Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: [email protected] Control: affects -1 + src:nginx User: [email protected] Usertags: pu
[ Reason ] A security issue was identified in ngx_mail_smtp_module, which might allow an attacker to cause buffer over-read, potentially resulting in sensitive information leak in a HTTP request to the authentication server (CVE-2025-53859). [ Impact ] The issue happens during the SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data [ Tests ] I have tested nginx package after aplying the patch, that everything works as before. - I ran all automated tests - I tested the functionality using telnet [ Risks ] The patch is trivial. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] I just added the official patch released by the upstream team. [ Other info ] The patch is applied to a part that has not been modified for a long time. So the fix is the same for sid/forky/trixie/bookworm nginx releases. diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog --- nginx-1.22.1/debian/changelog 2025-03-12 17:55:08.000000000 +0000 +++ nginx-1.22.1/debian/changelog 2025-08-29 14:26:01.000000000 +0000 @@ -1,3 +1,10 @@ +nginx (1.22.1-9+deb12u3) bookworm; urgency=medium + + * d/p/CVE-2025-53859.patch add, fix potential information leak + in ngx_mail_smtp_module (CVE-2025-53859). + + -- Jan Mojžíš <[email protected]> Fri, 29 Aug 2025 16:26:01 +0200 + nginx (1.22.1-9+deb12u2) bookworm; urgency=medium * Non-maintainer upload by the LTS Team. diff -Nru nginx-1.22.1/debian/patches/CVE-2025-53859.patch nginx-1.22.1/debian/patches/CVE-2025-53859.patch --- nginx-1.22.1/debian/patches/CVE-2025-53859.patch 1970-01-01 00:00:00.000000000 +0000 +++ nginx-1.22.1/debian/patches/CVE-2025-53859.patch 2025-08-29 14:26:01.000000000 +0000 @@ -0,0 +1,132 @@ +Description: CVE-2025-53859 +Origin: https://nginx.org/download/patch.2025.smtp.txt +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111138 +Forwarded: not-needed + +diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c +index 1167df3fb..d3be7f3b3 100644 +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c) + ngx_int_t + ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + { +- u_char *p, *last; ++ u_char *p, *pos, *last; + ngx_str_t *arg, plain; + + arg = s->args.elts; +@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.data = p; ++ pos = p; + + while (p < last && *p) { p++; } + +@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.len = p++ - s->login.data; ++ s->login.len = p++ - pos; ++ s->login.data = pos; + + s->passwd.len = last - p; + s->passwd.data = p; +@@ -583,24 +584,26 @@ ngx_int_t + ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c, + ngx_uint_t n) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &arg[n]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->login = login; ++ + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &s->login); + +@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c, + ngx_int_t + ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, passwd; + + arg = s->args.elts; + +@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c) + "mail auth login password: \"%V\"", &arg[0]); + #endif + +- s->passwd.data = ngx_pnalloc(c->pool, +- ngx_base64_decoded_length(arg[0].len)); +- if (s->passwd.data == NULL) { ++ passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (passwd.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->passwd = passwd; ++ + #if (NGX_DEBUG_MAIL_PASSWD) + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login password: \"%V\"", &s->passwd); +@@ -674,24 +678,26 @@ ngx_int_t + ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c) + { + u_char *p, *last; +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth cram-md5: \"%V\"", &arg[0]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH CRAM-MD5 command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->login = login; ++ + p = s->login.data; + last = p + s->login.len; + diff -Nru nginx-1.22.1/debian/patches/series nginx-1.22.1/debian/patches/series --- nginx-1.22.1/debian/patches/series 2025-03-12 17:55:08.000000000 +0000 +++ nginx-1.22.1/debian/patches/series 2025-08-29 14:26:01.000000000 +0000 @@ -6,3 +6,4 @@ CVE-2025-23419.patch CVE-2024-7347-1.patch CVE-2024-7347-2.patch +CVE-2025-53859.patch
