nginx: patch CVE-2026-48142

Backport patch [1] mentioned in [2].

[1] https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7

[2] https://security-tracker.debian.org/tracker/CVE-2026-48142

Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Theo Gaige (Schneider Electric)
2026-06-23 11:20:18 +02:00
committed by Anuj Mittal
parent 1d301aca63
commit bc3f9f396d
2 changed files with 44 additions and 0 deletions
@@ -0,0 +1,43 @@
From f0a5aa7beb3d210753dfb104dcfd873bf1af35f0 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Mon, 1 Jun 2026 21:46:48 +0400
Subject: [PATCH] Charset: fixed another rare buffer overread in
recode_from_utf8()
With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte
overread on invalid UTF-8 sequences. The reason is ngx_utf8_decode()
stops advancing the pointer position on the first encountered invalid
byte. The fix is to adjust the advanced pointer up to the whole saved
sequence in this case. Note that this may result in different output
compared to complete invalid UTF-8 sequences, which we can disregard
at this point.
Reported by Han Yan of Xiaomi and p4p3r of CYBERONE.
(cherry picked from commit 60c4243eb8775d51662a01def8a7dad5d9fb34a7)
CVE: CVE-2026-48142
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7]
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
---
src/http/modules/ngx_http_charset_filter_module.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
index 7a518e3..ed80b5e 100644
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0,
"http charset invalid utf 1");
+ if (saved < &ctx->saved[ctx->saved_len]) {
+ saved = &ctx->saved[ctx->saved_len];
+ }
+
} else {
dst = ngx_sprintf(dst, "&#%uD;", n);
}
--
2.43.0
@@ -15,6 +15,7 @@ SRC_URI:append = " \
file://CVE-2026-42946-01.patch \ file://CVE-2026-42946-01.patch \
file://CVE-2026-42946-02.patch \ file://CVE-2026-42946-02.patch \
file://CVE-2026-9256.patch \ file://CVE-2026-9256.patch \
file://CVE-2026-48142.patch \
" "
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"