
Bug#1100336: marked as done (bookworm-pu: package nginx/1.22.1-9+deb12u2)



Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <E1uGDzS-005KI1-1e@coccia.debian.org>
and subject line Close 1100336
has caused the Debian Bug report #1100336,
regarding bookworm-pu: package nginx/1.22.1-9+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1100336: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100336
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: nginx@packages.debian.org, Jan Mojžíš <jan.mojzis@gmail.com>
Control: affects -1 + src:nginx
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I’d like to upload a backport of patches fixing CVE-2024-7347.
This issue has been fixed in the nginx version currently in trixie/unstable.
I also plan to upload a similar fix to the nginx version in bullseye, so, to
ensure users don’t update from an nginx with this bug fixed to one that’s
still vulnerable, I’d like to fix it in bookworm as well.

[ Reason ]

Nginx has a vulnerability in the ngx_http_mp4_module, which might allow
an attacker to over-read nginx worker memory resulting in its termination
using a specially crafted mp4 file. The issue only affects nginx if it
is built with the ngx_http_mp4_module and the mp4 directive is used in
the configuration file. Additionally, the attack is possible only if an
attacker can trigger the processing of a specially crafted mp4 file with
the ngx_http_mp4_module.

[ Impact ]

Since this bug is going to be fixed in bullseye, users may hit the
vulnerability once they upgrade to bookworm.

[ Tests ]

I ran the automated tests (autopkgtests) included in the package.

[ Risks ]

This change is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

This is a trivial cherry-pick of the upstream commits
7362d01658b and 88955b1044e without any manual fixups.

Thanks.

-- 
Cheers,
  Andrej
diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog
--- nginx-1.22.1/debian/changelog	2025-02-17 20:40:29.000000000 +0100
+++ nginx-1.22.1/debian/changelog	2025-03-12 18:55:08.000000000 +0100
@@ -1,3 +1,12 @@
+nginx (1.22.1-9+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * Add upstream patches for CVE-2024-7347:
+    - mp4: fix buffer underread while updating stsz atom
+    - mp4: reject unordered chunks in stsc atom
+
+ -- Andrej Shadura <andrewsh@debian.org>  Wed, 12 Mar 2025 18:55:08 +0100
+
 nginx (1.22.1-9+deb12u1) bookworm; urgency=medium
 
   * d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.
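Review bot: the new entry describes the two fixes but does not name the patch files it adds, while the previous entry ("d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.") does; for consistency and easier grepping of d/changelog, consider "d/p/CVE-2024-7347-1.patch, d/p/CVE-2024-7347-2.patch: add upstream patches for CVE-2024-7347" followed by the two sub-bullets.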
diff -Nru nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch
--- nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch	2025-03-12 18:54:39.000000000 +0100
@@ -0,0 +1,49 @@
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Mon, 12 Aug 2024 18:20:43 +0400
+Subject: Mp4: fixed buffer underread while updating stsz atom.
+
+While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer
+overflow could happen, which could result in incorrect seeking and a very large
+value stored in "samples".  This resulted in a large invalid value of
+trak->end_chunk_samples.  This value is further used to calculate the value of
+trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom().  While doing
+this, a large invalid value of trak->end_chunk_samples could result in reading
+memory before stsz atom start.  This could potentially result in a segfault.
+
+Origin: upstream, https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4
+---
+ src/http/modules/ngx_http_mp4_module.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 4eff01e..460d091 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3098,7 +3098,8 @@ static ngx_int_t
+ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+     ngx_http_mp4_trak_t *trak, ngx_uint_t start)
+ {
+-    uint32_t               start_sample, chunk, samples, id, next_chunk, n,
++    uint64_t               n;
++    uint32_t               start_sample, chunk, samples, id, next_chunk,
+                            prev_samples;
+     ngx_buf_t             *data, *buf;
+     ngx_uint_t             entries, target_chunk, chunk_samples;
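Review bot: widening only `n` is the minimal fix, but the reader is left to work out why 64 bits suffice: `next_chunk - chunk` and `samples` both stay uint32_t, so the largest product is (2^32 - 1)^2, which is below 2^64 and cannot wrap again; a one-line comment next to `uint64_t n;` stating that bound would make the invariant explicit. uint64_t rather than ngx_uint_t is the right choice here, since ngx_uint_t is 32 bits wide on 32-bit builds.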
+@@ -3159,7 +3160,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+                        "samples:%uD, id:%uD",
+                        start_sample, chunk, next_chunk - chunk, samples, id);
+ 
+-        n = (next_chunk - chunk) * samples;
++        n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+         if (start_sample < n) {
+             goto found;
+@@ -3181,7 +3182,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+                    "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
+                    start_sample, chunk, next_chunk - chunk, samples);
+ 
+-    n = (next_chunk - chunk) * samples;
++    n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+     if (start_sample > n) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
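Review bot: the tail computation now feeds an exact 64-bit `n` into `if (start_sample > n)`, where the uint32_t `start_sample` is promoted before the comparison, so the check is sound; note that the comparison is strict, so start_sample == n (one past the last sample of the final run) is accepted rather than rejected. If that is meant as the end-of-track position it deserves a comment, since the earlier loop uses `start_sample < n` for "inside a run".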
diff -Nru nginx-1.22.1/debian/patches/CVE-2024-7347-2.patch nginx-1.22.1/debian/patches/CVE-2024-7347-2.patch
--- nginx-1.22.1/debian/patches/CVE-2024-7347-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.22.1/debian/patches/CVE-2024-7347-2.patch	2025-03-12 18:54:39.000000000 +0100
@@ -0,0 +1,31 @@
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Mon, 12 Aug 2024 18:20:45 +0400
+Subject: Mp4: rejecting unordered chunks in stsc atom.
+
+Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
+in ngx_http_mp4_crop_stsc_data().  Later in ngx_http_mp4_update_stco_atom()
+this caused buffer overread while trying to calculate trak->end_offset.
+
+Origin: upstream, https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f
+---
+ src/http/modules/ngx_http_mp4_module.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 460d091..dfada7c 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3155,6 +3155,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+ 
+         next_chunk = ngx_mp4_get_32value(entry->chunk);
+ 
++        if (next_chunk < chunk) {
++            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                          "unordered mp4 stsc chunks in \"%s\"",
++                          mp4->file.name.data);
++            return NGX_ERROR;
++        }
++
+         ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
+                        "sample:%uD, chunk:%uD, chunks:%uD, "
+                        "samples:%uD, id:%uD",
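Review bot: `if (next_chunk < chunk)` rejects only strictly decreasing chunk indices; a repeated index (next_chunk == chunk) passes and yields an empty run with n = 0, which is harmless for the arithmetic but is still malformed stsc data, since first_chunk must be strictly increasing. Rejecting with `<=` would be stricter and would match the message "unordered mp4 stsc chunks" just as well; if the looser check is deliberate (tolerating real-world files with duplicate entries), a short comment saying so would help the next reader.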
diff -Nru nginx-1.22.1/debian/patches/series nginx-1.22.1/debian/patches/series
--- nginx-1.22.1/debian/patches/series	2025-02-17 20:40:29.000000000 +0100
+++ nginx-1.22.1/debian/patches/series	2025-03-12 18:54:39.000000000 +0100
@@ -4,3 +4,5 @@
 bug-1024605.patch
 bug-973861.patch
 CVE-2025-23419.patch
+CVE-2024-7347-1.patch
+CVE-2024-7347-2.patch
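Review bot: the order of the two new lines matters: CVE-2024-7347-2.patch carries the index line `460d091..dfada7c`, i.e. it is based on the tree after CVE-2024-7347-1.patch (which produces 460d091), and the hunk context it expects (the `next_chunk = ngx_mp4_get_32value(entry->chunk);` region) is unchanged by the first patch, so the series as written applies cleanly; just keep -1 before -2 if the series is ever reordered.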

--- End Message ---
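The arithmetic the two patches change, as an added worked example. This is a constructed C model written for this page, not nginx's code and not part of the bug report or the upstream commits: the `stsc_entry_t` type, the `crop_stsc` and `locate*` functions and the two sample tables are assumptions, and only the loop shape (run length `n`, `start_sample` reduced run by run, the `next_chunk < chunk` rejection) follows the hunks above. It shows the 32-bit product wrapping on a crafted stsc table and sending the seek to the wrong chunk, the 64-bit product locating the right chunk, and why the ordering check is still needed even with the wider product.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one stsc (sample-to-chunk) entry: first chunk of a run
 * and the samples each chunk in that run holds. Not nginx's own types. */
typedef struct {
    uint32_t first_chunk;        /* 1-based; the spec requires strictly increasing */
    uint32_t samples_per_chunk;
} stsc_entry_t;

typedef enum { CROP_FOUND, CROP_OUT_OF_RANGE, CROP_UNORDERED } crop_result_t;

/*
 * Find the chunk holding start_sample by walking the stsc runs, in the shape
 * of the loop in ngx_http_mp4_crop_stsc_data(): n is the sample count of the
 * current run and start_sample is reduced by n until it falls inside a run.
 *   wide        0: pre-patch 32-bit product   1: (uint64_t) product (patch 1)
 *   check_order 0: no ordering check          1: reject next_chunk < chunk (patch 2)
 * total_chunks bounds the last run (nginx uses trak->chunks + 1 there).
 */
static crop_result_t
crop_stsc(const stsc_entry_t *e, size_t entries, uint32_t total_chunks,
          uint32_t start_sample, int wide, int check_order, uint32_t *out_chunk)
{
    uint32_t  chunk, samples, next_chunk;
    uint64_t  n;
    size_t    i;

    if (entries == 0 || e[0].samples_per_chunk == 0) return CROP_OUT_OF_RANGE;

    chunk = e[0].first_chunk;
    samples = e[0].samples_per_chunk;

    for (i = 1; i < entries; i++) {
        next_chunk = e[i].first_chunk;

        if (check_order && next_chunk < chunk) {
            return CROP_UNORDERED;      /* patch 2: "unordered mp4 stsc chunks" */
        }

        if (wide) {
            n = (uint64_t) (next_chunk - chunk) * samples;   /* exact, < 2^64 */
        } else {
            n = (uint32_t) ((next_chunk - chunk) * samples); /* wraps mod 2^32 */
        }

        if (start_sample < n) {
            *out_chunk = chunk + start_sample / samples;
            return CROP_FOUND;
        }

        start_sample -= (uint32_t) n;   /* n <= start_sample here, so it fits */
        chunk = next_chunk;
        samples = e[i].samples_per_chunk;
        if (samples == 0) return CROP_OUT_OF_RANGE;
    }

    /* the last run extends to the final chunk of the track */
    next_chunk = total_chunks + 1;
    n = wide ? (uint64_t) (next_chunk - chunk) * samples
             : (uint32_t) ((next_chunk - chunk) * samples);

    if (start_sample >= n) return CROP_OUT_OF_RANGE;

    *out_chunk = chunk + start_sample / samples;
    return CROP_FOUND;
}

/* Constructed tables. "crafted": one run of 65536 chunks with 65537 samples
 * each; 65536 * 65537 = 2^32 + 65536 wraps to 65536 in 32-bit arithmetic.
 * "unordered": the second first_chunk is smaller than the first. */
static const stsc_entry_t crafted[]   = { { 1, 65537 }, { 65537, 1000000 } };
static const stsc_entry_t unordered[] = { { 5, 10 },    { 3, 10 } };

/* Returns the 1-based chunk on success, -1 if out of range, -2 if rejected. */
static long
locate(const stsc_entry_t *e, size_t entries, uint32_t total_chunks,
       uint32_t start_sample, int wide, int check_order)
{
    uint32_t chunk = 0;

    switch (crop_stsc(e, entries, total_chunks, start_sample, wide, check_order,
                      &chunk)) {
    case CROP_FOUND:     return (long) chunk;
    case CROP_UNORDERED: return -2;
    default:             return -1;
    }
}

static long locate_crafted(int wide, int check_order)
{
    return locate(crafted, 2, 65537, 100000, wide, check_order);
}

static long locate_unordered(int wide, int check_order)
{
    return locate(unordered, 2, 10, 0, wide, check_order);
}

int main(void)
{
    printf("sample 100000, 32-bit product: chunk %ld (wrong)\n", locate_crafted(0, 1));
    printf("sample 100000, 64-bit product: chunk %ld\n", locate_crafted(1, 1));
    printf("unordered stsc, no check:      chunk %ld (nonsense)\n", locate_unordered(1, 0));
    printf("unordered stsc, with check:    %ld (rejected)\n", locate_unordered(1, 1));
    return 0;
}
```

With the 32-bit product the first run appears to hold only 65536 samples, so sample 100000 is pushed past it into the last run; nginx then carried the bogus run length into `samples` and `end_chunk_samples`, which is what the first commit message describes. The 64-bit product places the sample in chunk 2, and the ordering check is what stops a decreasing `first_chunk` from turning `next_chunk - chunk` into a value near 2^32 even after the widening.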
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
