From 9c9495b6f9277018e683bbee42ce2f6a0edf248d Mon Sep 17 00:00:00 2001
From: lijunlong <lijunlong@openresty.com>
Date: Wed, 1 May 2024 10:11:04 +0800
Subject: [PATCH] bugfix: backport fixes for CVE-2024-24989 and CVE-2024-24990.
---
patches/nginx-CVE-2024-24989.patch | 36 ++++++++++++++++++++++++++++++
patches/nginx-CVE-2024-24990.patch | 27 ++++++++++++++++++++++
util/mirror-tarballs | 12 ++++++++++
util/ver | 2 +-
4 files changed, 76 insertions(+), 1 deletion(-)
create mode 100644 patches/nginx-CVE-2024-24989.patch
create mode 100644 patches/nginx-CVE-2024-24990.patch
diff --git a/patches/nginx-CVE-2024-24989.patch b/patches/nginx-CVE-2024-24989.patch
new file mode 100644
index 0000000..aa2936c
--- /dev/null
+++ b/patches/nginx-CVE-2024-24989.patch
@@ -0,0 +1,36 @@
+commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
+Author: Sergey Kandaurov <pluknet@nginx.com>
+Date: Wed Feb 14 15:55:34 2024 +0400
+
+ QUIC: trial packet decryption in response to invalid key update.
+
+ Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
+ keys is now used to avoid a timing side-channel signal. Further, this fixes
+ segfault while accessing missing next keys (ticket #2585).
+
+diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
+index 88e6954cf..8223626b6 100644
+--- a/src/event/quic/ngx_event_quic_protection.c
++++ b/src/event/quic/ngx_event_quic_protection.c
+@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
+ key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
+
+ if (key_phase != pkt->key_phase) {
+- secret = &pkt->keys->next_key.client;
+- pkt->key_update = 1;
++ if (pkt->keys->next_key.client.ctx != NULL) {
++ secret = &pkt->keys->next_key.client;
++ pkt->key_update = 1;
++
++ } else {
++ /*
++ * RFC 9001, 6.3. Timing of Receive Key Generation.
++ *
++ * Trial decryption to avoid timing side-channel.
++ */
++ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
++ "quic next key missing");
++ }
+ }
+ }
+
diff --git a/patches/nginx-CVE-2024-24990.patch b/patches/nginx-CVE-2024-24990.patch
new file mode 100644
index 0000000..4ba4d30
--- /dev/null
+++ b/patches/nginx-CVE-2024-24990.patch
@@ -0,0 +1,27 @@
+commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
+Author: Roman Arutyunyan <arut@nginx.com>
+Date: Wed Feb 14 15:55:37 2024 +0400
+
+ QUIC: fixed stream cleanup (ticket #2586).
+
+ Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
+ ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
+ to the connection (sc->connection = NULL). Previously if this call failed,
+ sc->connection retained the old value, while the connection was freed by the
+ application code. This resulted later in a second attempt to close the freed
+ connection, which lead to allocator double free error.
+
+ The fix is to reset the sc->connection pointer in case of error.
+
+diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
+index df04d0f07..178b805e4 100644
+--- a/src/event/quic/ngx_event_quic_streams.c
++++ b/src/event/quic/ngx_event_quic_streams.c
+@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
+ "quic stream id:0x%xL cleanup", qs->id);
+
+ if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
++ qs->connection = NULL;
+ goto failed;
+ }
+
diff --git a/util/mirror-tarballs b/util/mirror-tarballs
index f1f8791..5f6d845 100755
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@@ -513,6 +513,18 @@ if [ "$answer" = "Y" ]; then
fi
fi
+answer=`$root/util/ver-ge "$main_ver" 1.25.3`
+if [ "$answer" = "Y" ]; then
+ answer=`$root/util/ver-ge "$main_ver" 1.25.4`
+ if [ "$answer" = "N" ]; then
+ echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)"
+ patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1
+ echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)"
+ patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1
+ fi
+fi
+
+
echo "$info_txt applying the upstream_timeout_fields patch for nginx"
patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
echo
diff --git a/util/ver b/util/ver
index 93ea32a..fb86902 100755
--- a/util/ver
+++ b/util/ver
@@ -1,7 +1,7 @@
#!/bin/bash
main_ver=1.25.3
-minor_ver=1
+minor_ver=2
version=$main_ver.$minor_ver
echo $version