pkgsrc-Changes archive


CVS commit: pkgsrc/www/nginx



Module Name:    pkgsrc
Committed By:   osa
Date:           Sat Aug 16 15:52:43 UTC 2025

Modified Files:
        pkgsrc/www/nginx: Makefile distinfo
Added Files:
        pkgsrc/www/nginx/patches: patch-src_mail_ngx__mail__handler.c

Log Message:
www/nginx: fix the CVE-2025-53859 security issue

Security: processing of a specially crafted login/password when using
the "none" authentication method in the ngx_mail_smtp_module might
cause worker process memory disclosure to the authentication server
(CVE-2025-53859).

Obtained from:  https://nginx.org/download/patch.2025.smtp.txt

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.179 -r1.180 pkgsrc/www/nginx/Makefile
cvs rdiff -u -r1.135 -r1.136 pkgsrc/www/nginx/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/www/nginx/patches/patch-src_mail_ngx__mail__handler.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/nginx/Makefile
diff -u pkgsrc/www/nginx/Makefile:1.179 pkgsrc/www/nginx/Makefile:1.180
--- pkgsrc/www/nginx/Makefile:1.179     Thu Jul 10 20:54:15 2025
+++ pkgsrc/www/nginx/Makefile   Sat Aug 16 15:52:43 2025
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.179 2025/07/10 20:54:15 osa Exp $
+# $NetBSD: Makefile,v 1.180 2025/08/16 15:52:43 osa Exp $
 
 DISTNAME=      nginx-1.28.0
-PKGREVISION=   4
+PKGREVISION=   5
 CATEGORIES=    www
 MASTER_SITES=  https://nginx.org/download/
 DISTFILES=     ${DEFAULT_DISTFILES}

Index: pkgsrc/www/nginx/distinfo
diff -u pkgsrc/www/nginx/distinfo:1.135 pkgsrc/www/nginx/distinfo:1.136
--- pkgsrc/www/nginx/distinfo:1.135     Thu Jul 10 20:54:15 2025
+++ pkgsrc/www/nginx/distinfo   Sat Aug 16 15:52:43 2025
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.135 2025/07/10 20:54:15 osa Exp $
+$NetBSD: distinfo,v 1.136 2025/08/16 15:52:43 osa Exp $
 
 BLAKE2s (1ac658f44afc9240f13e9d6c1c9d5a7816299e8e.patch) = 6c3880dc781886fb1f4190fa9b8f1459246cc5d157aaed3b9a24cc7abaf7c5a1
 SHA512 (1ac658f44afc9240f13e9d6c1c9d5a7816299e8e.patch) = b780bea19736f5db844f11b0b407c159cc6ba7326b50177cefde6f8ee875238d3618e50d29b132a66fe98103cb5656f33895e5989d98d4cdc26cfeaa7f12865f
@@ -69,3 +69,4 @@ Size (vozlt-nginx-module-vts-b6f6528_GH.
 SHA1 (patch-auto_cc_conf) = 5e6a479ba419cd16dedeb3b4c47dc685d126ef6a
 SHA1 (patch-auto_install) = 3b3a0f9f4c005b707664554fa57a58c9e3b7de60
 SHA1 (patch-conf_nginx.conf) = d2ca1954e9682b9d0007cc02e5841e3986ecf5c1
+SHA1 (patch-src_mail_ngx__mail__handler.c) = 701c274ad5405484bb07ab5996d0f2afd1b8773a

Added files:

Index: pkgsrc/www/nginx/patches/patch-src_mail_ngx__mail__handler.c
diff -u /dev/null pkgsrc/www/nginx/patches/patch-src_mail_ngx__mail__handler.c:1.1
--- /dev/null   Sat Aug 16 15:52:43 2025
+++ pkgsrc/www/nginx/patches/patch-src_mail_ngx__mail__handler.c        Sat Aug 16 15:52:43 2025
@@ -0,0 +1,134 @@
+$NetBSD: patch-src_mail_ngx__mail__handler.c,v 1.1 2025/08/16 15:52:43 osa Exp $
+
+Security: processing of a specially crafted login/password when using
+the "none" authentication method in the ngx_mail_smtp_module might
+cause worker process memory disclosure to the authentication server
+(CVE-2025-53859).
+
+Obtained from: https://nginx.org/download/patch.2025.smtp.txt
+
+--- src/mail/ngx_mail_handler.c.orig   2025-04-23 11:48:54.000000000 +0000
++++ src/mail/ngx_mail_handler.c
+@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_
+ ngx_int_t
+ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n)
+ {
+-    u_char     *p, *last;
++    u_char     *p, *pos, *last;
+     ngx_str_t  *arg, plain;
+ 
+     arg = s->args.elts;
+@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    s->login.data = p;
++    pos = p;
+ 
+     while (p < last && *p) { p++; }
+ 
+@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    s->login.len = p++ - s->login.data;
++    s->login.len = p++ - pos;
++    s->login.data = pos;
+ 
+     s->passwd.len = last - p;
+     s->passwd.data = p;
+@@ -583,24 +584,26 @@ ngx_int_t
+ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c,
+     ngx_uint_t n)
+ {
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, login;
+ 
+     arg = s->args.elts;
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &arg[n]);
+ 
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
+-    if (s->login.data == NULL) {
++    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len));
++    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+ 
+-    if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) {
++    if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
++    s->login = login;
++
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login username: \"%V\"", &s->login);
+ 
+@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_se
+ ngx_int_t
+ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, passwd;
+ 
+     arg = s->args.elts;
+ 
+@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_se
+                    "mail auth login password: \"%V\"", &arg[0]);
+ #endif
+ 
+-    s->passwd.data = ngx_pnalloc(c->pool,
+-                                 ngx_base64_decoded_length(arg[0].len));
+-    if (s->passwd.data == NULL) {
++    passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++    if (passwd.data == NULL) {
+         return NGX_ERROR;
+     }
+ 
+-    if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) {
++    if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH LOGIN command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
++    s->passwd = passwd;
++
+ #if (NGX_DEBUG_MAIL_PASSWD)
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth login password: \"%V\"", &s->passwd);
+@@ -674,24 +678,26 @@ ngx_int_t
+ ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c)
+ {
+     u_char     *p, *last;
+-    ngx_str_t  *arg;
++    ngx_str_t  *arg, login;
+ 
+     arg = s->args.elts;
+ 
+     ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0,
+                    "mail auth cram-md5: \"%V\"", &arg[0]);
+ 
+-    s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
+-    if (s->login.data == NULL) {
++    login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len));
++    if (login.data == NULL) {
+         return NGX_ERROR;
+     }
+ 
+-    if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) {
++    if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) {
+         ngx_log_error(NGX_LOG_INFO, c->log, 0,
+             "client sent invalid base64 encoding in AUTH CRAM-MD5 command");
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
++    s->login = login;
++
+     p = s->login.data;
+     last = p + s->login.len;
+ 
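Review bot: In ngx_mail_auth_cram_md5 the new `s->login = login;` is committed before the scan that starts at `p = s->login.data;`, whereas ngx_mail_auth_plain in the same patch defers both session writes until parsing has finished. The rest of the function lies outside the hunk, so this cannot be confirmed here, but if a rejection path follows that scan, the session would keep the login decoded from a refused command; data and len stay consistent, so this would be a stale-value concern rather than the disclosure itself. Consider scanning the local instead, `p = login.data;` and `last = p + login.len;`, and assigning `s->login` only once the command is accepted. A short comment such as `/* commit to the session only after the argument is fully validated */` above each `s->login = ...` and `s->passwd = ...` assignment would help keep the invariant from regressing.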


