Import Debian changes 1.18.0-6.1+deb11u2

1ace86a8 · Jan Mojžíš · Dylan Aïssi · b0ba0776 · 1ace86a8 · 1ace86a8
Commit 1ace86a8 authored 2 years ago by Jan Mojžíš Committed by Dylan Aïssi 2 years ago
--- a/debian/changelog
+++ b/debian/changelog
+nginx (1.18.0-6.1+deb11u2) bullseye; urgency=medium
+
+  * d/patches/CVE-2021-3618.patch: Include upstream changeset from NGINX
+    that adds mitigations into the Mail module for CVE-2021-3618.patch.
+    (Closes: #991328)
+
+ -- Jan Mojžíš <jan.mojzis@gmail.com>  Sat, 14 May 2022 08:27:08 +0200
+
+nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium
+
+  * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when
+    libnginx-mod-http-lua is loaded and init_worker_by_lua* is used.
+    (Closes: #994178)
+
+ -- Jan Mojžíš <jan.mojzis@gmail.com>  Tue, 15 Mar 2022 21:36:18 +0100
+
 nginx (1.18.0-6.1) unstable; urgency=high

  * Non-maintainer upload.

--- a/debian/modules/patches/http-lua/bug-994178-segfault.patch
+++ b/debian/modules/patches/http-lua/bug-994178-segfault.patch
+From: Datong Sun <dndx@idndx.com>
+Date: Wed Jul 18 16:21:09 2018 -0700
+Origin: https://github.com/openresty/lua-nginx-module/commit/e94f2e5d64daa45ff396e262d8dab8e56f5f10e0
+Subject: fixed segfault in NGINX core >= 1.15.0 when init_worker_by_lua* is
+ used.
+
+Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
+
+diff --git a/src/ngx_http_lua_initworkerby.c b/src/ngx_http_lua_initworkerby.c
+index 4a722a06..2a82fcb9 100644
+--- a/src/ngx_http_lua_initworkerby.c
+++ b/src/ngx_http_lua_initworkerby.c
+@@ -25,6 +25,7 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle)
+     void                        *cur, *prev;
+     ngx_uint_t                   i;
+     ngx_conf_t                   conf;
+    ngx_conf_file_t              cf_file;
+     ngx_cycle_t                 *fake_cycle;
+     ngx_module_t               **modules;
+     ngx_open_file_t             *file, *ofile;
+@@ -166,6 +167,10 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle)
+     conf.pool = fake_cycle->pool;
+     conf.log = cycle->log;
+
+    ngx_memzero(&cf_file, sizeof(cf_file));
+    cf_file.file.name = cycle->conf_file;
+    conf.conf_file = &cf_file;
+
+     http_ctx.loc_conf = ngx_pcalloc(conf.pool,
+                                     sizeof(void *) * ngx_http_max_module);
+     if (http_ctx.loc_conf == NULL) {
--- a/debian/modules/patches/http-lua/series
+++ b/debian/modules/patches/http-lua/series
 discover-luajit-2.1.patch
 CVE-2020-11724.patch
+bug-994178-segfault.patch
--- a/debian/patches/CVE-2021-3618.patch
+++ b/debian/patches/CVE-2021-3618.patch
+Subject: Patch mitigation for CVE-2021-3618
+ Mail: max_errors directive.
+ .
+ Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+ in Exim, specifies the number of errors after which the connection is closed.
+Origin: upstream, http://hg.nginx.org/nginx/rev/ec1071830799
+Bug-Debian: https://bugs.debian.org/991328
+
+--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
+@@ -115,6 +115,8 @@
+     ngx_msec_t              timeout;
+     ngx_msec_t              resolver_timeout;
+ 
+    ngx_uint_t              max_errors;
+
+     ngx_str_t               server_name;
+ 
+     u_char                 *file_name;
+@@ -231,6 +233,7 @@
+     ngx_uint_t              command;
+     ngx_array_t             args;
+ 
+    ngx_uint_t              errors;
+     ngx_uint_t              login_attempt;
+ 
+     /* used to parse POP3/IMAP/SMTP command */
+--- a/src/mail/ngx_mail_core_module.c
+++ b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@
+       offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+       NULL },
+ 
+    { ngx_string("max_errors"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_core_srv_conf_t, max_errors),
+      NULL },
+
+       ngx_null_command
+ };
+ 
+@@ -163,6 +170,8 @@
+     cscf->timeout = NGX_CONF_UNSET_MSEC;
+     cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ 
+    cscf->max_errors = NGX_CONF_UNSET_UINT;
+
+     cscf->resolver = NGX_CONF_UNSET_PTR;
+ 
+     cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@
+     ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+                               30000);
+ 
+    ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+ 
+     ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+ 
+--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
+@@ -871,7 +871,20 @@
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+    if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+
+        s->errors++;
+
+        if (s->errors >= cscf->max_errors) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client sent too many invalid commands");
+            s->quit = 1;
+        }
+
+        return rc;
+    }
+
+    if (rc == NGX_IMAP_NEXT) {
+         return rc;
+     }
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 CVE-2019-20372.patch
 Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
+CVE-2021-3618.patch