From: "Sergey A. Osokin" <osa@freebsd.org>
Subject: Re: [PATCH] fix CVE-2025-53859 for www/nginx
To: Rafael Sadowski <rafael@sizeofvoid.org>
Cc: ports@openbsd.org, Robert Nagy <robert@openbsd.org>
Date: Sun, 17 Aug 2025 15:52:25 +0000

Hi Rafael,

On Sun, Aug 17, 2025 at 03:33:29PM +0000, Sergey A. Osokin wrote:
> On Sun, Aug 17, 2025 at 04:23:14PM +0200, Rafael Sadowski wrote:
> > On Sat Aug 16, 2025 at 04:48:08PM +0000, Sergey A. Osokin wrote:
> > > 
> > > here's the update for the www/nginx port, it fixes the
> > > CVE-2025-53859 security issue with the product.
> > 
> > Could we have patch under patches like we do in all other ports?
> 
> Sure, let's me do that.
> Thank you for the initial review.

The updated patch is attached to the email.
Thank you.

-- 
Sergey A. Osokin
Index: Makefile
===================================================================
RCS file: /cvs/ports/www/nginx/Makefile,v
diff -u -p -r1.193 Makefile
--- Makefile	24 Jul 2025 23:20:36 -0000	1.193
+++ Makefile	17 Aug 2025 15:48:42 -0000
@@ -21,9 +21,9 @@ COMMENT-stream=		nginx TCP/UDP proxy mod
 COMMENT-xslt=		nginx XSLT filter module
 
 VERSION=	1.28.0
-REVISION=	1
-REVISION-njs=		2
-REVISION-passenger=	2
+REVISION=	2
+REVISION-njs=		3
+REVISION-passenger=	3
 DISTNAME=	nginx-${VERSION}
 CATEGORIES=	www
 
Index: patches/patch-src_mail_ngx_mail_handler_c
===================================================================
RCS file: patches/patch-src_mail_ngx_mail_handler_c
diff -N patches/patch-src_mail_ngx_mail_handler_c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_mail_ngx_mail_handler_c	17 Aug 2025 15:48:43 -0000
@@ -0,0 +1,125 @@
+Index: src/mail/ngx_mail_handler.c
+--- src/mail/ngx_mail_handler.c.orig
++++ src/mail/ngx_mail_handler.c
+@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_conn
+ ngx_int_t
+ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+ {
+-    u_char     *p, *last;
++    u_char     *p, *pos, *last;
+     ngx_str_t  *arg, plain;
+ 
+     arg = s->args.elts;
+@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connect
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    s->login.data = p;
++    pos = p;
+ 
+     while (p < last && *p) { p++; }
+ 
+@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connect
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    s->login.len = p++ - s->login.data;
++    s->login.len = p++ - pos;
++    s->login.data = pos;
+ 
+     s->passwd.len = last - p;
+     s->passwd.data = p;
+@@ -583,24 +584,26 @@ ngx_int_t
+ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+     ngx_uint_t n)
+ {
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, login;
+ 
+     arg = s->args.elts;
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &arg[n]);
+ 
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+-    if (s->login.data == NULL) {
++    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
++    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+ 
+-    if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
++    if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
++    s->login = login;
++
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &s->login);
+ 
+@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ng
+ ngx_int_t
+ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, passwd;
+ 
+     arg = s->args.elts;
+ 
+@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ng
+                    "mail auth login password: \"%V\"", &arg[0]);
+ #endif
+ 
+-    s->passwd.data = ngx_pnalloc(c->pool,
+-                                 ngx_base64_decoded_length(arg[0].len));
+-    if (s->passwd.data == NULL) {
++    passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++    if (passwd.data == NULL) {
+         return NGX_ERROR;
+     }
+ 
+-    if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
++    if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
++    s->passwd = passwd;
++
+ #if (NGX_DEBUG_MAIL_PASSWD)
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login password: \"%V\"", &s->passwd);
+@@ -674,23 +678,25 @@ ngx_int_t
+ ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+     u_char     *p, *last;
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, login;
+ 
+     arg = s->args.elts;
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth cram-md5: \"%V\"", &arg[0]);
+ 
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
+-    if (s->login.data == NULL) {
++    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+ 
+-    if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
++    if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH CRAM-MD5 command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
++
++    s->login = login;
+ 
+     p = s->login.data;
+     last = p + s->login.len;