Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:nginx User: [email protected] Usertags: pu
[ Reason ] A security issue was identified in ngx_mail_smtp_module, which might allow an attacker to cause buffer over-read, potentially resulting in sensitive information leak in a HTTP request to the authentication server (CVE-2025-53859). [ Impact ] The issue happens during the SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data [ Tests ] I have tested nginx package after aplying the patch, that everything works as before. - I ran all automated tests - I tested the functionality using telnet [ Risks ] The patch is trivial. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] I just added the official patch released by the upstream team. [ Other info ] The patch is applied to a part that has not been modified for a long time. So the fix is the same for sid/forky/trixie/bookworm nginx releases. debdiff nginx_1.26.3-3.dsc nginx_1.26.3-3+deb13u1.dsc diff -Nru nginx-1.26.3/debian/changelog nginx-1.26.3/debian/changelog --- nginx-1.26.3/debian/changelog 2025-05-15 15:31:38.000000000 +0200 +++ nginx-1.26.3/debian/changelog 2025-08-29 16:10:13.000000000 +0200 @@ -1,3 +1,10 @@ +nginx (1.26.3-3+deb13u1) trixie; urgency=medium + + * d/p/CVE-2025-53859.patch add, fix potential information leak + in ngx_mail_smtp_module (CVE-2025-53859). + + -- Jan Mojžíš <[email protected]> Fri, 29 Aug 2025 16:10:13 +0200 + nginx (1.26.3-3) unstable; urgency=medium [ Jan Mojžíš ] diff -Nru nginx-1.26.3/debian/patches/CVE-2025-53859.patch nginx-1.26.3/debian/patches/CVE-2025-53859.patch --- nginx-1.26.3/debian/patches/CVE-2025-53859.patch 1970-01-01 01:00:00.000000000 +0100 +++ nginx-1.26.3/debian/patches/CVE-2025-53859.patch 2025-08-29 16:08:48.000000000 +0200 @@ -0,0 +1,132 @@ +Description: CVE-2025-53859 +Origin: https://nginx.org/download/patch.2025.smtp.txt +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111138 +Forwarded: not-needed + +diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c +index 1167df3fb..d3be7f3b3 100644 +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c) + ngx_int_t + ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + { +- u_char *p, *last; ++ u_char *p, *pos, *last; + ngx_str_t *arg, plain; + + arg = s->args.elts; +@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.data = p; ++ pos = p; + + while (p < last && *p) { p++; } + +@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.len = p++ - s->login.data; ++ s->login.len = p++ - pos; ++ s->login.data = pos; + + s->passwd.len = last - p; + s->passwd.data = p; +@@ -583,24 +584,26 @@ ngx_int_t + ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c, + ngx_uint_t n) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &arg[n]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->login = login; ++ + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &s->login); + +@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c, + ngx_int_t + ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, passwd; + + arg = s->args.elts; + +@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c) + "mail auth login password: \"%V\"", &arg[0]); + #endif + +- s->passwd.data = ngx_pnalloc(c->pool, +- ngx_base64_decoded_length(arg[0].len)); +- if (s->passwd.data == NULL) { ++ passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (passwd.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->passwd = passwd; ++ + #if (NGX_DEBUG_MAIL_PASSWD) + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login password: \"%V\"", &s->passwd); +@@ -674,24 +678,26 @@ ngx_int_t + ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c) + { + u_char *p, *last; +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth cram-md5: \"%V\"", &arg[0]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH CRAM-MD5 command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->login = login; ++ + p = s->login.data; + last = p + s->login.len; + diff -Nru nginx-1.26.3/debian/patches/series nginx-1.26.3/debian/patches/series --- nginx-1.26.3/debian/patches/series 2025-05-15 15:31:38.000000000 +0200 +++ nginx-1.26.3/debian/patches/series 2025-08-29 16:08:48.000000000 +0200 @@ -1,3 +1,4 @@ 0003-define_gnu_source-on-other-glibc-based-platforms.patch nginx-fix-pidfile.patch nginx-ssl_cert_cb_yield.patch +CVE-2025-53859.patch
