Public bug reported:
● Background command "Check nginx version and auth_pam module" completed
(exit code 0)
I've got a definitive diagnosis. Here's what's happening.
Root cause
The nginx core was security-patched today, twice: 1.24.0-2ubuntu7.8 →
7.9 → 7.10 (from /var/log/apt/history.log). Those updates rebuilt only
the packages that live in main: nginx, nginx-common, nginx-full,
libnginx-mod-stream.
The third-party module libnginx-mod-http-auth-pam lives in universe and
was not rebuilt — its .so is still the April 2024 build
(1:1.5.5-2build2), and apt offers no newer version (Candidate ==
Installed).
I pulled the faulting address out of the core dump
(/var/crash/_usr_sbin_nginx.33.crash, 07:07 today). The crashing
instruction pointer lands inside the .text of
ngx_http_auth_pam_module.so:
    182e: mov    0x190(%rdi),%rdx        ; read len field at struct off 0x190
    1846: mov    0x198(%rdi),%rcx        ; read data ptr at struct off 0x198
    1861: movzbl (%rcx,%rsi,1),%eax      ; <-- SIGSEGV: deref garbage %rcx
    186c: cmp    $0x3a,%al               ; scanning the string for ':'
The module reads hardcoded offsets 0x190/0x198 (the headers_in.user
ngx_str_t in ngx_http_request_t). The security patch added/reordered a
struct member, so every downstream offset shifted. nginx's module
signature is coarse and still matched (so the .so loaded fine), but the
field offsets no longer do — so on any auth_pam-protected request
(/intranet/agents/, /helpdesk/, webmin, svn, etc.) the worker
dereferences a bad pointer and dies with signal 11. That's the storm of
worker process … exited on signal 11 (core dumped) in your error log.
Important: this affects every stale universe module, not just auth_pam —
echo, dav-ext, geoip2, subs-filter, upstream-fair are all the same
April-2024 vintage and carry the same ABI risk.
** Affects: libnginx-mod-http-auth-pam (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/2156066
Title:
segfault after 7.10 security patch
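
A toy C model of the failure mode the report describes, added here as an illustration and not taken from nginx or the auth_pam module: a module built against one struct layout keeps reading a field at its old offset after the core inserts a member, while a signature that only encodes type widths still matches. The struct definitions, signature macros and function names are hypothetical stand-ins, not nginx's real layout or signature scheme.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-ins (assumptions), NOT nginx's real definitions. */
typedef struct { size_t len; const char *data; } str_t;

/* Layout the module was compiled against. */
typedef struct { void *pool; str_t host; str_t user; } req_old_t;
/* Layout after a core update inserted one member ahead of `user`. */
typedef struct { void *pool; str_t host; void *added; str_t user; } req_new_t;

/* Coarse signature: pointer and size_t width only, nothing about field layout. */
#define COARSE_SIG(T) ((unsigned)(sizeof(void *) * 100 + sizeof(size_t)))
/* Layout-aware signature: folds in struct size and the offset the module reads. */
#define LAYOUT_SIG(T) ((unsigned)(sizeof(T) * 1000 + offsetof(T, user)))

static const unsigned module_coarse = COARSE_SIG(req_old_t);
static const unsigned module_layout = LAYOUT_SIG(req_old_t);

/* What the stale module does: read `user` at the offset baked in at build time. */
static str_t module_read_user(const void *r) {
    str_t u;
    memcpy(&u, (const char *)r + offsetof(req_old_t, user), sizeof u);
    return u;
}

/* Loader checks: 1 = module accepted, 0 = refused. */
static int coarse_check(void) { return module_coarse == COARSE_SIG(req_new_t); }
static int layout_check(void) { return module_layout == LAYOUT_SIG(req_new_t); }

/* 1 if the stale module sees the real `user` field of a new-layout request.
 * It does not: `added` is read as len and user.len is read as the data pointer. */
static int stale_read_is_correct(void) {
    req_new_t r = { NULL, {11, "example.org"}, NULL, {5, "alice"} };
    str_t u = module_read_user(&r);   /* never dereferenced here */
    return u.len == r.user.len && u.data == r.user.data;
}

int main(void) {
    printf("old offset %zu, new offset %zu\n",
           offsetof(req_old_t, user), offsetof(req_new_t, user));
    printf("coarse check accepts module: %d\n", coarse_check());
    printf("layout check accepts module: %d\n", layout_check());
    printf("stale read returns real field: %d\n", stale_read_is_correct());
    return 0;
}
```
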