A heap memory buffer overflow might occur in a worker process while handling a specially crafted request by ngx_http_rewrite_module, potentially resulting in arbitrary code execution.
The is_args flag was set when a rewrite replacement contained query arguments but was never cleared, causing incorrect URI escaping and a buffer overrun in subsequent set/if captures. Fix by resetting e->is_args in ngx_http_script_regex_end_code(). Upstream-Status: Backport [https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686] CVE: CVE-2026-42945 Signed-off-by: Nelson Garcia <[email protected]> --- .../nginx/nginx-1.24.0/CVE-2026-42945.patch | 40 +++++++++++++++++++ .../recipes-httpd/nginx/nginx_1.24.0.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch new file mode 100644 index 0000000000..cb476bcd96 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-42945.patch 
@@ -0,0 +1,40 @@ +From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan <[email protected]> +Date: Tue, 13 May 2026 00:00:00 +0400 +Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun. + +The following code resulted in incorrect escaping of $1 and possible +segfault: + + location / { + rewrite ^(.*) /new?c=1; + set $myvar $1; + return 200 $myvar; + } + +If there were arguments in a rewrite's replacement string, the is_args flag +was set and incorrectly never cleared. This resulted in escaping applied +to any captures evaluated afterwards in set or if. Additionally buffer was +allocated by ngx_http_script_complex_value_code() without escaping expected, +thus this also resulted in buffer overrun and possible segfault. + +Reported by Leo Lin. + +CVE: CVE-2026-42945 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686] +Signed-off-by: Roman Arutyunyan <[email protected]> +--- + src/http/ngx_http_script.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c +--- a/src/http/ngx_http_script.c ++++ b/src/http/ngx_http_script.c +@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e) + + r = e->request; + ++ e->is_args = 0; + e->quote = 0; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index b732e92b18..c1f277517f 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb @@ -9,6 +9,7 @@ SRC_URI:append = " \ file://CVE-2026-27654.patch \ file://CVE-2026-28753.patch \ file://CVE-2026-32647.patch \ + file://CVE-2026-42945.patch \ " SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" -- 2.43.0
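Review bot: In the new CVE-2026-42945.patch, the embedded mail header does not look like it was taken from the upstream commit: `Date: Tue, 13 May 2026 00:00:00 +0400` names a Tuesday, but 13 May 2026 is a Wednesday, and the midnight timestamp reads like a placeholder. Please regenerate the patch file from the commit referenced in Upstream-Status so that From, Date and Subject match upstream. The only Signed-off-by inside the patch file is Roman Arutyunyan's, while the backporter's sign-off appears only in the outer commit message; consider adding it below the CVE and Upstream-Status tags in the patch file as well. The one-line change itself, `e->is_args = 0;` placed next to `e->quote = 0;` in ngx_http_script_regex_end_code(), matches the description.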
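An added example, not part of the original patch or of nginx: a heuristic Python audit for triaging configurations on builds that do not yet carry this fix. It flags the pattern the commit message describes, a `rewrite` whose replacement carries query arguments followed in the same block by a `set` or `if` that reads a numbered capture. The function name, the regexes and the sample config are assumptions made for this example, and any `?` in the replacement is treated as query arguments.

```python
import re

# Constructed sample: the first location is the snippet quoted in the commit
# message; the second is a variant whose replacement has no query arguments.
SAMPLE_CONF = """\
location / {
    rewrite ^(.*) /new?c=1;
    set $myvar $1;
    return 200 $myvar;
}
location /safe {
    rewrite ^(.*) /new;
    set $myvar $1;
}
"""

# rewrite <regex> <replacement> [flag];  (group 1 is the replacement)
REWRITE_RE = re.compile(r"^rewrite\s+\S+\s+(\S+?)(?:\s+\w+)?\s*;")
# A set or if directive that reads a numbered capture ($1..$9).
CAPTURE_USE_RE = re.compile(r"^(set|if)\b.*\$[1-9]")


def find_risky_captures(conf_text):
    """Return (rewrite_line, use_line) pairs matching the described pattern.

    Heuristic only: one directive per line is assumed, named captures and
    included files are not followed, and a hit means "review this block",
    not "this block is exploitable".
    """
    findings = []
    # One entry per open block: line number of the last rewrite in that block
    # whose replacement contains '?', or None if there is none so far.
    stack = [None]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' in values)
        if not line:
            continue
        m = REWRITE_RE.match(line)
        if m and "?" in m.group(1):
            stack[-1] = lineno
        elif CAPTURE_USE_RE.match(line) and stack[-1] is not None:
            findings.append((stack[-1], lineno))
        if line.endswith("{"):
            # An if block is assumed to continue the enclosing rewrite script;
            # any other block starts with a clean state.
            stack.append(stack[-1] if line.startswith("if") else None)
        elif line == "}" and len(stack) > 1:
            stack.pop()
    return findings
```
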
