[Pkg-nginx-maintainers] Bug#1100336: bookworm-pu: package nginx/1.22.1-9+deb12u2
Andrej Shadura
andrewsh at debian.org
Wed Mar 12 18:09:41 GMT 2025
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: nginx at packages.debian.org, Jan Mojžíš <jan.mojzis at gmail.com>
Control: affects -1 + src:nginx
User: release.debian.org at packages.debian.org
Usertags: pu
Hi,
I’d like to upload a backport of patches fixing CVE-2024-7347.
This issue has been fixed in the nginx version currently in trixie/unstable.
I also plan to upload a similar fix to the nginx version in bullseye, so to
ensure users don’t update from nginx with this bug fixed to one that’s
still vulnerable, I’d like to fix it in bookworm as well.
[ Reason ]
Nginx has a vulnerability in the ngx_http_mp4_module, which might allow
an attacker to over-read nginx worker memory resulting in its termination
using a specially crafted mp4 file. The issue only affects nginx if it
is built with the ngx_http_mp4_module and the mp4 directive is used in
the configuration file. Additionally, the attack is possible only if an
attacker can trigger the processing of a specially crafted mp4 file with
the ngx_http_mp4_module.
[ Impact ]
Since this bug is going to be fixed in bullseye, users may hit the
vulnerability once they upgrade to bookworm.
[ Tests ]
I ran the automated tests (autopkgtests) included in the package.
[ Risks ]
This change is trivial.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
This is a trivial cherry-pick of the upstream commits
7362d01658b and 88955b1044e without any manual fixups.
Thanks.
--
Cheers,
Andrej
-------------- next part --------------
diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog
--- nginx-1.22.1/debian/changelog 2025-02-17 20:40:29.000000000 +0100
+++ nginx-1.22.1/debian/changelog 2025-03-12 18:55:08.000000000 +0100
@@ -1,3 +1,12 @@
+nginx (1.22.1-9+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * Add upstream patches for CVE-2024-7347:
+ - mp4: fix buffer underread while updating stsz atom
+ - mp4: reject unordered chunks in stsc atom
+
+ -- Andrej Shadura <andrewsh at debian.org> Wed, 12 Mar 2025 18:55:08 +0100
+
nginx (1.22.1-9+deb12u1) bookworm; urgency=medium
* d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.
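Review bot: The two "mp4:" bullets in the new 1.22.1-9+deb12u2 entry do not name the patch files they add, while the previous entry directly below cites d/p/CVE-2025-23419.patch. Naming d/p/CVE-2024-7347-1.patch and d/p/CVE-2024-7347-2.patch in the bullets would keep the log consistent and make each line traceable to debian/patches/series. The "Non-maintainer upload by the LTS Team" line also reads oddly on an entry whose distribution is bookworm and which is submitted as a bookworm-pu request; consider rewording it.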
diff -Nru nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch
--- nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch 1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch 2025-03-12 18:54:39.000000000 +0100
@@ -0,0 +1,49 @@
+From: Roman Arutyunyan <arut at nginx.com>
+Date: Mon, 12 Aug 2024 18:20:43 +0400
+Subject: Mp4: fixed buffer underread while updating stsz atom.
+
+While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer
+overflow could happen, which could result in incorrect seeking and a very large
+value stored in "samples". This resulted in a large invalid value of
+trak->end_chunk_samples. This value is further used to calculate the value of
+trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing
+this, a large invalid value of trak->end_chunk_samples could result in reading
+memory before stsz atom start. This could potentially result in a segfault.
+
+Origin: upstream, https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4
+---
+ src/http/modules/ngx_http_mp4_module.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 4eff01e..460d091 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3098,7 +3098,8 @@ static ngx_int_t
+ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+ ngx_http_mp4_trak_t *trak, ngx_uint_t start)
+ {
+- uint32_t start_sample, chunk, samples, id, next_chunk, n,
++ uint64_t n;
++ uint32_t start_sample, chunk, samples, id, next_chunk,
+ prev_samples;
+ ngx_buf_t *data, *buf;
+ ngx_uint_t entries, target_chunk, chunk_samples;
+@@ -3159,7 +3160,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+ "samples:%uD, id:%uD",
+ start_sample, chunk, next_chunk - chunk, samples, id);
+
+- n = (next_chunk - chunk) * samples;
++ n = (uint64_t) (next_chunk - chunk) * samples;
+
+ if (start_sample < n) {
+ goto found;
+@@ -3181,7 +3182,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+ "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
+ start_sample, chunk, next_chunk - chunk, samples);
+
+- n = (next_chunk - chunk) * samples;
++ n = (uint64_t) (next_chunk - chunk) * samples;
+
+ if (start_sample > n) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
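Review bot: In the second and third hunks of the embedded patch, the (uint64_t) cast is applied to the already-computed value of (next_chunk - chunk), so the subtraction is still evaluated in uint32_t and wraps if next_chunk is below chunk; only the multiplication by samples is widened. CVE-2024-7347-2.patch adds a next_chunk < chunk guard at the first site (its hunk starts at line 3155), but no equivalent guard is visible in the context ahead of the second computation in the hunk starting at line 3182. It is worth confirming against the full source that next_chunk cannot be smaller than chunk at that point, and saying so in the patch description.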
diff -Nru nginx-1.22.1/debian/patches/CVE-2024-7347-2.patch nginx-1.22.1/debian/patches/CVE-2024-7347-2.patch
--- nginx-1.22.1/debian/patches/CVE-2024-7347-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.22.1/debian/patches/CVE-2024-7347-2.patch 2025-03-12 18:54:39.000000000 +0100
@@ -0,0 +1,31 @@
+From: Roman Arutyunyan <arut at nginx.com>
+Date: Mon, 12 Aug 2024 18:20:45 +0400
+Subject: Mp4: rejecting unordered chunks in stsc atom.
+
+Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
+in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom()
+this caused buffer overread while trying to calculate trak->end_offset.
+
+Origin: upstream, https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f
+---
+ src/http/modules/ngx_http_mp4_module.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 460d091..dfada7c 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3155,6 +3155,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+
+ next_chunk = ngx_mp4_get_32value(entry->chunk);
+
++ if (next_chunk < chunk) {
++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++ "unordered mp4 stsc chunks in \"%s\"",
++ mp4->file.name.data);
++ return NGX_ERROR;
++ }
++
+ ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
+ "sample:%uD, chunk:%uD, chunks:%uD, "
+ "samples:%uD, id:%uD",
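Review bot: The added guard tests next_chunk < chunk, so an entry with next_chunk == chunk still passes and produces a zero-length run, giving n = 0 in the computation that CVE-2024-7347-1.patch widens. Please confirm that case is harmless for the following start_sample < n test, or state in the patch description that equal values are accepted on purpose. The guard also returns before the ngx_log_debug5 call, so the only record of a rejected file is the error line, which names the file but not the two chunk values; that is acceptable for a verbatim upstream cherry-pick, but worth knowing when triaging logs.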
diff -Nru nginx-1.22.1/debian/patches/series nginx-1.22.1/debian/patches/series
--- nginx-1.22.1/debian/patches/series 2025-02-17 20:40:29.000000000 +0100
+++ nginx-1.22.1/debian/patches/series 2025-03-12 18:54:39.000000000 +0100
@@ -4,3 +4,5 @@
bug-1024605.patch
bug-973861.patch
CVE-2025-23419.patch
+CVE-2024-7347-1.patch
+CVE-2024-7347-2.patch
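
The [ Reason ] section of the message above limits exposure to builds that include ngx_http_mp4_module and configurations that use the mp4 directive. The following shell check for those two preconditions is an added example, not part of the original message or of the nginx packaging; the function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify exposure from the two preconditions in the report.
# Inputs are plain text so the check can be exercised offline.
#   $1 = output of `nginx -V 2>&1`  (build flags)
#   $2 = output of `nginx -T`       (full effective configuration)
# Prints one of: not-built | built-unused | exposed
mp4_exposure() {
    build=$1
    conf=$2
    case "$build" in
        *--with-http_mp4_module*) ;;
        *) echo "not-built"; return 0 ;;
    esac
    # Drop comments, then look for the bare "mp4;" directive. The pattern does
    # not match mp4_buffer_size / mp4_max_buffer_size, which only tune the module.
    if printf '%s\n' "$conf" | sed 's/#.*//' |
        grep -Eq '(^|[[:space:];{}])mp4[[:space:]]*;'; then
        echo "exposed"
    else
        echo "built-unused"
    fi
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_BUILD='nginx version: nginx/1.22.1
configure arguments: --with-http_ssl_module --with-http_mp4_module'
SAMPLE_CONF_ON='server {
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
}'
SAMPLE_CONF_OFF='server {
    location /video/ {
        # mp4;
        mp4_buffer_size 1m;
    }
}'

mp4_exposure "$SAMPLE_BUILD" "$SAMPLE_CONF_ON"
mp4_exposure "$SAMPLE_BUILD" "$SAMPLE_CONF_OFF"
mp4_exposure 'configure arguments: --with-http_ssl_module' "$SAMPLE_CONF_ON"

# Live use on a host:
#   mp4_exposure "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
```

A result of "exposed" means both preconditions hold; the package version proposed in this upload for bookworm is 1.22.1-9+deb12u2.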