diff --git a/backport-CVE-2022-41742_CVE-2022-41741.patch b/backport-CVE-2022-41742_CVE-2022-41741.patch
deleted file mode 100644
index 74444e98aefc5c20c203b8c89a663d5f39518615..0000000000000000000000000000000000000000
--- a/backport-CVE-2022-41742_CVE-2022-41741.patch
+++ /dev/null
@@ -1,310 +0,0 @@
-From 0d23105373e6d8a720b9826079c077b9b4be919d Mon Sep 17 00:00:00 2001
-From: Roman Arutyunyan
-Date: Wed, 19 Oct 2022 10:53:17 +0300
-Subject: [PATCH] Mp4: disabled duplicate atoms.
-
-Most atoms should not appear more than once in a container. Previously,
-this was not enforced by the module, which could result in worker process
-crash, memory corruption and disclosure.
----
- src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++
- 1 file changed, 147 insertions(+)
-
-diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
-index 5721efbe60..75a7315f98 100644
---- a/src/http/modules/ngx_http_mp4_module.c
-+++ b/src/http/modules/ngx_http_mp4_module.c
-@@ -1121,6 +1121,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- return NGX_ERROR;
- }
-
-+ if (mp4->ftyp_atom.buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
-
- ftyp_atom = ngx_palloc(mp4->request->pool, atom_size);
-@@ -1179,6 +1185,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- return NGX_DECLINED;
- }
-
-+ if (mp4->moov_atom.buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module);
-
- if (atom_data_size > mp4->buffer_size) {
-@@ -1246,6 +1258,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom");
-
-+ if (mp4->mdat_atom.buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- data = &mp4->mdat_data_buf;
- data->file = &mp4->file;
- data->in_file = 1;
-@@ -1372,6 +1390,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom");
-
-+ if (mp4->mvhd_atom.buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom_header = ngx_mp4_atom_header(mp4);
- mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header;
- mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header;
-@@ -1637,6 +1661,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
-
- trak = ngx_mp4_last_trak(mp4);
-+
-+ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- trak->tkhd_size = atom_size;
- trak->movie_duration = duration;
-
-@@ -1676,6 +1707,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- trak = ngx_mp4_last_trak(mp4);
-
-+ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom = &trak->mdia_atom_buf;
- atom->temporary = 1;
- atom->pos = atom_header;
-@@ -1799,6 +1836,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
-
- trak = ngx_mp4_last_trak(mp4);
-+
-+ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- trak->mdhd_size = atom_size;
- trak->timescale = timescale;
- trak->duration = duration;
-@@ -1862,6 +1906,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- trak = ngx_mp4_last_trak(mp4);
-
-+ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom = &trak->hdlr_atom_buf;
- atom->temporary = 1;
- atom->pos = atom_header;
-@@ -1890,6 +1940,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- trak = ngx_mp4_last_trak(mp4);
-
-+ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom = &trak->minf_atom_buf;
- atom->temporary = 1;
- atom->pos = atom_header;
-@@ -1933,6 +1989,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- trak = ngx_mp4_last_trak(mp4);
-
-+ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
-+ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
-+ {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 vmhd/smhd atom in \"%s\"",
-+ mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom = &trak->vmhd_atom_buf;
- atom->temporary = 1;
- atom->pos = atom_header;
-@@ -1964,6 +2029,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- trak = ngx_mp4_last_trak(mp4);
-
-+ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
-+ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
-+ {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 vmhd/smhd atom in \"%s\"",
-+ mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom = &trak->smhd_atom_buf;
- atom->temporary = 1;
- atom->pos = atom_header;
-@@ -1995,6 +2069,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- trak = ngx_mp4_last_trak(mp4);
-
-+ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom = &trak->dinf_atom_buf;
- atom->temporary = 1;
- atom->pos = atom_header;
-@@ -2023,6 +2103,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- trak = ngx_mp4_last_trak(mp4);
-
-+ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom = &trak->stbl_atom_buf;
- atom->temporary = 1;
- atom->pos = atom_header;
-@@ -2144,6 +2230,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
-
- trak = ngx_mp4_last_trak(mp4);
-
-+ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- atom = &trak->stsd_atom_buf;
- atom->temporary = 1;
- atom->pos = atom_header;
-@@ -2212,6 +2304,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t);
-
- trak = ngx_mp4_last_trak(mp4);
-+
-+ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- trak->time_to_sample_entries = entries;
-
- atom = &trak->stts_atom_buf;
-@@ -2480,6 +2579,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- "sync sample entries:%uD", entries);
-
- trak = ngx_mp4_last_trak(mp4);
-+
-+ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- trak->sync_samples_entries = entries;
-
- atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t);
-@@ -2678,6 +2784,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- "composition offset entries:%uD", entries);
-
- trak = ngx_mp4_last_trak(mp4);
-+
-+ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- trak->composition_offset_entries = entries;
-
- atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t);
-@@ -2881,6 +2994,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t);
-
- trak = ngx_mp4_last_trak(mp4);
-+
-+ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- trak->sample_to_chunk_entries = entries;
-
- atom = &trak->stsc_atom_buf;
-@@ -3213,6 +3333,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- "sample uniform size:%uD, entries:%uD", size, entries);
-
- trak = ngx_mp4_last_trak(mp4);
-+
-+ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- trak->sample_sizes_entries = entries;
-
- atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t);
-@@ -3396,6 +3523,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- atom_end = atom_table + entries * sizeof(uint32_t);
-
- trak = ngx_mp4_last_trak(mp4);
-+
-+ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
-+ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
-+ {
-+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
-+ "duplicate mp4 stco/co64 atom in \"%s\"",
-+ mp4->file.name.data);
-+ return NGX_ERROR;
-+ }
-+
- trak->chunks = entries;
-
- atom = &trak->stco_atom_buf;
-@@ -3602,6 +3739,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
- atom_end = atom_table + entries * sizeof(uint64_t);
-
- trak = ngx_mp4_last_trak(mp4);
-+
-+ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
-+ || 
trak->out[NGX_HTTP_MP4_CO64_ATOM].buf) -+ { -+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, -+ "duplicate mp4 stco/co64 atom in \"%s\"", -+ mp4->file.name.data); -+ return NGX_ERROR; -+ } -+ - trak->chunks = entries; - - atom = &trak->co64_atom_buf; diff --git a/nginx-1.21.5.tar.gz b/nginx-1.21.5.tar.gz deleted file mode 100644 index 207d55ca58ce3176bf02c79d043b5b32dd2a5ac1..0000000000000000000000000000000000000000 Binary files a/nginx-1.21.5.tar.gz and /dev/null differ diff --git a/nginx-1.24.0.tar.gz b/nginx-1.24.0.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..1aeeaf85881597dec6537e927c8c6819385c779c Binary files /dev/null and b/nginx-1.24.0.tar.gz differ diff --git a/nginx.conf b/nginx.conf index f85920a863387006605204bf4676c32a7a1464ec..af67cbb6eaf5638e93aa85b24f62f39b7633532c 100644 --- a/nginx.conf +++ b/nginx.conf @@ -4,7 +4,7 @@ user nginx; worker_processes auto; -error_log /var/log/nginx/error.log; +error_log /var/log/nginx/error.log notice; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. @@ -23,7 +23,6 @@ http { sendfile on; tcp_nopush on; - tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 4096; diff --git a/nginx.spec b/nginx.spec index 7c829da5b093dd9ff3ba5b5d64216a82c179da8b..2822cbe9aa220d6ad5227927b079bcc000ef0d60 100644 --- a/nginx.spec +++ b/nginx.spec @@ -16,8 +16,8 @@ Name: nginx Epoch: 1 -Version: 1.21.5 -Release: 5 +Version: 1.24.0 +Release: 1 Summary: A HTTP server, reverse proxy and mail proxy server License: BSD URL: http://nginx.org/ @@ -39,7 +39,6 @@ Source210: UPGRADE-NOTES-1.6-to-1.10 Patch0: nginx-auto-cc-gcc.patch Patch1: nginx-1.12.1-logs-perm.patch Patch2: nginx-fix-pidfile.patch -Patch3: backport-CVE-2022-41742_CVE-2022-41741.patch BuildRequires: gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel Requires: nginx-filesystem = %{epoch}:%{version}-%{release} openssl 
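Review bot: The nginx.spec hunk at `@@ -39,7 +39,6 @@` drops `Patch3: backport-CVE-2022-41742_CVE-2022-41741.patch` without any record of why, so a reader of the package history cannot tell whether the mp4 duplicate-atom checks survive the rebase. By its own description the removed patch stopped duplicate atoms in `ngx_http_mp4_module.c` from causing worker crash, memory corruption and disclosure. Presumably 1.24.0 already contains that change upstream, but this should be confirmed against `src/http/modules/ngx_http_mp4_module.c` in the new tarball (for example, that the `duplicate mp4 ... atom` checks are present) before the build is published. I would also state it in the `%changelog` entry, e.g. `- Drop backport-CVE-2022-41742_CVE-2022-41741.patch, included upstream`.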
@@ -388,6 +387,9 @@ fi %{_mandir}/man8/nginx.8* %changelog +* Thu Aug 17 2023 Funda Wang - 1:1.24.0-1 +- New version 1.24.0 + * Wed Dec 21 2022 snoweay - 1:1.21.5-5 - add safety compile options