
Bug#1112459: marked as done (bookworm-pu: package nginx/1.22.1-9+deb12u3 (fix CVE-2025-53859))



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1112459,
regarding bookworm-pu: package nginx/1.22.1-9+deb12u3 (fix CVE-2025-53859)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1112459: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112459
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: nginx@packages.debian.org
Control: affects -1 + src:nginx
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
A security issue was identified in ngx_mail_smtp_module,
which might allow an attacker to cause a buffer over-read,
potentially resulting in a sensitive information leak
in an HTTP request to the authentication server (CVE-2025-53859).

[ Impact ]
The issue happens during the SMTP authentication process and requires
the attacker to make preparations against the target system to extract
the leaked data.

[ Tests ]
I have tested the nginx package after applying the patch,
that everything works as before.
- I ran all automated tests
- I tested the functionality using telnet

[ Risks ]
The patch is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
I just added the official patch released by the upstream team.

[ Other info ]
The patch is applied to a part that has not been modified for a long time.
So the fix is the same for sid/forky/trixie/bookworm nginx releases.

diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog
--- nginx-1.22.1/debian/changelog	2025-03-12 17:55:08.000000000 +0000
+++ nginx-1.22.1/debian/changelog	2025-08-29 14:26:01.000000000 +0000
@@ -1,3 +1,10 @@
+nginx (1.22.1-9+deb12u3) bookworm; urgency=medium
+
+  * d/p/CVE-2025-53859.patch add, fix potential information leak
+    in ngx_mail_smtp_module (CVE-2025-53859).
+
+ -- Jan Mojžíš <janmojzis@debian.org>  Fri, 29 Aug 2025 16:26:01 +0200
+
 nginx (1.22.1-9+deb12u2) bookworm; urgency=medium

   * Non-maintainer upload by the LTS Team.
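
Review bot: The new changelog entry names the patch file and the CVE but not the Debian bug, while the patch header added in the same upload carries Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111138. Referencing #1111138 in the entry would let a reader get from the changelog to the bug without opening d/patches, and "d/p/CVE-2025-53859.patch add" would read more naturally as "Add d/p/CVE-2025-53859.patch".
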
diff -Nru nginx-1.22.1/debian/patches/CVE-2025-53859.patch nginx-1.22.1/debian/patches/CVE-2025-53859.patch
--- nginx-1.22.1/debian/patches/CVE-2025-53859.patch	1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.22.1/debian/patches/CVE-2025-53859.patch	2025-08-29 14:26:01.000000000 +0000
@@ -0,0 +1,132 @@
+Description: CVE-2025-53859
+Origin: https://nginx.org/download/patch.2025.smtp.txt
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111138
+Forwarded: not-needed
+
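
Review bot: The Description field of the patch header holds only the CVE id. A one-line synopsis there, for example the "fix potential information leak in ngx_mail_smtp_module" wording already used in d/changelog, would make the patch self-explanatory when read on its own in d/patches.
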
+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
+index 1167df3fb..d3be7f3b3 100644
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c)
+ ngx_int_t
+ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+ {
+-    u_char     *p, *last;
++    u_char     *p, *pos, *last;
+     ngx_str_t  *arg, plain;
+
+     arg = s->args.elts;
+@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
+-    s->login.data = p;
++    pos = p;
+
+     while (p < last && *p) { p++; }
+
+@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
+-    s->login.len = p++ - s->login.data;
++    s->login.len = p++ - pos;
++    s->login.data = pos;
+
+     s->passwd.len = last - p;
+     s->passwd.data = p;
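
Review bot: Nothing in ngx_mail_auth_plain says why the write to s->login.data moved below the NGX_MAIL_PARSE_INVALID_COMMAND return. A short comment at "s->login.data = pos;" stating that the session field is only updated once parsing has succeeded, so that len and data always change together, would keep a later cleanup from folding pos back into s->login.data.
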
+@@ -583,24 +584,26 @@ ngx_int_t
+ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+     ngx_uint_t n)
+ {
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, login;
+
+     arg = s->args.elts;
+
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &arg[n]);
+
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+-    if (s->login.data == NULL) {
++    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
++    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+
+-    if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
++    if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
++    s->login = login;
++
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &s->login);
+
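
Review bot: In ngx_mail_auth_login_username the local "login" has only login.data set before ngx_decode_base64(&login, &arg[n]); login.len is not initialised on the visible lines, so "s->login = login;" depends on the decoder having filled it in on the NGX_OK path. Initialising the local, or a comment saying the decoder sets len, would make that dependency explicit. The same applies to "passwd" in ngx_mail_auth_login_password and to "login" in ngx_mail_auth_cram_md5.
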
+@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+ ngx_int_t
+ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, passwd;
+
+     arg = s->args.elts;
+
+@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+                    "mail auth login password: \"%V\"", &arg[0]);
+ #endif
+
+-    s->passwd.data = ngx_pnalloc(c->pool,
+-                                 ngx_base64_decoded_length(arg[0].len));
+-    if (s->passwd.data == NULL) {
++    passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++    if (passwd.data == NULL) {
+         return NGX_ERROR;
+     }
+
+-    if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
++    if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
++    s->passwd = passwd;
++
+ #if (NGX_DEBUG_MAIL_PASSWD)
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login password: \"%V\"", &s->passwd);
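
Review bot: ngx_mail_auth_login_password repeats the allocate, decode into a local, then assign sequence that ngx_mail_auth_login_username uses above and ngx_mail_auth_cram_md5 uses below. A small static helper taking the destination ngx_str_t, the source argument and the command name for the log message would keep the three copies from drifting apart the next time this code is touched.
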
+@@ -674,24 +678,26 @@ ngx_int_t
+ ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+     u_char     *p, *last;
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, login;
+
+     arg = s->args.elts;
+
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth cram-md5: \"%V\"", &arg[0]);
+
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
+-    if (s->login.data == NULL) {
++    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+
+-    if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
++    if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH CRAM-MD5 command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
++    s->login = login;
++
+     p = s->login.data;
+     last = p + s->login.len;
+
diff -Nru nginx-1.22.1/debian/patches/series nginx-1.22.1/debian/patches/series
--- nginx-1.22.1/debian/patches/series	2025-03-12 17:55:08.000000000 +0000
+++ nginx-1.22.1/debian/patches/series	2025-08-29 14:26:01.000000000 +0000
@@ -6,3 +6,4 @@
 CVE-2025-23419.patch
 CVE-2024-7347-1.patch
 CVE-2024-7347-2.patch
+CVE-2025-53859.patch

--- End Message ---
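
The [ Reason ] section above describes a buffer over-read, and the debdiff addresses it by decoding into a local and assigning the session field only on success. The following is an added example, not part of the original message and not nginx code: a simplified model of that commit-on-success pattern, in which `str_t`, `session_t`, `toy_decode`, `set_before`, `set_after` and `excess` are hypothetical names and the decoder is assumed to write the length only when it succeeds.

```c
#include <stdio.h>
#include <string.h>

/* Added model, not nginx source: str_t mimics ngx_str_t, session_t the session. */
typedef struct { size_t len; unsigned char *data; } str_t;
typedef struct { str_t login; } session_t;

/* Toy decoder (assumption): accepts [a-z] only, sets dst->len only on success. */
static int toy_decode(str_t *dst, const char *src)
{
    size_t i, n = strlen(src);
    for (i = 0; i < n; i++) {
        if (src[i] < 'a' || src[i] > 'z') return -1;
        dst->data[i] = (unsigned char) src[i];
    }
    dst->len = n;
    return 0;
}

/* "Before" shape: session field is the decode target; buf models a new pool buffer. */
static int set_before(session_t *s, unsigned char *buf, const char *arg)
{
    s->login.data = buf;
    return toy_decode(&s->login, arg);    /* on failure: new data, old len */
}

/* "After" shape: decode into a local and commit only on success. */
static int set_after(session_t *s, unsigned char *buf, const char *arg)
{
    str_t login = { 0, buf };
    if (toy_decode(&login, arg) != 0) return -1;
    s->login = login;
    return 0;
}

/* Bytes by which login.len overshoots login.data after valid-then-rejected input. */
static long excess(int (*set)(session_t *, unsigned char *, const char *))
{
    unsigned char first[32], second[2];
    session_t s = { { 0, NULL } };
    if (set(&s, first, "averyverylongusername") != 0) return -1;
    (void) set(&s, second, "x!");         /* constructed invalid value */
    return s.login.data == first ? 0 : (long) s.login.len - (long) sizeof(second);
}

int main(void)
{
    printf("before=%ld after=%ld\n", excess(set_before), excess(set_after));
    return 0;
}
```

In the "before" shape the rejected value leaves a length that describes a different, larger buffer than the one the pointer now refers to; in the "after" shape the pointer and length stay a matched pair.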
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
