[Pkg-nginx-maintainers] Bug#1112451: trixie-pu: package nginx/1.26.3-3+deb13u1 (fix CVE-2025-53859)

Jan Mojzis janmojzis at debian.org
Fri Aug 29 15:53:35 BST 2025 

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: nginx at packages.debian.org
Control: affects -1 + src:nginx
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
A security issue was identified in ngx_mail_smtp_module,
which might allow an attacker to cause buffer over-read,
potentially resulting in sensitive information leak
in a HTTP request to the authentication server (CVE-2025-53859).

[ Impact ]
The issue happens during the SMTP authentication process and requires
the attacker to make preparations against the target system to extract
the leaked data

[ Tests ]
I have tested nginx package after aplying the patch,
that everything works as before.
- I ran all automated tests
- I tested the functionality using telnet

[ Risks ]
The patch is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
I just added the official patch released by the upstream team.

[ Other info ]
The patch is applied to a part that has not been modified for a long time.
So the fix is the same for sid/forky/trixie/bookworm nginx releases.

debdiff nginx_1.26.3-3.dsc nginx_1.26.3-3+deb13u1.dsc
diff -Nru nginx-1.26.3/debian/changelog nginx-1.26.3/debian/changelog
--- nginx-1.26.3/debian/changelog	2025-05-15 15:31:38.000000000 +0200
+++ nginx-1.26.3/debian/changelog	2025-08-29 16:10:13.000000000 +0200
@@ -1,3 +1,10 @@
+nginx (1.26.3-3+deb13u1) trixie; urgency=medium
+
+  * d/p/CVE-2025-53859.patch add, fix potential information leak
+    in ngx_mail_smtp_module (CVE-2025-53859).
+
+ -- Jan Mojžíš <janmojzis at debian.org>  Fri, 29 Aug 2025 16:10:13 +0200
+
 nginx (1.26.3-3) unstable; urgency=medium

   [ Jan Mojžíš ]
diff -Nru nginx-1.26.3/debian/patches/CVE-2025-53859.patch nginx-1.26.3/debian/patches/CVE-2025-53859.patch
--- nginx-1.26.3/debian/patches/CVE-2025-53859.patch	1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.26.3/debian/patches/CVE-2025-53859.patch	2025-08-29 16:08:48.000000000 +0200
@@ -0,0 +1,132 @@
+Description: CVE-2025-53859
+Origin: https://nginx.org/download/patch.2025.smtp.txt
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111138
+Forwarded: not-needed
+
+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
+index 1167df3fb..d3be7f3b3 100644
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c)
+ ngx_int_t
+ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+ {
+-    u_char     *p, *last;
++    u_char     *p, *pos, *last;
+     ngx_str_t  *arg, plain;
+
+     arg = s->args.elts;
+@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
+-    s->login.data = p;
++    pos = p;
+
+     while (p < last && *p) { p++; }
+
+@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
+-    s->login.len = p++ - s->login.data;
++    s->login.len = p++ - pos;
++    s->login.data = pos;
+
+     s->passwd.len = last - p;
+     s->passwd.data = p;
+@@ -583,24 +584,26 @@ ngx_int_t
+ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+     ngx_uint_t n)
+ {
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, login;
+
+     arg = s->args.elts;
+
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &arg[n]);
+
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+-    if (s->login.data == NULL) {
++    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
++    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+
+-    if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
++    if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
++    s->login = login;
++
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &s->login);
+
+@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+ ngx_int_t
+ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, passwd;
+
+     arg = s->args.elts;
+
+@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+                    "mail auth login password: \"%V\"", &arg[0]);
+ #endif
+
+-    s->passwd.data = ngx_pnalloc(c->pool,
+-                                 ngx_base64_decoded_length(arg[0].len));
+-    if (s->passwd.data == NULL) {
++    passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++    if (passwd.data == NULL) {
+         return NGX_ERROR;
+     }
+
+-    if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
++    if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
++    s->passwd = passwd;
++
+ #if (NGX_DEBUG_MAIL_PASSWD)
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login password: \"%V\"", &s->passwd);
+@@ -674,24 +678,26 @@ ngx_int_t
+ ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+     u_char     *p, *last;
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, login;
+
+     arg = s->args.elts;
+
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth cram-md5: \"%V\"", &arg[0]);
+
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
+-    if (s->login.data == NULL) {
++    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+
+-    if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
++    if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH CRAM-MD5 command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
++    s->login = login;
++
+     p = s->login.data;
+     last = p + s->login.len;
+
diff -Nru nginx-1.26.3/debian/patches/series nginx-1.26.3/debian/patches/series
--- nginx-1.26.3/debian/patches/series	2025-05-15 15:31:38.000000000 +0200
+++ nginx-1.26.3/debian/patches/series	2025-08-29 16:08:48.000000000 +0200
@@ -1,3 +1,4 @@
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 nginx-fix-pidfile.patch
 nginx-ssl_cert_cb_yield.patch
+CVE-2025-53859.patch

More information about the Pkg-nginx-maintainers mailing list