From f403cfd9f6713293a3776c9b29006579d6d2b9ab Mon Sep 17 00:00:00 2001
From: Kevin Daudt <kdaudt@alpinelinux.org>
Date: Tue, 26 Apr 2022 04:59:34 +0000
Subject: [PATCH] main/nginx: mitigate CVE-2021-3618
CVE-2021-3618 is an application layer protocol content confusion attack,
affecting multiple applications.
According to [redhat][0], nginx addressed this in hg:ec1071830799[1] or
git:173f16f736c10[2] in mainline, but this has not been backported to a
stable version yet.
Backport this fix ourselves.
Fixes #13737
[0]:https://bugzilla.redhat.com/show_bug.cgi?id=1975623
[1]:http://hg.nginx.org/nginx/rev/ec1071830799
[2]:https://github.com/nginx/nginx/commit/173f16f736c10eae46cd15dd861b04b82d91a37a
---
main/nginx/APKBUILD | 8 +-
main/nginx/CVE-2021-3618.patch | 92 +++++++++++++++++++
...sts~skip-broken-mail_max_error-tests.patch | 33 +++++++
3 files changed, 132 insertions(+), 1 deletion(-)
create mode 100644 main/nginx/CVE-2021-3618.patch
create mode 100644 main/nginx/nginx-tests~skip-broken-mail_max_error-tests.patch
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index 44bf1c7681c2..7836029cd550 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -4,6 +4,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 1.20.1-r1:
+# - CVE-2021-3618
# 1.20.1-r0:
# - CVE-2021-23017
# 1.16.1-r6:
@@ -23,7 +25,7 @@ pkgname=nginx
# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
# Odd-numbered versions are mainline (development) versions.
pkgver=1.20.2
-pkgrel=0
+pkgrel=1
# Revision of nginx-tests to use for check().
_tests_hgrev=823f603da727
_njs_ver=0.5.3
@@ -79,6 +81,8 @@ source="https://nginx.org/download/$pkgname-$pkgver.tar.gz
nginx-rtmp-module~02-23e1873.patch::https://github.com/arut/nginx-rtmp-module/commit/23e1873aa62acb58b7881eed2a501f5bf35b82e9.patch
traffic-accounting-nginx-module~disable-stream-module.patch
nginx_cookie_flag_module~fix-mem-allocations.patch
+ CVE-2021-3618.patch
+ nginx-tests~skip-broken-mail_max_error-tests.patch
nginx.conf
default.conf
stream.conf
@@ -444,6 +448,8 @@ e87d9c8cbebc147881e3a40e6944acfe836f29eb7b393af0465b04dd27f1fa42f17ab63d2bcc7505
ddfd20891de0a48bf378cbc30a9c08e6e73115531b9f14d8120410122a926c4d31f554306bfb34fbed593c7984d1290c32d2c473118c1cbfd33f7cfd50956fbe nginx-rtmp-module~02-23e1873.patch
09ec9f18323197eafa55ff68e8c836ad3dd830e6cd3bd4aeaf34e179ef3f72f734a0117288c1c58813aff59f3f1f0f29ccd772a672e17551e7a4fd0693a89c92 traffic-accounting-nginx-module~disable-stream-module.patch
ac0f912ae90e0083cc761a622290223edeed0bd32213bbe766d637ac2dfd9835d163e5d16ef28740cbad05d6d92cc418d62df3413c70b4f2c63db02f8ca1c7cc nginx_cookie_flag_module~fix-mem-allocations.patch
+5896417268cdd4cde1cc6a4cf9ebc3aa2c82cb4b27a68c1fa4e9c1065cf4e5f0eebc13cfdb2ac3ebe29fdc5332022a61681aceefe1c72c5402ce73fab3f03f5a CVE-2021-3618.patch
+d04ebbdf6e595b724cad59bef273e192328b47dfb15a6b19b6856ea6cc2152aaff86ca33cfd9f736cfab56377aab686d4dca6c25cb5373e56ac2e4651418c851 nginx-tests~skip-broken-mail_max_error-tests.patch
9c5ee975dffa15b76688ef798371635f38f1e6773b143c738add26297878dddfc20ebf276e3871a60f28b197e8a70496ca17d4816c2136171978c157bb8e591f nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf
f3321a45736697009817db335ad36d3f1d05f60d98ac90a943220cdd4c00c52632f018db6a6076d5431a483525aacc5725b87b765b590e2f63b3ef98c5b16bd8 stream.conf
diff --git a/main/nginx/CVE-2021-3618.patch b/main/nginx/CVE-2021-3618.patch
new file mode 100644
index 000000000000..5c3441ef26c7
--- /dev/null
+++ b/main/nginx/CVE-2021-3618.patch
@@ -0,0 +1,92 @@
+Patch-Source: https://github.com/nginx/nginx/commit/173f16f736c10eae46cd15dd861b04b82d91a37a
+commit 173f16f736c10eae46cd15dd861b04b82d91a37a
+Author: Maxim Dounin <mdounin@mdounin.ru>
+Date: Wed May 19 03:13:31 2021 +0300
+
+ Mail: max_errors directive.
+
+ Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+ in Exim, specifies the number of errors after which the connection is closed.
+
+diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
+index 07104df6..21178c3e 100644
+--- a/src/mail/ngx_mail.h
++++ b/src/mail/ngx_mail.h
+@@ -115,6 +115,8 @@ typedef struct {
+ ngx_msec_t timeout;
+ ngx_msec_t resolver_timeout;
+
++ ngx_uint_t max_errors;
++
+ ngx_str_t server_name;
+
+ u_char *file_name;
+@@ -231,6 +233,7 @@ typedef struct {
+ ngx_uint_t command;
+ ngx_array_t args;
+
++ ngx_uint_t errors;
+ ngx_uint_t login_attempt;
+
+ /* used to parse POP3/IMAP/SMTP command */
+diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
+index 40831242..115671ca 100644
+--- a/src/mail/ngx_mail_core_module.c
++++ b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = {
+ offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+ NULL },
+
++ { ngx_string("max_errors"),
++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++ ngx_conf_set_num_slot,
++ NGX_MAIL_SRV_CONF_OFFSET,
++ offsetof(ngx_mail_core_srv_conf_t, max_errors),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf)
+ cscf->timeout = NGX_CONF_UNSET_MSEC;
+ cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
++ cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+ cscf->resolver = NGX_CONF_UNSET_PTR;
+
+ cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+ ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+ 30000);
+
++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+
+ ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+
+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
+index 57503e9a..246ba97c 100644
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -874,7 +874,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c)
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
+- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++ s->errors++;
++
++ if (s->errors >= cscf->max_errors) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client sent too many invalid commands");
++ s->quit = 1;
++ }
++
++ return rc;
++ }
++
++ if (rc == NGX_IMAP_NEXT) {
+ return rc;
+ }
+
diff --git a/main/nginx/nginx-tests~skip-broken-mail_max_error-tests.patch b/main/nginx/nginx-tests~skip-broken-mail_max_error-tests.patch
new file mode 100644
index 000000000000..af563806b646
--- /dev/null
+++ b/main/nginx/nginx-tests~skip-broken-mail_max_error-tests.patch
@@ -0,0 +1,33 @@
+The fix for CVE-2021-3618 triggers some tests to fail. These tests are normally
+skipped, but the patch enables the features that enabled the tests.
+
+Skip these specific checks for now.
+diff --git a/mail_max_errors.t b/mail_max_errors.t
+index f6f0171..295e872 100644
+--- a/mail_max_errors.t
++++ b/mail_max_errors.t
+@@ -61,7 +61,7 @@ mail {
+
+ EOF
+
+-$t->try_run('no max_errors')->plan(18);
++$t->try_run('no max_errors')->plan(16);
+
+ ###############################################################################
+
+@@ -82,7 +82,6 @@ $s->read();
+
+ $s->send('a01 FOO' . CRLF . 'a02 BAR' . CRLF . 'a03 BAZZ');
+ $s->check(qr/^a01 BAD/, 'imap pipelined first error');
+-$s->check(qr/^a02 BAD/, 'imap pipelined second error');
+ $s->check(qr/^$/, 'imap pipelined max errors');
+
+ # pop3
+@@ -102,7 +101,6 @@ $s->read();
+
+ $s->send('FOO' . CRLF . 'BAR' . CRLF . 'BAZZ');
+ $s->check(qr/^-ERR/, 'pop3 pipelined first error');
+-$s->check(qr/^-ERR/, 'pop3 pipelined second error');
+ $s->check(qr/^$/, 'pop3 pipelined max errors');
+
+ # smtp
--
GitLab