Compare commits
67 Commits
| Author | SHA1 | Date |
|---|---|---|
Felix Kaechele
|
7e0328ccf6 | |
Felix Kaechele
|
be3281ae9b | |
|
Felix Kaechele
|
0cc5fc00c4 | |
|
Felix Kaechele
|
8325e98e19 | |
|
Felix Kaechele
|
e4b9c8a028 | |
|
Felix Kaechele
|
058fcd1881 | |
Robert Scheck
|
956dc7e0d3 | |
|
Felix Kaechele
|
0d69dc951a | |
Warren Togami
|
bd6f020456 | |
|
Warren Togami
|
793b7e1d28 | |
Jamie Nguyen
|
c18be768fe | |
Tadej Janež
|
023a09b06a | |
Luboš Uhliarik
|
7c6355f049 | |
|
Luboš Uhliarik
|
f959394896 | |
|
Jamie Nguyen
|
0ad69b3018 | |
|
Jamie Nguyen
|
1f569e93dc | |
|
Jamie Nguyen
|
4859abf2bd | |
|
Jamie Nguyen
|
950c07b784 | |
|
Jamie Nguyen
|
a9d27fe9fb | |
|
Jamie Nguyen
|
d8a9dd4d5a | |
|
Jamie Nguyen
|
7be939a1eb | |
|
Jamie Nguyen
|
02037aa84e | |
|
Jamie Nguyen
|
fc810867b3 | |
|
Jamie Nguyen
|
193efa4e1d | |
|
Jamie Nguyen
|
2f9b55b87b | |
|
Jamie Nguyen
|
310718c028 | |
|
Jamie Nguyen
|
bfa5831962 | |
|
Jamie Nguyen
|
6e067ad07d | |
|
Jamie Nguyen
|
89a360a565 | |
|
Jamie Nguyen
|
b73f5f3ef9 | |
|
Jamie Nguyen
|
d6fe3140ac | |
|
Jamie Nguyen
|
41a69e61a1 | |
|
Jamie Nguyen
|
14760f87c2 | |
|
Jamie Nguyen
|
8895b33172 | |
|
Jamie Nguyen
|
2711a74d48 | |
Ville Skyttä
|
b1999fb929 | |
|
Jamie Nguyen
|
3b023b1fa5 | |
|
Jamie Nguyen
|
66c81d4eac | |
|
Jamie Nguyen
|
1f6028c976 | |
|
Jamie Nguyen
|
19236f4025 | |
|
Jamie Nguyen
|
fc84ebd99d | |
|
Jamie Nguyen
|
8b3545a6ae | |
|
Jamie Nguyen
|
a05b40aebb | |
|
Jamie Nguyen
|
822ac7d7f4 | |
|
Jamie Nguyen
|
8960fe5b7c | |
|
Jamie Nguyen
|
abfbfbdfeb | |
|
Jamie Nguyen
|
fc7b5b3b29 | |
|
Jamie Nguyen
|
c7df15134f | |
|
Jamie Nguyen
|
675148b262 | |
|
Jamie Nguyen
|
56a5c49435 | |
|
Jamie Nguyen
|
bb4239efa0 | |
|
Jamie Nguyen
|
09d71762bc | |
|
Jamie Nguyen
|
aa7abdd0d6 | |
|
Jamie Nguyen
|
618531bf75 | |
|
Jamie Nguyen
|
c6a4d3a834 | |
|
Jamie Nguyen
|
ce560d3c4b | |
|
Jamie Nguyen
|
b074711b52 | |
Warren Togami
|
e754ce11f2 | |
|
Warren Togami
|
23f650d0c7 | |
|
Jamie Nguyen
|
95d07b04c4 | |
|
Jamie Nguyen
|
2ef2d094a7 | |
|
Jamie Nguyen
|
5b0b18bc81 | |
|
Jamie Nguyen
|
3335a2cdf2 | |
|
Jamie Nguyen
|
1f05349f9e | |
Peter Borsa
|
fd256c6cd1 | |
|
Jamie Nguyen
|
d5faf95acf | |
Jonathan Steffan
|
e09136d836 |
|
|
@ -0,0 +1,313 @@
|
|||
From c200c8e90f7ab8b7f2138830955b31a43b3bd1b6 Mon Sep 17 00:00:00 2001
|
||||
From: Felix Kaechele <felix@kaechele.ca>
|
||||
Date: Thu, 10 Nov 2022 11:45:38 -0500
|
||||
Subject: [PATCH] backport fix CVE-2022-41741 and CVE-2022-41742
|
||||
|
||||
Backported to 1.20.1
|
||||
|
||||
Signed-off-by: Felix Kaechele <felix@kaechele.ca>
|
||||
---
|
||||
src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++
|
||||
1 file changed, 147 insertions(+)
|
||||
|
||||
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
|
||||
index 0e93fbd..4f4d89d 100644
|
||||
--- a/src/http/modules/ngx_http_mp4_module.c
|
||||
+++ b/src/http/modules/ngx_http_mp4_module.c
|
||||
@@ -1070,6 +1070,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
+ if (mp4->ftyp_atom.buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
|
||||
|
||||
ftyp_atom = ngx_palloc(mp4->request->pool, atom_size);
|
||||
@@ -1128,6 +1134,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
+ if (mp4->moov_atom.buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module);
|
||||
|
||||
if (atom_data_size > mp4->buffer_size) {
|
||||
@@ -1195,6 +1207,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom");
|
||||
|
||||
+ if (mp4->mdat_atom.buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
data = &mp4->mdat_data_buf;
|
||||
data->file = &mp4->file;
|
||||
data->in_file = 1;
|
||||
@@ -1321,6 +1339,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom");
|
||||
|
||||
+ if (mp4->mvhd_atom.buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom_header = ngx_mp4_atom_header(mp4);
|
||||
mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header;
|
||||
mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header;
|
||||
@@ -1586,6 +1610,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
+
|
||||
+ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
trak->tkhd_size = atom_size;
|
||||
|
||||
ngx_mp4_set_32value(tkhd_atom->size, atom_size);
|
||||
@@ -1624,6 +1655,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
|
||||
+ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom = &trak->mdia_atom_buf;
|
||||
atom->temporary = 1;
|
||||
atom->pos = atom_header;
|
||||
@@ -1747,6 +1784,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
+
|
||||
+ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
trak->mdhd_size = atom_size;
|
||||
trak->timescale = timescale;
|
||||
|
||||
@@ -1789,6 +1833,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
|
||||
+ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom = &trak->hdlr_atom_buf;
|
||||
atom->temporary = 1;
|
||||
atom->pos = atom_header;
|
||||
@@ -1817,6 +1867,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
|
||||
+ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom = &trak->minf_atom_buf;
|
||||
atom->temporary = 1;
|
||||
atom->pos = atom_header;
|
||||
@@ -1860,6 +1916,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
|
||||
+ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
|
||||
+ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
|
||||
+ {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 vmhd/smhd atom in \"%s\"",
|
||||
+ mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom = &trak->vmhd_atom_buf;
|
||||
atom->temporary = 1;
|
||||
atom->pos = atom_header;
|
||||
@@ -1891,6 +1956,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
|
||||
+ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
|
||||
+ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
|
||||
+ {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 vmhd/smhd atom in \"%s\"",
|
||||
+ mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom = &trak->smhd_atom_buf;
|
||||
atom->temporary = 1;
|
||||
atom->pos = atom_header;
|
||||
@@ -1922,6 +1996,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
|
||||
+ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom = &trak->dinf_atom_buf;
|
||||
atom->temporary = 1;
|
||||
atom->pos = atom_header;
|
||||
@@ -1950,6 +2030,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
|
||||
+ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom = &trak->stbl_atom_buf;
|
||||
atom->temporary = 1;
|
||||
atom->pos = atom_header;
|
||||
@@ -2018,6 +2104,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
|
||||
+ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
atom = &trak->stsd_atom_buf;
|
||||
atom->temporary = 1;
|
||||
atom->pos = atom_header;
|
||||
@@ -2086,6 +2178,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t);
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
+
|
||||
+ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
trak->time_to_sample_entries = entries;
|
||||
|
||||
atom = &trak->stts_atom_buf;
|
||||
@@ -2291,6 +2390,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
"sync sample entries:%uD", entries);
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
+
|
||||
+ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
trak->sync_samples_entries = entries;
|
||||
|
||||
atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t);
|
||||
@@ -2489,6 +2595,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
"composition offset entries:%uD", entries);
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
+
|
||||
+ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
trak->composition_offset_entries = entries;
|
||||
|
||||
atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t);
|
||||
@@ -2692,6 +2805,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t);
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
+
|
||||
+ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
trak->sample_to_chunk_entries = entries;
|
||||
|
||||
atom = &trak->stsc_atom_buf;
|
||||
@@ -3024,6 +3144,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
"sample uniform size:%uD, entries:%uD", size, entries);
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
+
|
||||
+ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
trak->sample_sizes_entries = entries;
|
||||
|
||||
atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t);
|
||||
@@ -3207,6 +3334,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
atom_end = atom_table + entries * sizeof(uint32_t);
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
+
|
||||
+ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
|
||||
+ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
|
||||
+ {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 stco/co64 atom in \"%s\"",
|
||||
+ mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
trak->chunks = entries;
|
||||
|
||||
atom = &trak->stco_atom_buf;
|
||||
@@ -3413,6 +3550,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
||||
atom_end = atom_table + entries * sizeof(uint64_t);
|
||||
|
||||
trak = ngx_mp4_last_trak(mp4);
|
||||
+
|
||||
+ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
|
||||
+ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
|
||||
+ {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "duplicate mp4 stco/co64 atom in \"%s\"",
|
||||
+ mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
trak->chunks = entries;
|
||||
|
||||
atom = &trak->co64_atom_buf;
|
||||
--
|
||||
2.38.1
|
||||
|
||||
|
|
@ -41,7 +41,7 @@
|
|||
Name: nginx
|
||||
Epoch: 1
|
||||
Version: 1.20.1
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
|
||||
Summary: A high performance web server and reverse proxy server
|
||||
# BSD License (two clause)
|
||||
|
|
@ -79,6 +79,9 @@ Patch1: 0002-fix-PIDFile-handling.patch
|
|||
# Fix for CVE-2021-3618: ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication
|
||||
Patch2: http://hg.nginx.org/nginx/raw-rev/ec1071830799
|
||||
|
||||
# Fix for CVE-2022-41741 and CVE-2022-41742: Memory corruption/disclosure in the ngx_http_mp4_module
|
||||
Patch3: 0001-backport-fix-CVE-2022-41741-and-CVE-2022-41742.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gnupg2
|
||||
|
|
@ -578,6 +581,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Nov 10 2022 Felix Kaechele <felix@kaechele.ca> - 1:1.20.1-10
|
||||
- backport fix for CVE-2022-41741 and CVE-2022-41742
|
||||
|
||||
* Mon Oct 18 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.1-9
|
||||
- fix installation of nginxmods.attr for EPEL 7
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue