	bugfix: backport fixes for CVE-2024-24989 and CVE-2024-24990.
										36
									
								
								patches/nginx-CVE-2024-24989.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										36
									
								
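--- a/patches/nginx-CVE-2024-24989.patch
+++ b/patches/nginx-CVE-2024-24989.patch
@@ -0,0 +1,36 @@
+commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
+Author: Sergey Kandaurov <pluknet@nginx.com>
+Date:   Wed Feb 14 15:55:34 2024 +0400
+
+    QUIC: trial packet decryption in response to invalid key update.
+    
+    Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
+    keys is now used to avoid a timing side-channel signal.  Further, this fixes
+    segfault while accessing missing next keys (ticket #2585).
+
+diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
+index 88e6954cf..8223626b6 100644
+--- a/src/event/quic/ngx_event_quic_protection.c
++++ b/src/event/quic/ngx_event_quic_protection.c
+@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
+         key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
+ 
+         if (key_phase != pkt->key_phase) {
+-            secret = &pkt->keys->next_key.client;
+-            pkt->key_update = 1;
++            if (pkt->keys->next_key.client.ctx != NULL) {
++                secret = &pkt->keys->next_key.client;
++                pkt->key_update = 1;
++
++            } else {
++                /*
++                 * RFC 9001,  6.3. Timing of Receive Key Generation.
++                 *
++                 * Trial decryption to avoid timing side-channel.
++                 */
++                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
++                               "quic next key missing");
++            }
+         }
+     }
+ 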
							
								
								
									
										27
									
								
								patches/nginx-CVE-2024-24990.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										27
									
								
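--- a/patches/nginx-CVE-2024-24990.patch
+++ b/patches/nginx-CVE-2024-24990.patch
@@ -0,0 +1,27 @@
+commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
+Author: Roman Arutyunyan <arut@nginx.com>
+Date:   Wed Feb 14 15:55:37 2024 +0400
+
+    QUIC: fixed stream cleanup (ticket #2586).
+    
+    Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
+    ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
+    to the connection (sc->connection = NULL).  Previously if this call failed,
+    sc->connection retained the old value, while the connection was freed by the
+    application code.  This resulted later in a second attempt to close the freed
+    connection, which lead to allocator double free error.
+    
+    The fix is to reset the sc->connection pointer in case of error.
+
+diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
+index df04d0f07..178b805e4 100644
+--- a/src/event/quic/ngx_event_quic_streams.c
++++ b/src/event/quic/ngx_event_quic_streams.c
+@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
+                    "quic stream id:0x%xL cleanup", qs->id);
+ 
+     if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
++        qs->connection = NULL;
+         goto failed;
+     }
+ 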
| @ -513,6 +513,18 @@ if [ "$answer" = "Y" ]; then | ||||
|     fi | ||||
| fi | ||||
|  | ||||
| answer=`$root/util/ver-ge "$main_ver" 1.25.3` | ||||
| if [ "$answer" = "Y" ]; then | ||||
|     answer=`$root/util/ver-ge "$main_ver" 1.25.4` | ||||
|     if [ "$answer" = "N" ]; then | ||||
|         echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)" | ||||
|         patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1 | ||||
|         echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)" | ||||
|         patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1 | ||||
|     fi | ||||
| fi | ||||
|  | ||||
|  | ||||
| echo "$info_txt applying the upstream_timeout_fields patch for nginx" | ||||
| patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1 | ||||
| echo | ||||
|  | ||||