--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: Ondrej Novy <onovy@debian.org>
- Subject: bullseye-pu: package nginx/1.18.0-6.1
- From: Jan Mojzis <jan.mojzis@gmail.com>
- Date: Wed, 16 Mar 2022 12:28:13 +0100
- Message-id: <164743009214.1625287.15887140490528267119.reportbug@dev.h.mojzis.com>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
Current version of nginx currently shipped in Debian 11
segfaults when libnginx-mod-http-lua is loaded and init_worker_by_lua* is used.
[ Reason ]
There is a bug in the libnginx-mod-http-lua module.
In the C code is 'conf. file variable' which is copied to the unalocated memory
space which cause segmentation fault.
[ Impact ]
Nginx crash.
[ Tests ]
/etc/nginx/nginx/conf:
~~~
user www-data;
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;
events {
worker_connections 768;
}
http {
init_worker_by_lua_block {
}
server {
listen 80;
location / {
return 200;
}
}
}
~~~
curl -D- http://127.0.0.1/
[ Risks ]
Minimal, the patch is trivial.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
debdiff:
diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog
--- nginx-1.18.0/debian/changelog 2021-05-29 16:21:37.000000000 +0200
+++ nginx-1.18.0/debian/changelog 2022-03-15 21:36:18.000000000 +0100
@@ -1,3 +1,11 @@
+nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium
+
+ * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when
+ libnginx-mod-http-lua is loaded and init_worker_by_lua* is used.
+ (Closes: #994178)
+
+ -- Jan Mojžíš <jan.mojzis@gmail.com> Tue, 15 Mar 2022 21:36:18 +0100
+
nginx (1.18.0-6.1) unstable; urgency=high
* Non-maintainer upload.
diff -Nru nginx-1.18.0/debian/modules/patches/http-lua/bug-994178-segfault.patch nginx-1.18.0/debian/modules/patches/http-lua/bug-994178-segfault.patch
--- nginx-1.18.0/debian/modules/patches/http-lua/bug-994178-segfault.patch 1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.18.0/debian/modules/patches/http-lua/bug-994178-segfault.patch 2022-03-15 21:36:18.000000000 +0100
@@ -0,0 +1,31 @@
+From: Datong Sun <dndx@idndx.com>
+Date: Wed Jul 18 16:21:09 2018 -0700
+Origin: https://github.com/openresty/lua-nginx-module/commit/e94f2e5d64daa45ff396e262d8dab8e56f5f10e0
+Subject: fixed segfault in NGINX core >= 1.15.0 when init_worker_by_lua* is
+ used.
+
+Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
+
+diff --git a/src/ngx_http_lua_initworkerby.c b/src/ngx_http_lua_initworkerby.c
+index 4a722a06..2a82fcb9 100644
+--- a/src/ngx_http_lua_initworkerby.c
++++ b/src/ngx_http_lua_initworkerby.c
+@@ -25,6 +25,7 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle)
+ void *cur, *prev;
+ ngx_uint_t i;
+ ngx_conf_t conf;
++ ngx_conf_file_t cf_file;
+ ngx_cycle_t *fake_cycle;
+ ngx_module_t **modules;
+ ngx_open_file_t *file, *ofile;
+@@ -166,6 +167,10 @@ ngx_http_lua_init_worker(ngx_cycle_t *cycle)
+ conf.pool = fake_cycle->pool;
+ conf.log = cycle->log;
+
++ ngx_memzero(&cf_file, sizeof(cf_file));
++ cf_file.file.name = cycle->conf_file;
++ conf.conf_file = &cf_file;
++
+ http_ctx.loc_conf = ngx_pcalloc(conf.pool,
+ sizeof(void *) * ngx_http_max_module);
+ if (http_ctx.loc_conf == NULL) {
diff -Nru nginx-1.18.0/debian/modules/patches/http-lua/series nginx-1.18.0/debian/modules/patches/http-lua/series
--- nginx-1.18.0/debian/modules/patches/http-lua/series 2021-05-29 16:21:37.000000000 +0200
+++ nginx-1.18.0/debian/modules/patches/http-lua/series 2022-03-15 21:36:18.000000000 +0100
@@ -1,2 +1,3 @@
discover-luajit-2.1.patch
CVE-2020-11724.patch
+bug-994178-segfault.patch
--- End Message ---