Merge 95f74a2fcf into 9c9495b6f9

bugfix: backport fixes for CVE-2024-24989 and CVE-2024-24990.
update: patch file renaming;
2024-05-01 02:11:43 +00:00 · 2024-05-01 10:11:04 +08:00 · 2018-01-11 18:25:43 +04:00 · 2018-01-11 18:21:51 +04:00 · 2018-01-10 16:55:29 +04:00 · 2018-01-09 12:40:44 +04:00
5 changed files with 193 additions and 1 deletions
--- a/patches/nginx-1.13.6-lua_nginx_msvc_support.patch
+++ b/patches/nginx-1.13.6-lua_nginx_msvc_support.patch
@ -0,0 +1,117 @@
+diff --binary -Nur nginx-1.13.7.1-original/auto/cc/msvc nginx-1.13.7.1-msvc/auto/cc/msvc
+--- nginx-1.13.7.1-original/auto/cc/msvc	2017-11-21 19:09:44 +0400
+++ nginx-1.13.7.1-msvc/auto/cc/msvc	2018-01-07 13:00:37 +0400
+@@ -13,6 +13,7 @@
+ 
+ NGX_MSVC_VER=`$NGX_WINE $CC 2>&1 | grep 'Compiler Version' 2>&1 \
+                                  | sed -e 's/^.* Version \(.*\)/\1/'`
+NGX_MSVC_TYPE=`echo $NGX_MSVC_VER | sed -e 's/^.* for \([a-zA-Z0-9]*\)$/\1/'`
+ 
+ echo " + cl version: $NGX_MSVC_VER"
+ 
+@@ -120,11 +121,11 @@
+ 
+ 
+ # precompiled headers
+-CORE_DEPS="$CORE_DEPS $NGX_OBJS/ngx_config.pch"
+-CORE_LINK="$CORE_LINK $NGX_OBJS/ngx_pch.obj"
+-NGX_PCH="$NGX_OBJS/ngx_config.pch"
+-NGX_BUILD_PCH="-Ycngx_config.h -Fp$NGX_OBJS/ngx_config.pch"
+-NGX_USE_PCH="-Yungx_config.h -Fp$NGX_OBJS/ngx_config.pch"
+#CORE_DEPS="$CORE_DEPS $NGX_OBJS/ngx_config.pch"
+#CORE_LINK="$CORE_LINK $NGX_OBJS/ngx_pch.obj"
+#NGX_PCH="$NGX_OBJS/ngx_config.pch"
+#NGX_BUILD_PCH="-Ycngx_config.h -Fp$NGX_OBJS/ngx_config.pch"
+#NGX_USE_PCH="-Yungx_config.h -Fp$NGX_OBJS/ngx_config.pch"
+ 
+ 
+ # the resource file
+diff --binary -Nur nginx-1.13.7.1-original/auto/feature nginx-1.13.7.1-msvc/auto/feature
+--- nginx-1.13.7.1-original/auto/feature	2017-11-21 19:09:44 +0400
+++ nginx-1.13.7.1-msvc/auto/feature	2018-01-07 13:13:18 +0400
+@@ -38,15 +38,19 @@
+ 
+ END
+ 
+-
+-ngx_test="$CC $CC_TEST_FLAGS $CC_AUX_FLAGS $ngx_feature_inc_path \
+-          -o $NGX_AUTOTEST $NGX_AUTOTEST.c $NGX_TEST_LD_OPT $ngx_feature_libs"
+ngx_test=
+if [ "$NGX_CC_NAME" = msvc ]; then
+    ngx_test="$CC $CC_TEST_FLAGS $CC_AUX_FLAGS $ngx_feature_inc_path \
+              $NGX_AUTOTEST.c $ngx_feature_libs -link -out:$NGX_AUTOTEST $NGX_TEST_LD_OPT"
+else
+    ngx_test="$CC $CC_TEST_FLAGS $CC_AUX_FLAGS $ngx_feature_inc_path \
+              -o $NGX_AUTOTEST $NGX_AUTOTEST.c $NGX_TEST_LD_OPT $ngx_feature_libs"
+fi
+ 
+ ngx_feature_inc_path=
+ 
+ eval "/bin/sh -c \"$ngx_test\" >> $NGX_AUTOCONF_ERR 2>&1"
+ 
+-
+ if [ -x $NGX_AUTOTEST ]; then
+ 
+     case "$ngx_feature_run" in
+diff --binary -Nur nginx-1.13.7.1-original/auto/lib/openssl/make nginx-1.13.7.1-msvc/auto/lib/openssl/make
+--- nginx-1.13.7.1-original/auto/lib/openssl/make	2017-11-21 19:09:44 +0400
+++ nginx-1.13.7.1-msvc/auto/lib/openssl/make	2018-01-01 17:32:30 +0400
+@@ -10,7 +10,7 @@
+         cat << END                                            >> $NGX_MAKEFILE
+ 
+ $OPENSSL/openssl/include/openssl/ssl.h:	$NGX_MAKEFILE
+-	\$(MAKE) -f auto/lib/openssl/makefile.msvc			\
+	\$(MAKE) -f auto/lib/openssl/makefile-$NGX_MSVC_TYPE.msvc			\
+ 		OPENSSL="$OPENSSL" OPENSSL_OPT="$OPENSSL_OPT"
+ 
+ END
+diff --binary -Nur nginx-1.13.7.1-original/auto/lib/openssl/makefile-x64.msvc nginx-1.13.7.1-msvc/auto/lib/openssl/makefile-x64.msvc
+--- nginx-1.13.7.1-original/auto/lib/openssl/makefile-x64.msvc	1970-01-01 04:00:00 +0400
+++ nginx-1.13.7.1-msvc/auto/lib/openssl/makefile-x64.msvc	2018-01-10 16:50:39 +0400
+@@ -0,0 +1,21 @@
+
+# Copyright (C) Igor Sysoev
+# Copyright (C) Nginx, Inc.
+
+
+all:
+    cd $(OPENSSL)
+
+    perl Configure VC-WIN64A no-shared              \
+        --prefix="%cd%/openssl"                     \
+        --openssldir="%cd%/openssl/ssl"             \
+        $(OPENSSL_OPT)
+
+    if exist ms\do_win64a.bat (                     \
+        ms\do_win64a                                \
+        && $(MAKE) -f ms\nt.mak                     \
+        && $(MAKE) -f ms\nt.mak install             \
+    ) else (                                        \
+        $(MAKE)                                     \
+        && $(MAKE) install_sw                       \
+    )
+diff --binary -Nur nginx-1.13.7.1-original/auto/lib/openssl/makefile-x86.msvc nginx-1.13.7.1-msvc/auto/lib/openssl/makefile-x86.msvc
+--- nginx-1.13.7.1-original/auto/lib/openssl/makefile-x86.msvc	1970-01-01 04:00:00 +0400
+++ nginx-1.13.7.1-msvc/auto/lib/openssl/makefile-x86.msvc	2018-01-10 16:49:41 +0400
+@@ -0,0 +1,21 @@
+
+# Copyright (C) Igor Sysoev
+# Copyright (C) Nginx, Inc.
+
+
+all:
+    cd $(OPENSSL)
+
+    perl Configure VC-WIN32 no-shared               \
+        --prefix="%cd%/openssl"                     \
+        --openssldir="%cd%/openssl/ssl"             \
+        $(OPENSSL_OPT)
+
+    if exist ms\do_nasm.bat (                       \
+        ms\do_nasm                                  \
+        && $(MAKE) -f ms\nt.mak                     \
+        && $(MAKE) -f ms\nt.mak install             \
+    ) else (                                        \
+        $(MAKE)                                     \
+        && $(MAKE) install_sw                       \
+    )
--- a/patches/nginx-CVE-2024-24989.patch
+++ b/patches/nginx-CVE-2024-24989.patch
@ -0,0 +1,36 @@
+commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
+Author: Sergey Kandaurov <pluknet@nginx.com>
+Date:   Wed Feb 14 15:55:34 2024 +0400
+
+    QUIC: trial packet decryption in response to invalid key update.
+    
+    Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
+    keys is now used to avoid a timing side-channel signal.  Further, this fixes
+    segfault while accessing missing next keys (ticket #2585).
+
+diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
+index 88e6954cf..8223626b6 100644
+--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
+@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
+         key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
+ 
+         if (key_phase != pkt->key_phase) {
+-            secret = &pkt->keys->next_key.client;
+-            pkt->key_update = 1;
+            if (pkt->keys->next_key.client.ctx != NULL) {
+                secret = &pkt->keys->next_key.client;
+                pkt->key_update = 1;
+
+            } else {
+                /*
+                 * RFC 9001,  6.3. Timing of Receive Key Generation.
+                 *
+                 * Trial decryption to avoid timing side-channel.
+                 */
+                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
+                               "quic next key missing");
+            }
+         }
+     }
+ 
--- a/patches/nginx-CVE-2024-24990.patch
+++ b/patches/nginx-CVE-2024-24990.patch
@ -0,0 +1,27 @@
+commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
+Author: Roman Arutyunyan <arut@nginx.com>
+Date:   Wed Feb 14 15:55:37 2024 +0400
+
+    QUIC: fixed stream cleanup (ticket #2586).
+    
+    Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
+    ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
+    to the connection (sc->connection = NULL).  Previously if this call failed,
+    sc->connection retained the old value, while the connection was freed by the
+    application code.  This resulted later in a second attempt to close the freed
+    connection, which lead to allocator double free error.
+    
+    The fix is to reset the sc->connection pointer in case of error.
+
+diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
+index df04d0f07..178b805e4 100644
+--- a/src/event/quic/ngx_event_quic_streams.c
+++ b/src/event/quic/ngx_event_quic_streams.c
+@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
+                    "quic stream id:0x%xL cleanup", qs->id);
+ 
+     if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
+        qs->connection = NULL;
+         goto failed;
+     }
+ 
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@ -513,6 +513,18 @@ if [ "$answer" = "Y" ]; then
    fi
 fi

+answer=`$root/util/ver-ge "$main_ver" 1.25.3`
+if [ "$answer" = "Y" ]; then
+    answer=`$root/util/ver-ge "$main_ver" 1.25.4`
+    if [ "$answer" = "N" ]; then
+        echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)"
+        patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1
+        echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)"
+        patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1
+    fi
+fi
+
+
 echo "$info_txt applying the upstream_timeout_fields patch for nginx"
 patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
 echo
--- a/util/ver
+++ b/util/ver
@ -1,7 +1,7 @@
 #!/bin/bash

 main_ver=1.25.3
-minor_ver=1
+minor_ver=2
 version=$main_ver.$minor_ver
 echo $version
Author	SHA1	Message	Date
geniuss99	474975c123	Merge `95f74a2fcf` into `9c9495b6f9`	2024-05-01 02:11:43 +00:00
lijunlong	9c9495b6f9	bugfix: backport fixes for CVE-2024-24989 and CVE-2024-24990.	2024-05-01 10:11:04 +08:00
geniuss99	95f74a2fcf	update: patch file renaming;	2018-01-11 18:25:43 +04:00
geniuss99	279b9b872e	Merge branch 'master' of https://github.com/openresty/openresty	2018-01-11 18:21:51 +04:00
geniuss99	e892c61bc1	update: the trailing \ is aligned up vertically.	2018-01-10 16:55:29 +04:00
geniuss99	d8b346e27c	feature: added support for compilation of lua-nginx-module with nginx under MSVC.	2018-01-09 12:40:44 +04:00