pointer position on the first encountered invalid +byte. The fix is to adjust the advanced pointer up to the whole saved +sequence in this case. Note that this may result in different output +compared to complete invalid UTF-8 sequences, which we can disregard +at this point. + +Reported by Han Yan of Xiaomi and p4p3r of CYBERONE. + +(cherry picked from commit 60c4243eb8775d51662a01def8a7dad5d9fb34a7) + +CVE: CVE-2026-48142 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7] +Signed-off-by: Theo Gaige (Schneider Electric) +--- + src/http/modules/ngx_http_charset_filter_module.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c +index 7a518e3..ed80b5e 100644 +--- a/src/http/modules/ngx_http_charset_filter_module.c ++++ b/src/http/modules/ngx_http_charset_filter_module.c +@@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf, + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0, + "http charset invalid utf 1"); + ++ if (saved < &ctx->saved[ctx->saved_len]) { ++ saved = &ctx->saved[ctx->saved_len]; ++ } ++ + } else { + dst = ngx_sprintf(dst, "&#%uD;", n); + } +-- +2.43.0 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index dee6c6618e..8498ce766e 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb @@ -15,6 +15,7 @@ SRC_URI:append = " \ file://CVE-2026-42946-01.patch \ file://CVE-2026-42946-02.patch \ file://CVE-2026-9256.patch \ + file://CVE-2026-48142.patch \ " SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"