diff --git a/SPECS/nginx/CVE-2025-53859.patch b/SPECS/nginx/CVE-2025-53859.patch new file mode 100644 index 00000000000..8f670b314eb --- /dev/null +++ b/SPECS/nginx/CVE-2025-53859.patch @@ -0,0 +1,141 @@ +From 26aa1129e6d5920c7327991d693edda3aaa9abf3 Mon Sep 17 00:00:00 2001 +From: Azure Linux Security Servicing Account +Date: Tue, 19 Aug 2025 08:05:07 +0000 +Subject: [PATCH] CVE-2025-53859 + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://nginx.org/download/patch.2025.smtp.txt +--- + src/mail/ngx_mail_handler.c | 38 +++++++++++++++++++++---------------- + 1 file changed, 22 insertions(+), 16 deletions(-) + +diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c +index 1167df3..d3be7f3 100644 +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c) + ngx_int_t + ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + { +- u_char *p, *last; ++ u_char *p, *pos, *last; + ngx_str_t *arg, plain; + + arg = s->args.elts; +@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.data = p; ++ pos = p; + + while (p < last && *p) { p++; } + +@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.len = p++ - s->login.data; ++ s->login.len = p++ - pos; ++ s->login.data = pos; + + s->passwd.len = last - p; + s->passwd.data = p; +@@ -583,24 +584,26 @@ ngx_int_t + ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c, + ngx_uint_t n) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &arg[n]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->login = login; ++ + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &s->login); + +@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c, + ngx_int_t + ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, passwd; + + arg = s->args.elts; + +@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c) + "mail auth login password: \"%V\"", &arg[0]); + #endif + +- s->passwd.data = ngx_pnalloc(c->pool, +- ngx_base64_decoded_length(arg[0].len)); +- if (s->passwd.data == NULL) { ++ passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (passwd.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->passwd = passwd; ++ + #if (NGX_DEBUG_MAIL_PASSWD) + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login password: \"%V\"", &s->passwd); +@@ -674,24 +678,26 @@ ngx_int_t + ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c) + { + u_char *p, *last; +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth cram-md5: \"%V\"", &arg[0]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH CRAM-MD5 command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->login = login; ++ + p = s->login.data; + last = p + s->login.len; + +-- +2.45.4 + diff --git a/SPECS/nginx/nginx.spec b/SPECS/nginx/nginx.spec index 4eb55e7c811..cbb5bb719ad 100644 --- a/SPECS/nginx/nginx.spec +++ b/SPECS/nginx/nginx.spec @@ -6,7 +6,7 @@ Name: nginx # Currently on "stable" version of nginx from https://nginx.org/en/download.html. # Note: Stable versions are even (1.20), mainline versions are odd (1.21) Version: 1.25.4 -Release: 4%{?dist} +Release: 5%{?dist} License: BSD-2-Clause Vendor: Microsoft Corporation Distribution: Azure Linux @@ -22,6 +22,7 @@ Source3: nginx-tests.tgz Patch0: CVE-2024-7347.patch Patch1: CVE-2025-23419.patch +Patch2: CVE-2025-53859.patch BuildRequires: libxml2-devel BuildRequires: libxslt-devel BuildRequires: openssl-devel @@ -163,6 +164,9 @@ rm -rf nginx-tests %dir %{_sysconfdir}/%{name} %changelog +* Tue Aug 19 2025 Azure Linux Security Servicing Account - 1.25.4-5 +- Patch for CVE-2025-53859 + * Tue Mar 11 2025 Sandeep Karambelkar - 1.25.4-4 - Enable webdav module - Added tests to verify nginx server and its supported modules