!117 [sync] PR-116: backport upstreams to fixed memory leak on configuration reload with PCRE2

From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

backport-CVE-2024-7347.patch

@@ -0,0 +1,43 @@
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3099,7 +3099,8 @@ static ngx_int_t
+ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+     ngx_http_mp4_trak_t *trak, ngx_uint_t start)
+ {
+-    uint32_t               start_sample, chunk, samples, id, next_chunk, n,
++    uint64_t               n;
++    uint32_t               start_sample, chunk, samples, id, next_chunk,
+                            prev_samples;
+     ngx_buf_t             *data, *buf;
+     ngx_uint_t             entries, target_chunk, chunk_samples;
+@@ -3155,12 +3156,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4
+ 
+         next_chunk = ngx_mp4_get_32value(entry->chunk);
+ 
++        if (next_chunk < chunk) {
++            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                          "unordered mp4 stsc chunks in \"%s\"",
++                          mp4->file.name.data);
++            return NGX_ERROR;
++        }
++
+         ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
+                        "sample:%uD, chunk:%uD, chunks:%uD, "
+                        "samples:%uD, id:%uD",
+                        start_sample, chunk, next_chunk - chunk, samples, id);
+ 
+-        n = (next_chunk - chunk) * samples;
++        n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+         if (start_sample < n) {
+             goto found;
+@@ -3182,7 +3190,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4
+                    "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
+                    start_sample, chunk, next_chunk - chunk, samples);
+ 
+-    n = (next_chunk - chunk) * samples;
++    n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+     if (start_sample > n) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,

backport-CVE-2025-23419.patch

@@ -0,0 +1,69 @@
+From 13935cf9fdc3c8d8278c70716417d3b71c36140e Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Wed, 22 Jan 2025 18:55:44 +0400
+Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session
+ resumption.
+
+In OpenSSL, session resumption always happens in the default SSL context,
+prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
+protocols, SSL_get_servername() returns values received in the resumption
+handshake, which may be different from the value in the initial handshake.
+Notably, this makes the restriction added in b720f650b insufficient for
+sessions resumed with different SNI server name.
+
+Considering the example from b720f650b, previously, a client was able to
+request example.org by presenting a certificate for example.org, then to
+resume and request example.com.
+
+The fix is to reject handshakes resumed with a different server name, if
+verification of client certificates is enabled in a corresponding server
+configuration.
+---
+ src/http/ngx_http_request.c        | 27 +++++++++++++++++++++++++--
+ 1 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 3cca57cf5ee..9593b7fb506 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+ 
++    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION                                                   \
++     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++    /*
++     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++     * but servername being negotiated in every TLSv1.3 handshake
++     * is only returned in OpenSSL 1.1.1+ as well
++     */
++
++    if (sscf->verify) {
++        const char  *hostname;
++
++        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++            c->ssl->handshake_rejected = 1;
++            *ad = SSL_AD_ACCESS_DENIED;
++            return SSL_TLSEXT_ERR_ALERT_FATAL;
++        }
++    }
++
++#endif
++
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     ngx_set_connection_log(c, clcf->error_log);
+ 
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+ 
+     if (sscf->ssl.ctx) {

backport-Core-fixed-memory-leak-on-configuration-reload-with-PCRE2.patch

@@ -0,0 +1,54 @@
+From 284a0c73771e3a2c57af6e74d96d9a6878b2e7b4 Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Tue, 17 Oct 2023 02:39:38 +0300
+Subject: [PATCH] Core: fixed memory leak on configuration reload with PCRE2.
+
+In ngx_regex_cleanup() allocator wasn't configured when calling
+pcre2_compile_context_free() and pcre2_match_data_free(), resulting
+in no ngx_free() call and leaked memory.  Fix is ensure that allocator
+is configured for global allocations, so that ngx_free() is actually
+called to free memory.
+
+Additionally, ngx_regex_compile_context was cleared in
+ngx_regex_module_init().  It should be either not cleared, so it will
+be freed by ngx_regex_cleanup(), or properly freed.  Fix is to
+not clear it, so ngx_regex_cleanup() will be able to free it.
+
+Reported by ZhenZhong Wu,
+https://mailman.nginx.org/pipermail/nginx-devel/2023-September/3Z5FIKUDRN2WBSL3JWTZJ7SXDA6YIWPB.html
+---
+ src/core/ngx_regex.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/ngx_regex.c b/src/core/ngx_regex.c
+index 91381f49942..5b13c5db389 100644
+--- a/src/core/ngx_regex.c
++++ b/src/core/ngx_regex.c
+@@ -600,6 +600,8 @@ ngx_regex_cleanup(void *data)
+      * the new cycle, these will be re-allocated.
+      */
+ 
++    ngx_regex_malloc_init(NULL);
++
+     if (ngx_regex_compile_context) {
+         pcre2_compile_context_free(ngx_regex_compile_context);
+         ngx_regex_compile_context = NULL;
+@@ -611,6 +613,8 @@ ngx_regex_cleanup(void *data)
+         ngx_regex_match_data_size = 0;
+     }
+ 
++    ngx_regex_malloc_done();
++
+ #endif
+ }
+ 
+@@ -706,9 +710,6 @@ ngx_regex_module_init(ngx_cycle_t *cycle)
+     ngx_regex_malloc_done();
+ 
+     ngx_regex_studies = NULL;
+-#if (NGX_PCRE2)
+-    ngx_regex_compile_context = NULL;
+-#endif
+ 
+     return NGX_OK;
+ }

backport-Fixed-segfault-if-regex-studies-list-allocation-fails.patch

@@ -0,0 +1,34 @@
+From 25c546ac37ba622b93c1a7075bd7eb447bac17b2 Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Tue, 18 Apr 2023 06:28:46 +0300
+Subject: [PATCH] Fixed segfault if regex studies list allocation fails.
+
+The rcf->studies list is unconditionally accessed by ngx_regex_cleanup(),
+and this used to cause NULL pointer dereference if allocation
+failed.  Fix is to set cleanup handler only when allocation succeeds.
+---
+ src/core/ngx_regex.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/ngx_regex.c b/src/core/ngx_regex.c
+index bebf3b6a83e..91381f49942 100644
+--- a/src/core/ngx_regex.c
++++ b/src/core/ngx_regex.c
+@@ -732,14 +732,14 @@ ngx_regex_create_conf(ngx_cycle_t *cycle)
+         return NULL;
+     }
+ 
+-    cln->handler = ngx_regex_cleanup;
+-    cln->data = rcf;
+-
+     rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t));
+     if (rcf->studies == NULL) {
+         return NULL;
+     }
+ 
++    cln->handler = ngx_regex_cleanup;
++    cln->data = rcf;
++
+     ngx_regex_studies = rcf->studies;
+ 
+     return rcf;

nginx.spec

@@ -16,8 +16,8 @@
 
 Name:              nginx
 Epoch:             1
-Version:           1.23.3
-Release:           2
+Version:           1.24.0
+Release:           5
 Summary:           A HTTP server, reverse proxy and mail proxy server
 License:           BSD
 URL:               http://nginx.org/
@@ -40,6 +40,11 @@ Patch0:            nginx-auto-cc-gcc.patch
 Patch1:            nginx-1.12.1-logs-perm.patch
 Patch2:            nginx-fix-pidfile.patch
 Patch3:            backport-CVE-2023-44487.patch
+# https://nginx.org/download/patch.2024.mp4.txt
+Patch4:            backport-CVE-2024-7347.patch
+Patch5:            backport-CVE-2025-23419.patch
+Patch6:            backport-Fixed-segfault-if-regex-studies-list-allocation-fails.patch
+Patch7:            backport-Core-fixed-memory-leak-on-configuration-reload-with-PCRE2.patch
 
 BuildRequires:     gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel
 Requires:          nginx-filesystem = %{epoch}:%{version}-%{release} openssl
@@ -387,6 +392,21 @@ fi
 %{_mandir}/man8/nginx.8*
 
 %changelog
+* Wed Apr 02 2025 gaihuiying <eaglegai@163.com> - 1:1.24.0-5
+- backport upstreams to fixed memory leak on configuration reload with PCRE2
+
+* Wed Apr 02 2025 gaihuiying <eaglegai@163.com> - 1:1.24.0-4
+- backport upstreams to fix possible segfault
+
+* Thu Feb 06 2025 gaihuiying <eaglegai@163.com> - 1:1.24.0-3
+- fix CVE-2025-23419
+
+* Thu Aug 15 2024 Funda Wang <fundawang@yeah.net> - 1:1.24.0-2
+- fix CVE-2024-7347
+
+* Tue Jan 02 2024 gaihuiying <eaglegai@163.com> - 1:1.24.0-1
+- update nginx to 1.24.0
+
 * Thu Oct 19 2023 yanglu <yanglu72@h-partners.com> - 1:1.23.3-2
 - fix CVE-2023-44487