From dc9dfb7a271948fee171545c438257a29afb6f73 Mon Sep 17 00:00:00 2001
From: Felix Kaechele <heffer@fedoraproject.org>
Date: Thu, 24 Jun 2021 21:31:53 -0400
Subject: [PATCH] fix for CVE-2021-3618 (rhbz#1975651)

Signed-off-by: Felix Kaechele <heffer@fedoraproject.org>
---
 ec1071830799 | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 nginx.spec   |  8 ++++-
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 ec1071830799

diff --git a/ec1071830799 b/ec1071830799
new file mode 100644
index 0000000..3f46b6d
--- /dev/null
+++ b/ec1071830799
@@ -0,0 +1,91 @@
+
+# HG changeset patch
+# User Maxim Dounin <mdounin@mdounin.ru>
+# Date 1621383211 -10800
+# Node ID ec107183079903013faee7e67e8721262fd95552
+# Parent  b38728495e1aa06b685dc42c909fb02d3cddecfa
+Mail: max_errors directive.
+
+Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+in Exim, specifies the number of errors after which the connection is closed.
+
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail.h
+--- a/src/mail/ngx_mail.h	Wed May 19 03:13:28 2021 +0300
++++ b/src/mail/ngx_mail.h	Wed May 19 03:13:31 2021 +0300
+@@ -115,6 +115,8 @@
+     ngx_msec_t              timeout;
+     ngx_msec_t              resolver_timeout;
+ 
++    ngx_uint_t              max_errors;
++
+     ngx_str_t               server_name;
+ 
+     u_char                 *file_name;
+@@ -231,6 +233,7 @@
+     ngx_uint_t              command;
+     ngx_array_t             args;
+ 
++    ngx_uint_t              errors;
+     ngx_uint_t              login_attempt;
+ 
+     /* used to parse POP3/IMAP/SMTP command */
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail_core_module.c
+--- a/src/mail/ngx_mail_core_module.c	Wed May 19 03:13:28 2021 +0300
++++ b/src/mail/ngx_mail_core_module.c	Wed May 19 03:13:31 2021 +0300
+@@ -85,6 +85,13 @@
+       offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+       NULL },
+ 
++    { ngx_string("max_errors"),
++      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++      ngx_conf_set_num_slot,
++      NGX_MAIL_SRV_CONF_OFFSET,
++      offsetof(ngx_mail_core_srv_conf_t, max_errors),
++      NULL },
++
+       ngx_null_command
+ };
+ 
+@@ -163,6 +170,8 @@
+     cscf->timeout = NGX_CONF_UNSET_MSEC;
+     cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ 
++    cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+     cscf->resolver = NGX_CONF_UNSET_PTR;
+ 
+     cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@
+     ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+                               30000);
+ 
++    ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+ 
+     ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+ 
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail_handler.c
+--- a/src/mail/ngx_mail_handler.c	Wed May 19 03:13:28 2021 +0300
++++ b/src/mail/ngx_mail_handler.c	Wed May 19 03:13:31 2021 +0300
+@@ -874,7 +874,20 @@
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++    if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++        s->errors++;
++
++        if (s->errors >= cscf->max_errors) {
++            ngx_log_error(NGX_LOG_INFO, c->log, 0,
++                          "client sent too many invalid commands");
++            s->quit = 1;
++        }
++
++        return rc;
++    }
++
++    if (rc == NGX_IMAP_NEXT) {
+         return rc;
+     }
+ 
+
diff --git a/nginx.spec b/nginx.spec
index 03ce7b9..f6e90eb 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -29,7 +29,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.20.1
-Release:           2%{?dist}
+Release:           3%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@@ -62,6 +62,9 @@ Patch0:            0001-remove-Werror-in-upstream-build-scripts.patch
 # rejected upstream: https://trac.nginx.org/nginx/ticket/1897
 Patch1:            0002-fix-PIDFile-handling.patch
 
+# Fix for CVE-2021-3618: ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication
+Patch2:            http://hg.nginx.org/nginx/raw-rev/ec1071830799
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@@ -503,6 +506,9 @@ fi
 
 
 %changelog
+* Fri Jun 25 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.1-3
+- fix for CVE-2021-3618 (rhbz#1975651)
+
 * Tue Jun 01 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.1-2
 - use different fix for rhbz#1683388 as it introduced permissions issues in 1:1.20.0-2