backport fix for CVE-2022-41741 and CVE-2022-41742

Signed-off-by: Felix Kaechele <felix@kaechele.ca>
2022-11-10 12:06:24 -05:00
2 changed files with 320 additions and 1 deletions
--- a/0001-backport-fix-CVE-2022-41741-and-CVE-2022-41742.patch
+++ b/0001-backport-fix-CVE-2022-41741-and-CVE-2022-41742.patch
@ -0,0 +1,313 @@
+From c200c8e90f7ab8b7f2138830955b31a43b3bd1b6 Mon Sep 17 00:00:00 2001
+From: Felix Kaechele <felix@kaechele.ca>
+Date: Thu, 10 Nov 2022 11:45:38 -0500
+Subject: [PATCH] backport fix CVE-2022-41741 and CVE-2022-41742
+
+Backported to 1.20.1
+
+Signed-off-by: Felix Kaechele <felix@kaechele.ca>
+---
+ src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++
+ 1 file changed, 147 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 0e93fbd..4f4d89d 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -1070,6 +1070,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+         return NGX_ERROR;
+     }
+ 
+    if (mp4->ftyp_atom.buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
+ 
+     ftyp_atom = ngx_palloc(mp4->request->pool, atom_size);
+@@ -1128,6 +1134,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+         return NGX_DECLINED;
+     }
+ 
+    if (mp4->moov_atom.buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module);
+ 
+     if (atom_data_size > mp4->buffer_size) {
+@@ -1195,6 +1207,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom");
+ 
+    if (mp4->mdat_atom.buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     data = &mp4->mdat_data_buf;
+     data->file = &mp4->file;
+     data->in_file = 1;
+@@ -1321,6 +1339,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom");
+ 
+    if (mp4->mvhd_atom.buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom_header = ngx_mp4_atom_header(mp4);
+     mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header;
+     mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header;
+@@ -1586,6 +1610,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
+ 
+     trak = ngx_mp4_last_trak(mp4);
+
+    if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     trak->tkhd_size = atom_size;
+ 
+     ngx_mp4_set_32value(tkhd_atom->size, atom_size);
+@@ -1624,6 +1655,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
+    if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom = &trak->mdia_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1747,6 +1784,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
+ 
+     trak = ngx_mp4_last_trak(mp4);
+
+    if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     trak->mdhd_size = atom_size;
+     trak->timescale = timescale;
+ 
+@@ -1789,6 +1833,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
+    if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom = &trak->hdlr_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1817,6 +1867,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
+    if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom = &trak->minf_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1860,6 +1916,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
+    if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
+        || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
+    {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 vmhd/smhd atom in \"%s\"",
+                      mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom = &trak->vmhd_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1891,6 +1956,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
+    if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
+        || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
+    {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 vmhd/smhd atom in \"%s\"",
+                      mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom = &trak->smhd_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1922,6 +1996,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
+    if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom = &trak->dinf_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1950,6 +2030,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
+    if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom = &trak->stbl_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -2018,6 +2104,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
+    if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     atom = &trak->stsd_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -2086,6 +2178,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t);
+ 
+     trak = ngx_mp4_last_trak(mp4);
+
+    if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     trak->time_to_sample_entries = entries;
+ 
+     atom = &trak->stts_atom_buf;
+@@ -2291,6 +2390,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "sync sample entries:%uD", entries);
+ 
+     trak = ngx_mp4_last_trak(mp4);
+
+    if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     trak->sync_samples_entries = entries;
+ 
+     atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t);
+@@ -2489,6 +2595,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "composition offset entries:%uD", entries);
+ 
+     trak = ngx_mp4_last_trak(mp4);
+
+    if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     trak->composition_offset_entries = entries;
+ 
+     atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t);
+@@ -2692,6 +2805,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t);
+ 
+     trak = ngx_mp4_last_trak(mp4);
+
+    if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     trak->sample_to_chunk_entries = entries;
+ 
+     atom = &trak->stsc_atom_buf;
+@@ -3024,6 +3144,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "sample uniform size:%uD, entries:%uD", size, entries);
+ 
+     trak = ngx_mp4_last_trak(mp4);
+
+    if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     trak->sample_sizes_entries = entries;
+ 
+     atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t);
+@@ -3207,6 +3334,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_end = atom_table + entries * sizeof(uint32_t);
+ 
+     trak = ngx_mp4_last_trak(mp4);
+
+    if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
+        || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
+    {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 stco/co64 atom in \"%s\"",
+                      mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     trak->chunks = entries;
+ 
+     atom = &trak->stco_atom_buf;
+@@ -3413,6 +3550,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_end = atom_table + entries * sizeof(uint64_t);
+ 
+     trak = ngx_mp4_last_trak(mp4);
+
+    if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
+        || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
+    {
+        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                      "duplicate mp4 stco/co64 atom in \"%s\"",
+                      mp4->file.name.data);
+        return NGX_ERROR;
+    }
+
+     trak->chunks = entries;
+ 
+     atom = &trak->co64_atom_buf;
+-- 
+2.38.1
+
--- a/nginx.spec
+++ b/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.20.2
-Release:           4%{?dist}
+Release:           5%{?dist}

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -79,6 +79,9 @@ Patch1:            0002-fix-PIDFile-handling.patch
 # Fix for CVE-2021-3618: ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication
 Patch2:            http://hg.nginx.org/nginx/raw-rev/ec1071830799

+# Fix for CVE-2022-41741 and CVE-2022-41742: Memory corruption/disclosure in the ngx_http_mp4_module
+Patch3:            0001-backport-fix-CVE-2022-41741-and-CVE-2022-41742.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -587,6 +590,9 @@ fi


 %changelog
+* Thu Nov 10 2022 Felix Kaechele <felix@kaechele.ca> - 1:1.20.2-5
+- backport fix for CVE-2022-41741 and CVE-2022-41742
+
 * Thu Mar 24 2022 Honza Horak <hhorak@redhat.com> - 1:1.20.2-4
 - Introduce core sub-package for having a daemon only with a minimal footprint