From: "Theo Gaige (Schneider Electric)" <[email protected]>

Backport patch [1] mentioned in [2].

[1] 
https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686

[2] https://security-tracker.debian.org/tracker/CVE-2026-42945

Signed-off-by: Theo Gaige (Schneider Electric) <[email protected]>
Reviewed-by: Bruno Vernay <[email protected]>
---
 .../nginx/nginx-1.24.0/CVE-2026-42945.patch   | 46 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 
meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch

diff --git 
a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch 
b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch
new file mode 100644
index 0000000000..15abc875fb
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch
@@ -0,0 +1,46 @@
+From 3d990abc5cb4adc2368da603a419c9944aaa5f65 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <[email protected]>
+Date: Wed, 22 Apr 2026 09:39:31 +0400
+Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
+
+The following code resulted in incorrect escaping of $1 and possible
+segfault:
+
+    location / {
+        rewrite ^(.*) /new?c=1;
+        set $myvar $1;
+        return 200 $myvar;
+    }
+
+If there were arguments in a rewrite's replacement string, the is_args flag
+was set and incorrectly never cleared.  This resulted in escaping applied
+to any captures evaluated afterwards in set or if.  Additionally buffer was
+allocated by ngx_http_script_complex_value_code() without escaping expected,
+thus this also resulted in buffer overrun and possible segfault.
+
+A similar issue was fixed in 74d939974d43.
+
+Reported by Leo Lin.
+
+CVE: CVE-2026-42945
+Upstream-Status: Backport 
[https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686]
+Signed-off-by: Theo Gaige (Schneider Electric) <[email protected]>
+---
+ src/http/ngx_http_script.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
+index a2b9f1b..2ea6113 100644
+--- a/src/http/ngx_http_script.c
++++ b/src/http/ngx_http_script.c
+@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t 
*e)
+ 
+     r = e->request;
+ 
++    e->is_args = 0;
+     e->quote = 0;
+ 
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+-- 
+2.43.0
+
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb 
b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index 7a94cb6172..f9e40fa27f 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -11,6 +11,7 @@ SRC_URI:append = " \
                   file://CVE-2026-32647.patch \
                   file://CVE-2026-40701.patch \
                   file://CVE-2026-42934.patch \
+                  file://CVE-2026-42945.patch \
 "
 
 SRC_URI[sha256sum] = 
"77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
-- 
2.43.0

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#127119): 
https://lists.openembedded.org/g/openembedded-devel/message/127119
Mute This Topic: https://lists.openembedded.org/mt/119408658/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to