From 1bd93549cce00a5813c14132ac8818b056f2a6e3 Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Mon, 18 Aug 2025 05:50:10 +0000
Subject: [PATCH] fix CVE-2025-53859

(cherry picked from commit d877fffa3994f6ac35788f1a0eb92932a3dc0ada)
---
 ...to-the-error-log-with-smtp_auth-none.patch | 34 +++++
 ...auth-credentials-with-smtp_auth-none.patch | 46 ++++++
 backport-CVE-2025-53859.patch | 139 ++++++++++++++++++
 nginx.spec | 8 +-
 4 files changed, 226 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-53859-after-Mail-logging-upstream-to-the-error-log-with-smtp_auth-none.patch
 create mode 100644 backport-CVE-2025-53859-after-Mail-reset-stale-auth-credentials-with-smtp_auth-none.patch
 create mode 100644 backport-CVE-2025-53859.patch

diff --git a/backport-CVE-2025-53859-after-Mail-logging-upstream-to-the-error-log-with-smtp_auth-none.patch b/backport-CVE-2025-53859-after-Mail-logging-upstream-to-the-error-log-with-smtp_auth-none.patch
new file mode 100644
index 0000000..e9beca9
--- /dev/null
+++ b/backport-CVE-2025-53859-after-Mail-logging-upstream-to-the-error-log-with-smtp_auth-none.patch
@@ -0,0 +1,34 @@
+From 239e10793adb1e32847095ba6c1d14249bf19a5c Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov
+Date: Mon, 21 Jul 2025 17:44:28 +0400
+Subject: [PATCH] Mail: logging upstream to the error log with "smtp_auth
+ none;".
+
+Previously, it was never logged because of missing login.
+---
+ src/mail/ngx_mail_handler.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
+index d3be7f3b3b..a88e6c2873 100644
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -1006,14 +1006,12 @@ ngx_mail_log_error(ngx_log_t *log, u_char *buf, size_t len)
+ len -= p - buf;
+ buf = p;
+ 
+- if (s->login.len == 0) {
+- return p;
++ if (s->login.len) {
++ p = ngx_snprintf(buf, len, ", login: \"%V\"", &s->login);
++ len -= p - buf;
++ buf = p;
+ }
+ 
+- p = ngx_snprintf(buf, len, ", login: \"%V\"", &s->login);
+- len -= p - buf;
+- buf = p;
+-
+ if (s->proxy == NULL) {
+ return p;
+ }
diff --git a/backport-CVE-2025-53859-after-Mail-reset-stale-auth-credentials-with-smtp_auth-none.patch b/backport-CVE-2025-53859-after-Mail-reset-stale-auth-credentials-with-smtp_auth-none.patch
new file mode 100644
index 0000000..feecb7b
--- /dev/null
+++ b/backport-CVE-2025-53859-after-Mail-reset-stale-auth-credentials-with-smtp_auth-none.patch
@@ -0,0 +1,46 @@
+From 9c02c84a7443f3d736a1a5eb3f596de9af8a0c9c Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov
+Date: Mon, 7 Jul 2025 23:48:44 +0400
+Subject: [PATCH] Mail: reset stale auth credentials with "smtp_auth none;".
+
+They might be reused in a session if an SMTP client proceeded
+unauthenticated after previous invalid authentication attempts.
+This could confuse an authentication server when passing stale
+credentials along with "Auth-Method: none".
+
+The condition to send the "Auth-Salt" header is similarly refined.
+---
+ src/mail/ngx_mail_auth_http_module.c | 5 ++++-
+ src/mail/ngx_mail_smtp_handler.c | 3 +++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
+index 27f64b92e0d..4ca6d6e24dc 100644
+--- a/src/mail/ngx_mail_auth_http_module.c
++++ b/src/mail/ngx_mail_auth_http_module.c
+@@ -1321,7 +1321,10 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool,
+ b->last = ngx_copy(b->last, passwd.data, passwd.len);
+ *b->last++ = CR; *b->last++ = LF;
+ 
+- if (s->auth_method != NGX_MAIL_AUTH_PLAIN && s->salt.len) {
++ if ((s->auth_method == NGX_MAIL_AUTH_APOP
++ || s->auth_method == NGX_MAIL_AUTH_CRAM_MD5)
++ && s->salt.len)
++ {
+ b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1);
+ b->last = ngx_copy(b->last, s->salt.data, s->salt.len);
+ 
+diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
+index e68ceedfdb5..1e26c2c8d7b 100644
+--- a/src/mail/ngx_mail_smtp_handler.c
++++ b/src/mail/ngx_mail_smtp_handler.c
+@@ -782,6 +782,9 @@ ngx_mail_smtp_mail(ngx_mail_session_t *s, ngx_connection_t *c)
+ 
+ ngx_str_set(&s->out, smtp_ok);
+ 
++ ngx_str_null(&s->login);
++ ngx_str_null(&s->passwd);
++
+ return NGX_OK;
+ }
+ 
diff --git a/backport-CVE-2025-53859.patch b/backport-CVE-2025-53859.patch
new file mode 100644
index 0000000..95f1ae5
--- /dev/null
+++ b/backport-CVE-2025-53859.patch
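Review bot: The two `ngx_str_null` calls added at the tail of `ngx_mail_smtp_mail` carry no comment, so the only record of why credentials are dropped on the MAIL FROM path is the commit message; I would put `/* drop login/passwd left by a failed AUTH so they are not forwarded with "Auth-Method: none" */` directly above them. The companion change in `ngx_mail_auth_http_create_request` now names APOP and CRAM-MD5 explicitly instead of "anything but PLAIN", which is the right shape, but a one-liner such as `/* a salt only exists for the challenge-based methods */` would tie the two hunks together for the next reader. Note that `s->salt` itself is not cleared here; the refined condition stops it from being sent as Auth-Salt under "none", but whether any other consumer reads a stale salt is not visible from this hunk. Both `ngx_mail_auth_http_create_request` and `ngx_mail_smtp_mail` start before their respective hunks.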
@@ -0,0 +1,139 @@
+From 765642b86e0df1b5ef37f42522be7d08d95909c9 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov
+Date: Tue, 12 Aug 2025 15:55:02 +0400
+Subject: [PATCH] Mail: improved error handling in plain/login/cram-md5 auth
+ methods.
+
+Previously, login and password storage could be left in inconsistent
+state in a session after decoding errors.
+---
+ src/mail/ngx_mail_handler.c | 38 +++++++++++++++++++++----------------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
+index 1167df3fb37..d3be7f3b3b7 100644
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c)
+ ngx_int_t
+ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+ {
+- u_char *p, *last;
++ u_char *p, *pos, *last;
+ ngx_str_t *arg, plain;
+ 
+ arg = s->args.elts;
+@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+ 
+- s->login.data = p;
++ pos = p;
+ 
+ while (p < last && *p) { p++; }
+ 
+@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+ 
+- s->login.len = p++ - s->login.data;
++ s->login.len = p++ - pos;
++ s->login.data = pos;
+ 
+ s->passwd.len = last - p;
+ s->passwd.data = p;
+@@ -583,24 +584,26 @@ ngx_int_t
+ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+ ngx_uint_t n)
+ {
+- ngx_str_t *arg;
++ ngx_str_t *arg, login;
+ 
+ arg = s->args.elts;
+ 
+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+ "mail auth login username: \"%V\"", &arg[n]);
+ 
+- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+- if (s->login.data == NULL) {
++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
++ if (login.data == NULL) {
+ return NGX_ERROR;
+ }
+ 
+- if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
++ if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent invalid base64 encoding in AUTH LOGIN command");
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+ 
++ s->login = login;
++
+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+ "mail auth login username: \"%V\"", &s->login);
+ 
+@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+ ngx_int_t
+ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+- ngx_str_t *arg;
++ ngx_str_t *arg, passwd;
+ 
+ arg = s->args.elts;
+ 
+@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+ "mail auth login password: \"%V\"", &arg[0]);
+ #endif
+ 
+- s->passwd.data = ngx_pnalloc(c->pool,
+- ngx_base64_decoded_length(arg[0].len));
+- if (s->passwd.data == NULL) {
++ passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++ if (passwd.data == NULL) {
+ return NGX_ERROR;
+ }
+ 
+- if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
++ if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent invalid base64 encoding in AUTH LOGIN command");
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+ 
++ s->passwd = passwd;
++
+ #if (NGX_DEBUG_MAIL_PASSWD)
+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+ "mail auth login password: \"%V\"", &s->passwd);
+@@ -674,24 +678,26 @@ ngx_int_t
+ ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+ u_char *p, *last;
+- ngx_str_t *arg;
++ ngx_str_t *arg, login;
+ 
+ arg = s->args.elts;
+ 
+ ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+ "mail auth cram-md5: \"%V\"", &arg[0]);
+ 
+- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
+- if (s->login.data == NULL) {
++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++ if (login.data == NULL) {
+ return NGX_ERROR;
+ }
+ 
+- if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
++ if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent invalid base64 encoding in AUTH CRAM-MD5 command");
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+ 
++ s->login = login;
++
+ p = s->login.data;
+ last = p + s->login.len;
+ 
diff --git a/nginx.spec b/nginx.spec
index 3c89ab3..ea89e0a 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -17,7 +17,7 @@
 Name: nginx
 Epoch: 1
 Version: 1.21.5
-Release: 9
+Release: 10
 Summary: A HTTP server, reverse proxy and mail proxy server
 License: BSD
 URL: http://nginx.org/
@@ -46,6 +46,9 @@ Patch5: backport-CVE-2024-7347.patch
 Patch6: backport-CVE-2025-23419.patch
 Patch7: backport-Fixed-segfault-if-regex-studies-list-allocation-fails.patch
 Patch8: backport-Core-fixed-memory-leak-on-configuration-reload-with-PCRE2.patch
+Patch9: backport-CVE-2025-53859.patch
+Patch10: backport-CVE-2025-53859-after-Mail-reset-stale-auth-credentials-with-smtp_auth-none.patch
+Patch11: backport-CVE-2025-53859-after-Mail-logging-upstream-to-the-error-log-with-smtp_auth-none.patch
 
 BuildRequires: gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel
 Requires: nginx-filesystem = %{epoch}:%{version}-%{release} openssl
@@ -394,6 +397,9 @@ fi
 %{_mandir}/man8/nginx.8*
 
 %changelog
+* Mon Aug 18 2025 gaihuiying - 1:1.21.5-10
+- fix CVE-2025-53859
+
 * Wed Apr 02 2025 gaihuiying - 1:1.21.5-9
 - backport upstreams to fix memory leak and possible segfault
 
-- 
Gitee
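Review bot: In `ngx_mail_auth_cram_md5` the new `s->login = login;` is committed to the session before `p = s->login.data; last = p + s->login.len;`, i.e. before the decoded blob is split into user and digest, and that split with its own error return lies past the end of the hunk; if it rejects the input (no separator, wrong digest length), `s->login` already holds the undelimited blob while `s->passwd` keeps whatever a previous attempt left, which is the same inconsistent-state class this patch closes for PLAIN and LOGIN. If the scan is as upstream has it, the safer shape is to walk the local `login` first and assign `s->login` and `s->passwd` together only once the separator is found; I can't quote the exact lines since that code is outside the hunk. The PLAIN and LOGIN paths look right, nothing reaches the session until decoding succeeds, and a short comment on each `s->login = login;` / `s->passwd = passwd;` line such as `/* commit only after a successful decode so a failed attempt leaves no stale state behind */` would record the invariant the CVE fix depends on. `ngx_mail_auth_cram_md5` continues past the hunk.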