Skip to content

Commit b92d939

Browse files
[AutoPR- Security] Patch nginx for CVE-2026-48142 [MEDIUM] (microsoft#17833)
Co-authored-by: SumitJenaHCL <v-sumitjena@microsoft.com>
1 parent 91164d5 commit b92d939

2 files changed

Lines changed: 45 additions & 1 deletion

File tree

SPECS/nginx/CVE-2026-48142.patch

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
From 0482091e8a6b53ba14b4b8cae855063762aadbbc Mon Sep 17 00:00:00 2001
2+
From: Sergey Kandaurov <pluknet@nginx.com>
3+
Date: Mon, 1 Jun 2026 21:46:48 +0400
4+
Subject: [PATCH] Charset: fixed another rare buffer overread in
5+
recode_from_utf8()
6+
7+
With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte
8+
overread on invalid UTF-8 sequences. The reason is ngx_utf8_decode()
9+
stops advancing the pointer position on the first encountered invalid
10+
byte. The fix is to adjust the advanced pointer up to the whole saved
11+
sequence in this case. Note that this may result in different output
12+
compared to complete invalid UTF-8 sequences, which we can disregard
13+
at this point.
14+
15+
Reported by Han Yan of Xiaomi and p4p3r of CYBERONE.
16+
17+
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
18+
Upstream-reference: https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7.patch
19+
---
20+
src/http/modules/ngx_http_charset_filter_module.c | 4 ++++
21+
1 file changed, 4 insertions(+)
22+
23+
diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
24+
index edb2db5..e0115e1 100644
25+
--- a/src/http/modules/ngx_http_charset_filter_module.c
26+
+++ b/src/http/modules/ngx_http_charset_filter_module.c
27+
@@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
28+
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0,
29+
"http charset invalid utf 1");
30+
31+
+ if (saved < &ctx->saved[ctx->saved_len]) {
32+
+ saved = &ctx->saved[ctx->saved_len];
33+
+ }
34+
+
35+
} else {
36+
dst = ngx_sprintf(dst, "&#%uD;", n);
37+
}
38+
--
39+
2.45.4
40+

SPECS/nginx/nginx.spec

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ Name: nginx
66
# Currently on "stable" version of nginx from https://nginx.org/en/download.html.
77
# Note: Stable versions are even (1.20), mainline versions are odd (1.21)
88
Version: 1.28.3
9-
Release: 5%{?dist}
9+
Release: 6%{?dist}
1010
License: BSD-2-Clause
1111
Vendor: Microsoft Corporation
1212
Distribution: Azure Linux
@@ -32,6 +32,7 @@ Patch9: CVE-2026-42945.patch
3232
Patch10: CVE-2026-42946.patch
3333
Patch11: CVE-2026-9256.patch
3434
Patch12: CVE-2026-49975.patch
35+
Patch13: CVE-2026-48142.patch
3536

3637
# njs patches start at 1001 to keep them separate from nginx patches
3738
Patch1001: CVE-2026-8711.patch
@@ -184,6 +185,9 @@ rm -rf nginx-tests
184185
%dir %{_sysconfdir}/%{name}
185186

186187
%changelog
188+
* Sat Jun 27 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.28.3-6
189+
- Patch for CVE-2026-48142
190+
187191
* Fri Jun 05 2026 Akhila Guruju <v-guakhila@microsoft.com> - 1.28.3-5
188192
- Patch for CVE-2026-49975
189193

0 commit comments

Comments
 (0)