main/nginx: fix CVE-2019-20372

fixes #11134 skip pkgrel=5 due to bad commit 732a2a015029 (main/nginx: fix CVE-2019-20372) in master.
author: Natanael Copa <ncopa@alpinelinux.org> 2020-01-16 16:03:50 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2020-01-16 21:28:57 +0100
commit: dd81abbcbedbddfc50c0d20af4559ecc142d2278 (patch)
tree: eb2ec1506f9713c81f76b57b45173724d514acb2
parent: 0883c9ddd66fa981fe993434cb3bab2593e299e4 (diff)
download: alpine_aports-dd81abbcbedbddfc50c0d20af4559ecc142d2278.tar.bz2
alpine_aports-dd81abbcbedbddfc50c0d20af4559ecc142d2278.tar.xz
alpine_aports-dd81abbcbedbddfc50c0d20af4559ecc142d2278.zip
2 files changed, 33 insertions, 1 deletions
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index d51ff8cba6..661ffc38f0 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -4,6 +4,8 @@
 # Contributor: Jakub Jirutka <jakub@jirutka.cz>
 #
 # secfixes:
+#   1.16.1-r6:
+#     - CVE-2019-20372
 #   1.16.1-r0:
 #     - CVE-2019-9511
 #     - CVE-2019-9513
@@ -19,7 +21,7 @@ pkgname=nginx
 # NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
 # Odd-numbered versions are mainline (development) versions.
 pkgver=1.16.1
-pkgrel=4
+pkgrel=6
 # Revision of nginx-tests to use for check().
 _tests_hgrev=40e5f2a0a238
 _njs_ver=0.3.5
@@ -62,6 +64,7 @@ replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp"
 source="https://nginx.org/download/$pkgname-$pkgver.tar.gz
        $pkgname-tests-$_tests_hgrev.tar.gz::https://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
        $pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz
+        CVE-2019-20372.patch
        nginx.conf
        default.conf
        $pkgname.logrotate
@@ -350,6 +353,7 @@ _module() {
 sha512sums="17e95b43fa47d4fef5e652dea587518e16ab5ec562c9c94355c356440166d4b6a6a41ee520d406e5a34791a327d2e3c46b3f9b105ac9ce07afdd495c49eca437  nginx-1.16.1.tar.gz
 69ebc81dba60c062e3a0e1ba0a7e1f2c2bf74f38f2bbd4dd0c5608e6c6965b819dc3c57fe21b596c1faceef61bc4a1c804eb9634f8824d62bc9293d17cd2bab2  nginx-tests-40e5f2a0a238.tar.gz
 e7e11b5ed8703adac1d4fb3b8e82731f868eb6c1cad405e9664f3761733ebfaa9a122517ac78cf4ef93d8d78cdb58d36bdbd96dff164079a3a18e9eba60f4aae  nginx-njs-0.3.5.tar.gz
+3d70fecd28a3c7b126aa06404ebb3a0fa71659abb710ecf441208b6735bda80493265410bebb4cecbb2fffa589fede75897b7f7d2da9def2482c75ac85b02b30  CVE-2019-20372.patch
 ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41  nginx.conf
 0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3  default.conf
 09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb  nginx.logrotate
diff --git a/main/nginx/CVE-2019-20372.patch b/main/nginx/CVE-2019-20372.patch
new file mode 100644
index 0000000000..7329261e55
--- /dev/null
+++ b/main/nginx/CVE-2019-20372.patch
@@ -0,0 +1,28 @@
+From c1be55f97211d38b69ac0c2027e6812ab8b1b94e Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
+index 4ffb2cc8ad..76e6705889 100644
+--- a/src/http/ngx_http_special_response.c
+++ b/src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+         return ngx_http_named_location(r, &uri);
+     }
+ 
+    r->expect_tested = 1;
+
+    if (ngx_http_discard_request_body(r) != NGX_OK) {
+        r->keepalive = 0;
+    }
+
+     location = ngx_list_push(&r->headers_out.headers);
+ 
+     if (location == NULL) {
author	Natanael Copa <ncopa@alpinelinux.org>	2020-01-16 16:03:50 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2020-01-16 21:28:57 +0100
commit	dd81abbcbedbddfc50c0d20af4559ecc142d2278 (patch)
tree	eb2ec1506f9713c81f76b57b45173724d514acb2
parent	0883c9ddd66fa981fe993434cb3bab2593e299e4 (diff)
download	alpine_aports-dd81abbcbedbddfc50c0d20af4559ecc142d2278.tar.bz2 alpine_aports-dd81abbcbedbddfc50c0d20af4559ecc142d2278.tar.xz alpine_aports-dd81abbcbedbddfc50c0d20af4559ecc142d2278.zip

diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD index d51ff8cba6..661ffc38f0 100644 --- a/main/nginx/APKBUILD +++ b/main/nginx/APKBUILD
@@ -4,6 +4,8 @@
4	# Contributor: Jakub Jirutka <jakub@jirutka.cz>	4	# Contributor: Jakub Jirutka <jakub@jirutka.cz>
5	#	5	#
6	# secfixes:	6	# secfixes:
		7	# 1.16.1-r6:
		8	# - CVE-2019-20372
7	# 1.16.1-r0:	9	# 1.16.1-r0:
8	# - CVE-2019-9511	10	# - CVE-2019-9511
9	# - CVE-2019-9513	11	# - CVE-2019-9513
@@ -19,7 +21,7 @@ pkgname=nginx
19	# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!	21	# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
20	# Odd-numbered versions are mainline (development) versions.	22	# Odd-numbered versions are mainline (development) versions.
21	pkgver=1.16.1	23	pkgver=1.16.1
22	pkgrel=4	24	pkgrel=6
23	# Revision of nginx-tests to use for check().	25	# Revision of nginx-tests to use for check().
24	_tests_hgrev=40e5f2a0a238	26	_tests_hgrev=40e5f2a0a238
25	_njs_ver=0.3.5	27	_njs_ver=0.3.5
@@ -62,6 +64,7 @@ replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp"
62	source="https://nginx.org/download/$pkgname-$pkgver.tar.gz	64	source="https://nginx.org/download/$pkgname-$pkgver.tar.gz
63	$pkgname-tests-$_tests_hgrev.tar.gz::https://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz	65	$pkgname-tests-$_tests_hgrev.tar.gz::https://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
64	$pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz	66	$pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz
		67	CVE-2019-20372.patch
65	nginx.conf	68	nginx.conf
66	default.conf	69	default.conf
67	$pkgname.logrotate	70	$pkgname.logrotate
@@ -350,6 +353,7 @@ _module() {
350	sha512sums="17e95b43fa47d4fef5e652dea587518e16ab5ec562c9c94355c356440166d4b6a6a41ee520d406e5a34791a327d2e3c46b3f9b105ac9ce07afdd495c49eca437 nginx-1.16.1.tar.gz	353	sha512sums="17e95b43fa47d4fef5e652dea587518e16ab5ec562c9c94355c356440166d4b6a6a41ee520d406e5a34791a327d2e3c46b3f9b105ac9ce07afdd495c49eca437 nginx-1.16.1.tar.gz
351	69ebc81dba60c062e3a0e1ba0a7e1f2c2bf74f38f2bbd4dd0c5608e6c6965b819dc3c57fe21b596c1faceef61bc4a1c804eb9634f8824d62bc9293d17cd2bab2 nginx-tests-40e5f2a0a238.tar.gz	354	69ebc81dba60c062e3a0e1ba0a7e1f2c2bf74f38f2bbd4dd0c5608e6c6965b819dc3c57fe21b596c1faceef61bc4a1c804eb9634f8824d62bc9293d17cd2bab2 nginx-tests-40e5f2a0a238.tar.gz
352	e7e11b5ed8703adac1d4fb3b8e82731f868eb6c1cad405e9664f3761733ebfaa9a122517ac78cf4ef93d8d78cdb58d36bdbd96dff164079a3a18e9eba60f4aae nginx-njs-0.3.5.tar.gz	355	e7e11b5ed8703adac1d4fb3b8e82731f868eb6c1cad405e9664f3761733ebfaa9a122517ac78cf4ef93d8d78cdb58d36bdbd96dff164079a3a18e9eba60f4aae nginx-njs-0.3.5.tar.gz
		356	3d70fecd28a3c7b126aa06404ebb3a0fa71659abb710ecf441208b6735bda80493265410bebb4cecbb2fffa589fede75897b7f7d2da9def2482c75ac85b02b30 CVE-2019-20372.patch
353	ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41 nginx.conf	357	ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41 nginx.conf
354	0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf	358	0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf
355	09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb nginx.logrotate	359	09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb nginx.logrotate


diff --git a/main/nginx/CVE-2019-20372.patch b/main/nginx/CVE-2019-20372.patch new file mode 100644 index 0000000000..7329261e55 --- /dev/null +++ b/main/nginx/CVE-2019-20372.patch
@@ -0,0 +1,28 @@
		1	From c1be55f97211d38b69ac0c2027e6812ab8b1b94e Mon Sep 17 00:00:00 2001
		2	From: Ruslan Ermilov <ru@nginx.com>
		3	Date: Mon, 23 Dec 2019 15:45:46 +0300
		4	Subject: [PATCH] Discard request body when redirecting to a URL via
		5	error_page.
		6
		7	Reported by Bert JW Regeer and Francisco Oca Gonzalez.
		8	---
		9	src/http/ngx_http_special_response.c \| 6 ++++++
		10	1 file changed, 6 insertions(+)
		11
		12	diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
		13	index 4ffb2cc8ad..76e6705889 100644
		14	--- a/src/http/ngx_http_special_response.c
		15	+++ b/src/http/ngx_http_special_response.c
		16	@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t r, ngx_http_err_page_t err_page)
		17	return ngx_http_named_location(r, &uri);
		18	}
		19
		20	+ r->expect_tested = 1;
		21	+
		22	+ if (ngx_http_discard_request_body(r) != NGX_OK) {
		23	+ r->keepalive = 0;
		24	+ }
		25	+
		26	location = ngx_list_push(&r->headers_out.headers);
		27
		28	if (location == NULL) {