Bug#989095: nginx: diff for NMU version 1.18.0-6.1

Sat, 29 May 2021 08:03:15 -0700 

Control: tags 989095 + patch
Control: tags 989095 + pending


Dear maintainer,

I've prepared an NMU for nginx (versioned as 1.18.0-6.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog
--- nginx-1.18.0/debian/changelog	2020-08-19 15:27:02.000000000 +0200
+++ nginx-1.18.0/debian/changelog	2021-05-29 16:21:37.000000000 +0200
@@ -1,3 +1,11 @@
+nginx (1.18.0-6.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Resolver: fixed off-by-one write in ngx_resolver_copy() (CVE-2021-23017)
+    (Closes: #989095)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 29 May 2021 16:21:37 +0200
+
 nginx (1.18.0-6) unstable; urgency=medium
 
   * Fix GCC-10 compatibility (Closes: #957605).
diff -Nru nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
--- nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch	1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.18.0/debian/patches/Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch	2021-05-29 16:21:37.000000000 +0200
@@ -0,0 +1,39 @@
+From: Maxim Dounin <mdou...@mdounin.ru>
+Date: Tue, 25 May 2021 15:17:36 +0300
+Subject: Resolver: fixed off-by-one write in ngx_resolver_copy().
+Origin: https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf
+Bug-Debian: https://bugs.debian.org/989095
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-23017
+
+Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.
+---
+ src/core/ngx_resolver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index 793907010278..63b26193df4f 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ done:
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {
+-- 
+2.31.1
+
diff -Nru nginx-1.18.0/debian/patches/series nginx-1.18.0/debian/patches/series
--- nginx-1.18.0/debian/patches/series	2020-08-19 15:11:02.000000000 +0200
+++ nginx-1.18.0/debian/patches/series	2021-05-29 16:21:37.000000000 +0200
@@ -1,3 +1,4 @@
 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 CVE-2019-20372.patch
+Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch

Reply via email to