
[meta-webserver,scarthgap,8/8] nginx: fix CVE-2026-32647

Message ID 20260409112208.1119823-8-ankur.tyagi85@gmail.com
State New
Series [meta-oe,scarthgap,1/8] libvncserver: fix CVE-2026-32853 | expand

Commit Message

Ankur Tyagi April 9, 2026, 11:22 a.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

As per the advisory[1] referenced by NVD[2], version 1.28.3 contains the fix.
Backport the commits[3][4] from the 1.28.3 changelog that match the description.

[1] https://my.f5.com/manage/s/article/K000160366
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647
[3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc
[4] https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../nginx/nginx-1.24.0/CVE-2026-32647-1.patch | 77 ++++++++++++++++
 .../nginx/nginx-1.24.0/CVE-2026-32647-2.patch | 87 +++++++++++++++++++
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |  2 +
 3 files changed, 166 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-1.patch
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-2.patch

Patch

diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-1.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-1.patch
new file mode 100644
index 0000000000..506a3fb887
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-1.patch
@@ -0,0 +1,77 @@ 
+From c694db97c62f33d621e73937a63e7b5c206c16c9 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Sat, 21 Feb 2026 12:04:36 +0400
+Subject: [PATCH] Mp4: avoid zero size buffers in output.
+
+Previously, data validation checks did not cover the cases when the output
+contained empty buffers.  Such buffers are considered illegal and produce
+"zero size buf in output" alerts.  The change rejects the mp4 files which
+produce such alerts.
+
+Also, the change fixes possible buffer overread and overwrite that could
+happen while processing empty stco and co64 atoms, as reported by
+Pavel Kohout (Aisle Research) and Tim Becker.
+
+(cherry picked from commit a172c880cb51f882a5dc999437e8b3a4f87630cc)
+
+CVE: CVE-2026-32647
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 041ad263b..13d87cd6a 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+         }
+     }
+ 
+-    if (end_offset < start_offset) {
+-        end_offset = start_offset;
++    if (end_offset <= start_offset) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "no data between start time and end time in \"%s\"",
++                      mp4->file.name.data);
++        return NGX_ERROR;
+     }
+ 
+     mp4->moov_size += 8;
+@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+ 
+     *prev = &mp4->mdat_atom;
+ 
+-    if (start_offset > mp4->mdat_data.buf->file_last) {
++    if (start_offset >= mp4->mdat_data.buf->file_last) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 mdat atom in \"%s\"",
+                       mp4->file.name.data);
+@@ -3416,7 +3419,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
+     if (data) {
+         entries = trak->sample_sizes_entries;
+ 
+-        if (trak->start_sample > entries) {
++        if (trak->start_sample >= entries) {
+             ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                           "start time is out mp4 stsz samples in \"%s\"",
+                           mp4->file.name.data);
+@@ -3591,7 +3594,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
+         return NGX_ERROR;
+     }
+ 
+-    if (trak->start_chunk > trak->chunks) {
++    if (trak->start_chunk >= trak->chunks) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 stco chunks in \"%s\"",
+                       mp4->file.name.data);
+@@ -3806,7 +3809,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
+         return NGX_ERROR;
+     }
+ 
+-    if (trak->start_chunk > trak->chunks) {
++    if (trak->start_chunk >= trak->chunks) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 co64 chunks in \"%s\"",
+                       mp4->file.name.data);
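Review bot: The first nested hunk (ngx_http_mp4_process) changes request-visible behaviour that the recipe commit message does not mention: where `end_offset < start_offset` used to be clamped, `end_offset <= start_offset` now returns `NGX_ERROR` and logs at `NGX_LOG_ERR`. The upstream text describes this as rejecting mp4 files, but the new log string shows the condition depends on the requested start and end times. The four `>` to `>=` changes (mdat, stsz, stco, co64) reject the equal-boundary case under the existing "start time is out mp4 …" messages, so the error log will not separate them from the older out-of-range case. Because a backport should stay identical to upstream, I would document this in the patch header rather than in the code, for example `Note: an empty start/end range is now rejected with "no data between start time and end time" instead of being served.` All five functions start and end outside the hunks shown.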
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-2.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-2.patch
new file mode 100644
index 0000000000..80bf94f5f1
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-32647-2.patch
@@ -0,0 +1,87 @@ 
+From 1742d7fe92ed355ffa5aa68609b96f00f582f3d6 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Mon, 2 Mar 2026 21:12:34 +0400
+Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms.
+
+Previously, a 32-bit overflow could happen while validating atom entries
+count.  This allowed processing of an invalid atom with entrires beyond
+its boundaries with reads and writes outside of the allocated mp4 buffer.
+
+Reported by Prabhav Srinath (sprabhav7).
+
+(cherry picked from commit b23ac73b00313d159a99636c21ef71b828781018)
+
+CVE: CVE-2026-32647
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/http/modules/ngx_http_mp4_module.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 13d87cd6a..015e42c51 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -2297,7 +2297,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "mp4 time-to-sample entries:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t)
+-        + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stts atom too small", mp4->file.name.data);
+@@ -2600,7 +2600,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom->last = atom_table;
+ 
+     if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t)
+-        + entries * sizeof(uint32_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stss atom too small", mp4->file.name.data);
+@@ -2805,7 +2805,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom->last = atom_table;
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t)
+-        + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 ctts atom too small", mp4->file.name.data);
+@@ -2987,7 +2987,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "sample-to-chunk entries:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t)
+-        + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stsc atom too small", mp4->file.name.data);
+@@ -3365,7 +3365,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     if (size == 0) {
+         if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t)
+-            + entries * sizeof(uint32_t) > atom_data_size)
++            + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+         {
+             ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                           "\"%s\" mp4 stsz atom too small",
+@@ -3524,7 +3524,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t)
+-        + entries * sizeof(uint32_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 stco atom too small", mp4->file.name.data);
+@@ -3740,7 +3740,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
+ 
+     if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t)
+-        + entries * sizeof(uint64_t) > atom_data_size)
++        + (uint64_t) entries * sizeof(uint64_t) > atom_data_size)
+     {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "\"%s\" mp4 co64 atom too small", mp4->file.name.data);
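Review bot: The `(uint64_t)` cast widens only the comparison in each of the seven `ngx_http_mp4_read_*_atom` checks (stts, stss, ctts, stsc, stsz, stco, co64). Any later `entries * sizeof(...)` used for pointer arithmetic in those functions lies outside these hunks and would still be computed in `size_t`. That should be harmless once the widened check has passed, provided `atom_data_size` is itself limited to the in-memory mp4 buffer in the 1.24.0 tree, which is not visible here. Since the backport should stay identical to upstream, I would leave the code as is and record the verification in the patch header once done, for example `Note: checked against 1.24.0 and build-tested on a 32-bit target.` Each function begins and ends outside its hunk.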
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index 80cd5e1609..ab15c10596 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -6,6 +6,8 @@  SRC_URI:append = " file://CVE-2023-44487.patch \
                    file://CVE-2026-27651.patch \
                    file://CVE-2026-27654.patch \
                    file://CVE-2026-28753.patch \
+                   file://CVE-2026-32647-1.patch \
+                   file://CVE-2026-32647-2.patch \
 "
 
 SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"