CVE-2022-38890 (https://github.com/nginx/njs/issues/569): Nginx NJS v0.7.7 was discovered to contain a segmentation violation via njs_utf8_next at src/njs_utf8.h

"Two security issues were identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash or worker process memory disclosure by using a specially crafted mp4 file, or might have potential other impact (CVE-2022-41741, CVE-2022-41742).

The issues only affect nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the "mp4" directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module."

Seems fixed in 1.22.1, 1.23.2.
(In reply to John Helmert III from comment #1)
> "Two security issues were identified in the ngx_http_mp4_module, which might
> allow an attacker to cause a worker process crash or worker process memory
> disclosure by using a specially crafted mp4 file, or might have potential
> other impact (CVE-2022-41741, CVE-2022-41742).
>
> The issues only affect nginx if it is built with the ngx_http_mp4_module
> (the module is not built by default) and the "mp4" directive is used in
> the configuration file. Further, the attack is only possible if an
> attacker is able to trigger processing of a specially crafted mp4 file
> with the ngx_http_mp4_module."
>
> Seems fixed in 1.22.1, 1.23.2.

Upstream advisory: https://mailman.nginx.org/archives/list/nginx-announce@nginx.org/thread/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA/
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5297ee7000326d641b28980b4e1a7018e1658470

commit 5297ee7000326d641b28980b4e1a7018e1658470
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-10-19 14:40:44 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-10-19 14:43:05 +0000

    www-servers/nginx: add 1.23.2

    Includes also CVE-2022-38890 fix for NJS-0.7.7.

    Bug: https://bugs.gentoo.org/870409
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest                         |    1 +
 .../files/http_javascript_cve_2022-38890.patch     |   49 +
 www-servers/nginx/nginx-1.23.2.ebuild              | 1049 ++++++++++++++++++++
 3 files changed, 1099 insertions(+)
Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da925421e26e4a8fb26bc9f23f6b7aedfb1f85ed

commit da925421e26e4a8fb26bc9f23f6b7aedfb1f85ed
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-10-19 21:41:24 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-10-19 21:41:37 +0000

    www-servers/nginx: drop 1.23.1-r1

    Bug: https://bugs.gentoo.org/870409
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest               |    1 -
 www-servers/nginx/nginx-1.23.1-r1.ebuild | 1049 ------------------------------
 2 files changed, 1050 deletions(-)
Thank you! ngx is a non-default module and impact is only DoS anyway. No GLSA, all done!
CVE-2022-43286 (https://github.com/nginx/njs/issues/480): Nginx NJS v0.7.2 was discovered to contain a heap-use-after-free bug caused by illegal memory copy in the function njs_json_parse_iterator_call at njs_json.c.

Patch in 0.7.4: https://github.com/nginx/njs/commit/2ad0ea24a58d570634e09c2e58c3b314505eaa6a

CVE-2022-43284 (https://github.com/nginx/njs/issues/470): Nginx NJS v0.7.2 to v0.7.4 was discovered to contain a segmentation violation via njs_scope_valid_value at njs_scope.h.

Patch in 0.7.5: https://github.com/nginx/njs/commit/04f59f9defeeb618260e620bb11466741c0e41e5