From: "Theo Gaige (Schneider Electric)" <[email protected]>
Backport patch [1] mentioned in [2]. [1] https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7 [2] https://security-tracker.debian.org/tracker/CVE-2026-48142 Signed-off-by: Theo Gaige (Schneider Electric) <[email protected]> Reviewed-by: Bruno Vernay <[email protected]> --- .../nginx/nginx-1.24.0/CVE-2026-48142.patch | 43 +++++++++++++++++++ .../recipes-httpd/nginx/nginx_1.24.0.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch new file mode 100644 index 0000000000..f3c5ec4f7a --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-48142.patch @@ -0,0 +1,43 @@ +From f0a5aa7beb3d210753dfb104dcfd873bf1af35f0 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov <[email protected]> +Date: Mon, 1 Jun 2026 21:46:48 +0400 +Subject: [PATCH] Charset: fixed another rare buffer overread in + recode_from_utf8() + +With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte +overread on invalid UTF-8 sequences. The reason is ngx_utf8_decode() +stops advancing the pointer position on the first encountered invalid +byte. The fix is to adjust the advanced pointer up to the whole saved +sequence in this case. Note that this may result in different output +compared to complete invalid UTF-8 sequences, which we can disregard +at this point. + +Reported by Han Yan of Xiaomi and p4p3r of CYBERONE. + +(cherry picked from commit 60c4243eb8775d51662a01def8a7dad5d9fb34a7) + +CVE: CVE-2026-48142 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7] +Signed-off-by: Theo Gaige (Schneider Electric) <[email protected]> +--- + src/http/modules/ngx_http_charset_filter_module.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c +index 7a518e3..ed80b5e 100644 +--- a/src/http/modules/ngx_http_charset_filter_module.c ++++ b/src/http/modules/ngx_http_charset_filter_module.c +@@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf, + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0, + "http charset invalid utf 1"); + ++ if (saved < &ctx->saved[ctx->saved_len]) { ++ saved = &ctx->saved[ctx->saved_len]; ++ } ++ + } else { + dst = ngx_sprintf(dst, "&#%uD;", n); + } +-- +2.43.0 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index dee6c6618e..8498ce766e 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb @@ -15,6 +15,7 @@ SRC_URI:append = " \ file://CVE-2026-42946-01.patch \ file://CVE-2026-42946-02.patch \ file://CVE-2026-9256.patch \ + file://CVE-2026-48142.patch \ " SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#127696): https://lists.openembedded.org/g/openembedded-devel/message/127696 Mute This Topic: https://lists.openembedded.org/mt/119937995/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
