From: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
To: Steve Sakoman <steve@sakoman.com>,
Manoj Saun <manojsingh.saun@windriver.com>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
"narpat.mali@windriver.com" <narpat.mali@windriver.com>
Subject: RE: [OE-core] [meta-secure-core][kirkstone][PATCH 1/1] Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com>
Date: Wed, 23 Nov 2022 16:06:45 +0000 [thread overview]
Message-ID: <d5c46372a26e4fa0836d301383d3d86d@axis.com> (raw)
In-Reply-To: <CAOSpxdYRTwRyRNrKYuAAbuexxZVCepFtNWOtW=vd2JvKzbSg1A@mail.gmail.com>
The commit message also needs to be rewritten to follow the
common praxis for the repositories.
//Peter
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Steve Sakoman
> Sent: den 23 november 2022 16:44
> To: Manoj Saun <manojsingh.saun@windriver.com>
> Cc: openembedded-core@lists.openembedded.org; narpat.mali@windriver.com
> Subject: Re: [OE-core] [meta-secure-core][kirkstone][PATCH 1/1] Signed-
> off-by: Manoj Saun <manojsingh.saun@windriver.com>
>
> This is the wrong mailing list for your patch since it is for
> meta-openembedded, not oe-core. You should send it to:
> openembedded-devel@lists.openembedded.org
>
> Steve
>
> On Wed, Nov 23, 2022 at 5:23 AM Manoj Saun
> <manojsingh.saun@windriver.com> wrote:
> >
> > -> nginx: fix CVE-2022-41741
> >
> > -> nginx: disabled duplicate atoms.
> >
> > -> Reference:
> > -> https://nvd.nist.gov/vuln/detail/CVE-2022-41742
> >
> > -> Upstream fixes:
> > ->
> https://github.com/nginx/nginx/commit/0d23105373e6d8a720b9826079c077b9b4be
> 919d
> >
> > -> (LOCAL REV: NOT UPSTREAM) -- Not applicable, upstream out of
> maintenance
> > ---
> > .../0001-Mp4-disabled-duplicate-atoms.patch | 313 ++++++++++++++++++
> > meta-webserver/recipes-httpd/nginx/nginx.inc | 1 +
> > 2 files changed, 314 insertions(+)
> > create mode 100644 meta-webserver/recipes-httpd/nginx/files/0001-Mp4-
> disabled-duplicate-atoms.patch
> >
> > diff --git a/meta-webserver/recipes-httpd/nginx/files/0001-Mp4-disabled-
> duplicate-atoms.patch b/meta-webserver/recipes-httpd/nginx/files/0001-Mp4-
> disabled-duplicate-atoms.patch
> > new file mode 100644
> > index 000000000..0b0753c4c
> > --- /dev/null
> > +++ b/meta-webserver/recipes-httpd/nginx/files/0001-Mp4-disabled-
> duplicate-atoms.patch
> > @@ -0,0 +1,313 @@
> > +From 0d23105373e6d8a720b9826079c077b9b4be919d Mon Sep 17 00:00:00 2001
> > +From: Roman Arutyunyan <arut@nginx.com>
> > +Date: Wed, 19 Oct 2022 10:53:17 +0300
> > +Subject: [PATCH] Mp4: disabled duplicate atoms.
> > +
> > +Most atoms should not appear more than once in a container.
> Previously,
> > +this was not enforced by the module, which could result in worker
> process
> > +crash, memory corruption and disclosure.
> > +---
> > + src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++
> > + 1 file changed, 147 insertions(+)
> > +
> > +diff --git a/src/http/modules/ngx_http_mp4_module.c
> b/src/http/modules/ngx_http_mp4_module.c
> > +index 5721efbe..75a7315f 100644
> > +--- a/src/http/modules/ngx_http_mp4_module.c
> > ++++ b/src/http/modules/ngx_http_mp4_module.c
> > +@@ -1121,6 +1121,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + return NGX_ERROR;
> > + }
> > +
> > ++ if (mp4->ftyp_atom.buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 ftyp atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t)
> atom_data_size;
> > +
> > + ftyp_atom = ngx_palloc(mp4->request->pool, atom_size);
> > +@@ -1179,6 +1185,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + return NGX_DECLINED;
> > + }
> > +
> > ++ if (mp4->moov_atom.buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 moov atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + conf = ngx_http_get_module_loc_conf(mp4->request,
> ngx_http_mp4_module);
> > +
> > + if (atom_data_size > mp4->buffer_size) {
> > +@@ -1246,6 +1258,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat
> atom");
> > +
> > ++ if (mp4->mdat_atom.buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 mdat atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + data = &mp4->mdat_data_buf;
> > + data->file = &mp4->file;
> > + data->in_file = 1;
> > +@@ -1372,6 +1390,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd
> atom");
> > +
> > ++ if (mp4->mvhd_atom.buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 mvhd atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom_header = ngx_mp4_atom_header(mp4);
> > + mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header;
> > + mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header;
> > +@@ -1637,6 +1661,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t)
> atom_data_size;
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > ++
> > ++ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 tkhd atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + trak->tkhd_size = atom_size;
> > + trak->movie_duration = duration;
> > +
> > +@@ -1676,6 +1707,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > +
> > ++ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 mdia atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom = &trak->mdia_atom_buf;
> > + atom->temporary = 1;
> > + atom->pos = atom_header;
> > +@@ -1799,6 +1836,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t)
> atom_data_size;
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > ++
> > ++ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 mdhd atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + trak->mdhd_size = atom_size;
> > + trak->timescale = timescale;
> > + trak->duration = duration;
> > +@@ -1862,6 +1906,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > +
> > ++ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 hdlr atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom = &trak->hdlr_atom_buf;
> > + atom->temporary = 1;
> > + atom->pos = atom_header;
> > +@@ -1890,6 +1940,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > +
> > ++ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 minf atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom = &trak->minf_atom_buf;
> > + atom->temporary = 1;
> > + atom->pos = atom_header;
> > +@@ -1933,6 +1989,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > +
> > ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
> > ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
> > ++ {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 vmhd/smhd atom in \"%s\"",
> > ++ mp4->file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom = &trak->vmhd_atom_buf;
> > + atom->temporary = 1;
> > + atom->pos = atom_header;
> > +@@ -1964,6 +2029,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > +
> > ++ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
> > ++ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
> > ++ {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 vmhd/smhd atom in \"%s\"",
> > ++ mp4->file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom = &trak->smhd_atom_buf;
> > + atom->temporary = 1;
> > + atom->pos = atom_header;
> > +@@ -1995,6 +2069,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > +
> > ++ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 dinf atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom = &trak->dinf_atom_buf;
> > + atom->temporary = 1;
> > + atom->pos = atom_header;
> > +@@ -2023,6 +2103,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > +
> > ++ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 stbl atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom = &trak->stbl_atom_buf;
> > + atom->temporary = 1;
> > + atom->pos = atom_header;
> > +@@ -2144,6 +2230,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > +
> > ++ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 stsd atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + atom = &trak->stsd_atom_buf;
> > + atom->temporary = 1;
> > + atom->pos = atom_header;
> > +@@ -2212,6 +2304,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t);
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > ++
> > ++ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 stts atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + trak->time_to_sample_entries = entries;
> > +
> > + atom = &trak->stts_atom_buf;
> > +@@ -2480,6 +2579,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + "sync sample entries:%uD", entries);
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > ++
> > ++ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 stss atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + trak->sync_samples_entries = entries;
> > +
> > + atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t);
> > +@@ -2678,6 +2784,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + "composition offset entries:%uD", entries);
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > ++
> > ++ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 ctts atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + trak->composition_offset_entries = entries;
> > +
> > + atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t);
> > +@@ -2881,6 +2994,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t);
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > ++
> > ++ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 stsc atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + trak->sample_to_chunk_entries = entries;
> > +
> > + atom = &trak->stsc_atom_buf;
> > +@@ -3213,6 +3333,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + "sample uniform size:%uD, entries:%uD", size,
> entries);
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > ++
> > ++ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 stsz atom in \"%s\"", mp4-
> >file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + trak->sample_sizes_entries = entries;
> > +
> > + atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t);
> > +@@ -3396,6 +3523,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + atom_end = atom_table + entries * sizeof(uint32_t);
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > ++
> > ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
> > ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
> > ++ {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 stco/co64 atom in \"%s\"",
> > ++ mp4->file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + trak->chunks = entries;
> > +
> > + atom = &trak->stco_atom_buf;
> > +@@ -3602,6 +3739,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t
> *mp4, uint64_t atom_data_size)
> > + atom_end = atom_table + entries * sizeof(uint64_t);
> > +
> > + trak = ngx_mp4_last_trak(mp4);
> > ++
> > ++ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
> > ++ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
> > ++ {
> > ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
> > ++ "duplicate mp4 stco/co64 atom in \"%s\"",
> > ++ mp4->file.name.data);
> > ++ return NGX_ERROR;
> > ++ }
> > ++
> > + trak->chunks = entries;
> > +
> > + atom = &trak->co64_atom_buf;
> > +--
> > +2.34.1
> > +
> > diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-
> webserver/recipes-httpd/nginx/nginx.inc
> > index dfced3330..754290d3a 100644
> > --- a/meta-webserver/recipes-httpd/nginx/nginx.inc
> > +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
> > @@ -22,6 +22,7 @@ SRC_URI = " \
> > file://nginx-volatile.conf \
> > file://nginx.service \
> > file://nginx-fix-pidfile.patch \
> > + file://0001-Mp4-disabled-duplicate-atoms.patch \
> > "
> >
> > inherit siteinfo update-rc.d useradd systemd
> > --
> > 2.34.1
> >
> >
> >
> >
prev parent reply other threads:[~2022-11-23 16:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-23 15:23 [meta-secure-core][kirkstone][PATCH 1/1] Signed-off-by: Manoj Saun <manojsingh.saun@windriver.com> Manoj Saun
2022-11-23 15:43 ` [OE-core] " Steve Sakoman
2022-11-23 16:06 ` Peter Kjellerstedt [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d5c46372a26e4fa0836d301383d3d86d@axis.com \
--to=peter.kjellerstedt@axis.com \
--cc=manojsingh.saun@windriver.com \
--cc=narpat.mali@windriver.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.