From URL: "This release focuses on stabilization of recently released features including async/await and fixing bugs found by various fuzzers." Please update the njs bundled with nginx to 0.7.3.
*** Bug 838352 has been marked as a duplicate of this bug. ***
CVE-2022-27007 (https://github.com/nginx/njs/commit/ad48705bf1f04b4221a5f5b07715ac48b3160d53): nginx njs 0.7.2 suffers from a use-after-free in njs_function_frame_alloc() when it tries to invoke from a restored frame saved with njs_function_frame_save().
CVE-2022-27008 (https://github.com/nginx/njs/issues/471): nginx njs 0.7.2 is vulnerable to Buffer Overflow. Type confusion in Array.prototype.concat() when a slow array appended element is a fast array.
CVE-2022-28049 (https://github.com/nginx/njs/commit/f65981b0b8fcf02d69a40bc934803c25c9f607ab): https://github.com/nginx/njs/issues/473 NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference via the component njs_vmcode_array at /src/njs_vmcode.c.
CVE-2022-29369 (https://github.com/nginx/njs/commit/222d6fdcf0c6485ec8e175f3a7b70d650c234b4e): https://github.com/nginx/njs/issues/467 Nginx NJS v0.7.2 was discovered to contain a segmentation violation via njs_lvlhsh_bucket_find at njs_lvlhsh.c.
CVE-2022-30503 (https://github.com/nginx/njs/commit/5c6130a2a0b4c41ab415f6b8992aa323636338b9): https://github.com/nginx/njs/issues/478 Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_set_number at src/njs_value.h.
CVE-2022-29779 (https://github.com/nginx/njs/issues/485): https://github.com/nginx/njs/commit/2e00e95473861846aa8538be87db07699d9f676d Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_value_own_enumerate at src/njs_value.c.
CVE-2022-29780 (https://github.com/nginx/njs/issues/486): https://github.com/nginx/njs/commit/8b39afdad9a0761e0a5d4af1a762bd9a6daef572 Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_prototype_sort at src/njs_array.c.
Fixes in 0.7.4.
CVE-2022-31306 (https://github.com/nginx/njs/issues/481): Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_array_convert_to_slow_array at src/njs_array.c.
CVE-2022-31307 (https://github.com/nginx/njs/commit/eafe4c7a326b163612f10861392622b5da5b1792): Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_string_offset at src/njs_string.c.
CVE-2022-32414 (https://github.com/nginx/njs/issues/483): Nginx NJS v0.7.2 was discovered to contain a segmentation violation in the function njs_vmcode_interpreter at src/njs_vmcode.c.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fef9c212cc857654acea385e37a492e818e3d417
commit fef9c212cc857654acea385e37a492e818e3d417
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-11 13:37:11 +0000
Commit: Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-07-13 19:01:59 +0000
www-servers/nginx: bump to 1.23.0
Bug: https://bugs.gentoo.org/838247
Closes: https://bugs.gentoo.org/852953
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/26347
Signed-off-by: Conrad Kostecki <conikost@gentoo.org>
www-servers/nginx/Manifest | 6 +
.../files/http_headers_more-nginx-1.23.0.patch | 187 ++++
.../nginx/files/http_sticky-nginx-1.23.0.patch | 25 +
.../files/http_uploadprogress-nginx-1.23.0.patch | 74 ++
www-servers/nginx/nginx-1.23.0.ebuild | 1028 ++++++++++++++++++++
5 files changed, 1320 insertions(+)
Thanks hydrapolic! Please stable when ready.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=801dee7a6b58e92868a393bbf5a7c2720cdedf12
commit 801dee7a6b58e92868a393bbf5a7c2720cdedf12
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-14 09:07:21 +0000
Commit: Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-07-14 19:01:20 +0000
www-servers/nginx: update vulnerable njs
Bug: https://bugs.gentoo.org/838247
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/26398
Signed-off-by: Conrad Kostecki <conikost@gentoo.org>
www-servers/nginx/nginx-1.21.6-r3.ebuild | 1078 ++++++++++++++++++++++++++++++
1 file changed, 1078 insertions(+)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=effe6d2a83edc3cdd5a5d772145fe5f2d8f5d67c
commit effe6d2a83edc3cdd5a5d772145fe5f2d8f5d67c
Author: Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-07-20 04:32:29 +0000
Commit: Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-07-20 07:38:48 +0000
www-servers/nginx: drop vulnerable
Bug: https://bugs.gentoo.org/838247
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/26491
Signed-off-by: Conrad Kostecki <conikost@gentoo.org>
www-servers/nginx/Manifest | 1 -
www-servers/nginx/nginx-1.21.6-r2.ebuild | 1078 ------------------------------
2 files changed, 1079 deletions(-)
Thanks! These don't seem exploitable, so no GLSA. All done!