Mailing List Archive | ports@openbsd.org

Hi Rafael, On Sun, Aug 17, 2025 at 03:33:29PM +0000, Sergey A. Osokin wrote: > On Sun, Aug 17, 2025 at 04:23:14PM +0200, Rafael Sadowski wrote: > > On Sat Aug 16, 2025 at 04:48:08PM +0000, Sergey A. Osokin wrote: > > > > > > here's the update for the www/nginx port, it fixes the > > > CVE-2025-53859 security issue with the product. > > > > Could we have patch under patches like we do in all other ports? > > Sure, let's me do that. > Thank you for the initial review. The updated patch is attached to the email. Thank you. -- Sergey A. Osokin Index: Makefile =================================================================== RCS file: /cvs/ports/www/nginx/Makefile,v diff -u -p -r1.193 Makefile --- Makefile 24 Jul 2025 23:20:36 -0000 1.193 +++ Makefile 17 Aug 2025 15:48:42 -0000 @@ -21,9 +21,9 @@ COMMENT-stream= nginx TCP/UDP proxy mod COMMENT-xslt= nginx XSLT filter module VERSION= 1.28.0 -REVISION= 1 -REVISION-njs= 2 -REVISION-passenger= 2 +REVISION= 2 +REVISION-njs= 3 +REVISION-passenger= 3 DISTNAME= nginx-${VERSION} CATEGORIES= www Index: patches/patch-src_mail_ngx_mail_handler_c =================================================================== RCS file: patches/patch-src_mail_ngx_mail_handler_c diff -N patches/patch-src_mail_ngx_mail_handler_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_mail_ngx_mail_handler_c 17 Aug 2025 15:48:43 -0000 @@ -0,0 +1,125 @@ +Index: src/mail/ngx_mail_handler.c +--- src/mail/ngx_mail_handler.c.orig ++++ src/mail/ngx_mail_handler.c +@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_conn + ngx_int_t + ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + { +- u_char *p, *last; ++ u_char *p, *pos, *last; + ngx_str_t *arg, plain; + + arg = s->args.elts; +@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connect + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.data = p; ++ pos = p; + + while (p < last && *p) { p++; } + +@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connect + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.len = p++ - s->login.data; ++ s->login.len = p++ - pos; ++ s->login.data = pos; + + s->passwd.len = last - p; + s->passwd.data = p; +@@ -583,24 +584,26 @@ ngx_int_t + ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c, + ngx_uint_t n) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &arg[n]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->login = login; ++ + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &s->login); + +@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ng + ngx_int_t + ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, passwd; + + arg = s->args.elts; + +@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ng + "mail auth login password: \"%V\"", &arg[0]); + #endif + +- s->passwd.data = ngx_pnalloc(c->pool, +- ngx_base64_decoded_length(arg[0].len)); +- if (s->passwd.data == NULL) { ++ passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (passwd.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->passwd = passwd; ++ + #if (NGX_DEBUG_MAIL_PASSWD) + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login password: \"%V\"", &s->passwd); +@@ -674,23 +678,25 @@ ngx_int_t + ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c) + { + u_char *p, *last; +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth cram-md5: \"%V\"", &arg[0]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH CRAM-MD5 command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } ++ ++ s->login = login; + + p = s->login.data; + last = p + s->login.len;

2025-08-17 14:23 Rafael Sadowski:
[PATCH] fix CVE-2025-53859 for www/nginx
- 2025-08-17 15:33 Sergey A. Osokin:
  [PATCH] fix CVE-2025-53859 for www/nginx
- - 2025-08-17 15:52 Sergey A. Osokin:
    [PATCH] fix CVE-2025-53859 for www/nginx
  - - 2025-08-17 19:10 Rafael Sadowski:
      [PATCH] fix CVE-2025-53859 for www/nginx
    - - 2025-08-17 19:13 Kirill A. Korinsky:
        [PATCH] fix CVE-2025-53859 for www/nginx