GitList

Browse code

Patch for CVE-2018-16845

Change-Id: I4e14ae1b64f55e292afdea30fd2d625d9d46c439
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6752
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Tested-by: Anish Swaminathan <anishs@vmware.com>

smaliakkal authored on 2019/02/16 09:41:16
Showing 2 changed files

SPECS/nginx/nginx-CVE-2018-16845.patch index 0000000..2d4f246
SPECS/nginx/nginx.spec index e74445c..c00bc7e 100644

SPECS/nginx/nginx-CVE-2018-16845.patch

History View file @ 27c53ac

                     new file mode 100644
@@ -0,0 +1,17 @@
                     +diff -ru a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
                     +--- a/src/http/modules/ngx_http_mp4_module.c	2018-03-20 15:58:32.000000000 +0000
                     +@@ -942,6 +942,13 @@
                     +                 atom_size = ngx_mp4_get_64value(atom_header + 8);
                     +                 atom_header_size = sizeof(ngx_mp4_atom_header64_t);
+                    +
                     ++		if (atom_size < sizeof(ngx_mp4_atom_header64_t)) {
                     ++                    ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
                     ++                                  "\"%s\" mp4 atom is too small:%uL",
                     ++                                  mp4->file.name.data, atom_size);
                     ++                    return NGX_ERROR;
                     ++                }
                     ++
                     +             } else {
                     +                 ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
                     +                               "\"%s\" mp4 atom is too small:%uL",

SPECS/nginx/nginx.spec

History View file @ 27c53ac

@@ -1,7 +1,7 @@
                      Summary:        High-performance HTTP server and reverse proxy
                      Name:           nginx
                      Version:        1.13.10
                     -Release:        1%{?dist}
                     +Release:        2%{?dist}
                      License:        BSD-2-Clause
                      URL:            http://nginx.org/download/nginx-%{version}.tar.gz
                      Group:          Applications/System
@@ -14,6 +14,7 @@ Source2:        nginx-njs-0.2.1.tar.gz
                      %define sha1    nginx-njs=fd8c3f2d219f175be958796e3beaa17f3b465126
                      Patch0:         nginx-CVE-2018-16843.patch
                      Patch1:         nginx-CVE-2018-16844.patch
                     +Patch2:		nginx-CVE-2018-16845.patch
                      BuildRequires:  openssl-devel
                      BuildRequires:  pcre-devel
                      BuildRequires:  which
@@ -24,6 +25,7 @@ NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as
                      %setup -q
                      %patch0 -p1
                      %patch1 -p1
                     +%patch2 -p1
                      pushd ../
                      mkdir nginx-njs
                      tar -C nginx-njs -xf %{SOURCE2}
@@ -77,6 +79,8 @@ install -p -m 0644 %{SOURCE1} %{buildroot}/usr/lib/systemd/system/nginx.service
                      %dir %{_var}/log/nginx
                      %changelog
                     +*   Fri Feb 15 2019 Siju Maliakkal <smaliakkal@vmware.com> 1.13.10-2
                     +-   Patch for CVE-2018-16845
                      *   Mon Jan 28 2019 Keerthana K <keerthanak@vmware.com> 1.13.10-1
                      -   Update to version 1.13.10
                      *   Thu Jan 17 2019 Keerthana K <keerthanak@vmware.com> 1.13.8-7