From 9dcd8e2aa3add64fde70901437310573cbf2d870 Mon Sep 17 00:00:00 2001
From: Síle Ekaterin Liszka
Date: Sun, 29 Oct 2023 11:56:03 -0700
Subject: user/nginx: new package
---
user/nginx/APKBUILD | 101 ++++++++++++++++++++++++++
user/nginx/CVE-2023-44487.patch | 52 +++++++++++++
user/nginx/fix-pcre2-reload-memory-leak.patch | 33 +++++++++
user/nginx/http2-buffer-management.patch | 43 +++++++++++
user/nginx/merge-sort.patch | 101 ++++++++++++++++++++++++++
user/nginx/nginx.conf | 28 +++++++
user/nginx/nginx.initd | 71 ++++++++++++++++++
user/nginx/nginx.pre-install | 4 +
8 files changed, 433 insertions(+)
create mode 100644 user/nginx/APKBUILD
create mode 100644 user/nginx/CVE-2023-44487.patch
create mode 100644 user/nginx/fix-pcre2-reload-memory-leak.patch
create mode 100644 user/nginx/http2-buffer-management.patch
create mode 100644 user/nginx/merge-sort.patch
create mode 100644 user/nginx/nginx.conf
create mode 100644 user/nginx/nginx.initd
create mode 100644 user/nginx/nginx.pre-install
diff --git a/user/nginx/APKBUILD b/user/nginx/APKBUILD
new file mode 100644
index 000000000..fd5cfb86f
--- /dev/null
+++ b/user/nginx/APKBUILD
@@ -0,0 +1,101 @@
+# Contributor: Síle Ekaterin Liszka
+# Maintainer: Síle Ekaterin Liszka
+pkgname=nginx
+pkgver=1.24.0
+pkgrel=0
+_testsuite_rev=24482e311749
+pkgdesc="High-performance HTTP server"
+url="https://nginx.org"
+arch="all"
+options=""
+license="BSD-2-Clause"
+depends=""
+makedepends="openssl-dev pcre2-dev zlib-dev"
+checkdepends="openssl cmd:which"
+install="nginx.pre-install"
+pkgusers="nginx"
+pkggroups="nginx"
+subpackages="$pkgname-openrc"
+source="https://nginx.org/download/nginx-$pkgver.tar.gz
+ $pkgname-tests-${_testsuite_rev}.tar.gz::https://hg.nginx.org/nginx-tests/archive/${_testsuite_rev}.tar.gz
+
+ CVE-2023-44487.patch
+ fix-pcre2-reload-memory-leak.patch
+ merge-sort.patch
+ http2-buffer-management.patch
+
+ nginx.initd
+ nginx.conf
+ "
+
+build() {
+ ./configure \
+ --build=$CBUILD \
+ --prefix=/usr \
+ --modules-path=/usr/libexec/nginx \
+ --conf-path=/etc/nginx/ \
+ --pid-path=/run/nginx \
+ --lock-path=/run/nginx \
+ --user=nginx \
+ --group=nginx \
+ --with-poll_module \
+ --with-threads \
+ --with-file-aio \
+ --with-http_ssl_module \
+ --with-http_v2_module \
+ --with-http_realip_module \
+ --with-http_dav_module \
+ --with-http_auth_request_module \
+ --without-http_ssi_module \
+ --without-http_empty_gif_module \
+ --without-http_geo_module \
+ --with-stream=dynamic \
+ --with-stream_ssl_module \
+ --with-stream_realip_module \
+ --with-stream_ssl_preread_module
+ make
+}
+
+check() {
+ cd "$srcdir"/nginx-tests-${_testsuite_rev}
+
+ TEST_NGINX_BINARY="$builddir/objs/nginx" prove -j ${JOBS} .
+}
+
+package() {
+ mkdir -p "$pkgdir"/usr/sbin
+ install -Dm755 objs/nginx "$pkgdir"/usr/sbin/nginx
+
+ mkdir -p "$pkgdir"/etc/init.d
+ install -Dm755 "$srcdir"/nginx.initd "$pkgdir"/etc/init.d/nginx
+
+ mkdir -p "$pkgdir"/etc/nginx
+ for i in koi-win koi-utf win-utf mime.types; do
+ install -Dm644 conf/$i "$pkgdir"/etc/nginx
+ done
+ install -Dm644 "$srcdir"/nginx.conf "$pkgdir"/etc/nginx
+
+ mkdir -p "$pkgdir"/etc/nginx/conf.d
+ for i in fastcgi scgi uwsgi; do
+ install -Dm644 conf/${i}_params "$pkgdir"/etc/nginx/conf.d/"$i".conf
+ done
+
+ mkdir -p "$pkgdir"/usr/libexec/nginx
+ for i in objs/ngx_*_module.so; do
+ install -Dm755 "$i" "$pkgdir"/usr/libexec/nginx
+ done
+
+ mkdir -p "$pkgdir"/var/www/nginx/localhost
+ for i in html/*.html; do
+ install -Dm644 "$i" "$pkgdir"/var/www/nginx/localhost
+ done
+}
+
+sha512sums="1114e37de5664a8109c99cfb2faa1f42ff8ac63c932bcf3780d645e5ed32c0b2ac446f80305b4465994c8f9430604968e176ae464fd80f632d1cb2c8f6007ff3 nginx-1.24.0.tar.gz
+80d163226bdbfcf4bd8556316a1dcc5b048fa87357f83f5cac3b13917043dad0c96b9bc67ac886b421cc4954ddf7603256fe77d85fda406f8ed8c9231fc1cf3e nginx-tests-24482e311749.tar.gz
+828ec84b675b6849cf53bee42176cc0a5d3b043f0c5781f7d030d6fcd7ba95dcee36928909e66e305b0fbf10ce7cdee5a4d640ca4d40a59a674fb284c6126509 CVE-2023-44487.patch
+d7e0433666783605b52d1567860a05dcac880250188e83f0d82ce27530e5c9b272c63b19a522d45bb375bb81ffd5570bbc330bb9206260df3bc777fac5f2de42 fix-pcre2-reload-memory-leak.patch
+fccc503f2cb284ad75d661b2238eeef36f54f3b33badddbcf449c2ec6daa2910e2a7a8809c87234917b6880935fd5d221683cca331599206c92303daf5a10304 merge-sort.patch
+edd733a56d8de7b13998e75b95d7016398b1ae3f041df49edb38bbde3e514395c684096ff45986b0ca259ac9e3ea7c0ad1aee1013c9bb26c6c281df5062ad419 http2-buffer-management.patch
+eb183860cd511361346e4079c1fcf470985e1c3b2a034a57f8b2a92ba851fed99256261f9b779770a5f57e3750e9e71bd1550a9d19ad9bf3a4d288864f0374a2 nginx.initd
+9f0583ebccf265d7fd5eac6afbe2bb8f6364e399b0ca9edc09f0c51996bf2b60348bddd8d8f7600a52a56e930d496a36c178b9f16cde30843417858bb613c850 nginx.conf" diff --git a/user/nginx/CVE-2023-44487.patch b/user/nginx/CVE-2023-44487.patch new file mode 100644 index 000000000..180c7cb85 --- /dev/null +++ b/user/nginx/CVE-2023-44487.patch @@ -0,0 +1,52 @@ +Source: https://trac.nginx.org/nginx/changeset/cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc/nginx + +This patch was modified from upstream in the following way(s): + +* Update path so that the patch applies correctly +* dos2unix + +Index: src/http/v2/ngx_http_v2.c +=================================================================== +--- a/src/http/v2/ngx_http_v2.c (revision 9121) ++++ b/src/http/v2/ngx_http_v2.c (revision 9165) +@@ -348,4 +348,5 @@ + + h2c->blocked = 1; ++ h2c->new_streams = 0; + + if (c->close) { +@@ -1285,4 +1286,12 @@ + } + ++ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many streams at once"); ++ ++ status = NGX_HTTP_V2_REFUSED_STREAM; ++ goto rst_stream; ++ } ++ + if (!h2c->settings_ack + && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) +@@ -1349,4 +1358,10 @@ + + rst_stream: ++ ++ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many refused streams"); ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR); ++ } + + if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) { +Index: src/http/v2/ngx_http_v2.h +=================================================================== +--- a/src/http/v2/ngx_http_v2.h (revision 9121) ++++ b/src/http/v2/ngx_http_v2.h (revision 9165) +@@ -132,4 +132,6 @@ + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t new_streams; ++ ngx_uint_t refused_streams; + ngx_uint_t priority_limit; + 
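Review bot: `--pid-path=/run/nginx` and `--lock-path=/run/nginx` in build() name a directory rather than a file: the bundled initd uses `pidfile=/run/nginx/nginx.pid` and creates `/run/nginx` as a directory in start_pre, and the shipped nginx.conf sets no `pid` directive, so the compiled-in default would try to write the pid file onto the directory itself. The same applies to `--conf-path=/etc/nginx/`, which should name the file nginx reads when started without `-c`. I would change the three lines to `--conf-path=/etc/nginx/nginx.conf \`, `--pid-path=/run/nginx/nginx.pid \` and `--lock-path=/run/nginx/nginx.lock \`. Note also that no `--error-log-path`, `--http-log-path` or temp-path options are given; unless I misremember configure's defaults, those resolve to locations under `--prefix=/usr`, whereas /var/log/nginx and /var/lib/nginx would match the home directory the pre-install script names and keep the running server from writing into /usr.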
diff --git a/user/nginx/fix-pcre2-reload-memory-leak.patch b/user/nginx/fix-pcre2-reload-memory-leak.patch new file mode 100644 index 000000000..ee22872f1 --- /dev/null +++ b/user/nginx/fix-pcre2-reload-memory-leak.patch @@ -0,0 +1,33 @@ +Source: https://trac.nginx.org/nginx/changeset/533bc2336df44679cc46e6fccf54675e13578f21/nginx + +This patch was modified from upstream in the following way(s): + +* Update path so that the patch applies correctly +* dos2unix + +Index: src/core/ngx_regex.c +=================================================================== +--- a/src/core/ngx_regex.c (revision 8163) ++++ b/src/core/ngx_regex.c (revision 9166) +@@ -601,4 +601,6 @@ + */ + ++ ngx_regex_malloc_init(NULL); ++ + if (ngx_regex_compile_context) { + pcre2_compile_context_free(ngx_regex_compile_context); +@@ -611,4 +613,6 @@ + ngx_regex_match_data_size = 0; + } ++ ++ ngx_regex_malloc_done(); + + #endif +@@ -707,7 +711,4 @@ + + ngx_regex_studies = NULL; +-#if (NGX_PCRE2) +- ngx_regex_compile_context = NULL; +-#endif + + return NGX_OK; diff --git a/user/nginx/http2-buffer-management.patch b/user/nginx/http2-buffer-management.patch new file mode 100644 index 000000000..e77b91feb --- /dev/null +++ b/user/nginx/http2-buffer-management.patch 
@@ -0,0 +1,43 @@ +Source: https://trac.nginx.org/nginx/changeset/ea1f29c2010cda4940b741976f103d547308815a/nginx + +This patch was modified from upstream in the following way(s): + +* Update path so that the patch applies correctly +* dos2unix + +Index: src/http/v2/ngx_http_v2.c +=================================================================== +--- a/src/http/v2/ngx_http_v2.c (revision 9165) ++++ b/src/http/v2/ngx_http_v2.c (revision 9179) +@@ -387,11 +387,9 @@ + ngx_http_v2_module); + +- available = h2mcf->recv_buffer_size - 2 * NGX_HTTP_V2_STATE_BUFFER_SIZE; ++ available = h2mcf->recv_buffer_size - NGX_HTTP_V2_STATE_BUFFER_SIZE; + + do { + p = h2mcf->recv_buffer; +- +- ngx_memcpy(p, h2c->state.buffer, NGX_HTTP_V2_STATE_BUFFER_SIZE); +- end = p + h2c->state.buffer_used; ++ end = ngx_cpymem(p, h2c->state.buffer, h2c->state.buffer_used); + + n = c->recv(c, end, available); +@@ -2593,5 +2591,5 @@ + } + +- ngx_memcpy(h2c->state.buffer, pos, NGX_HTTP_V2_STATE_BUFFER_SIZE); ++ ngx_memcpy(h2c->state.buffer, pos, size); + + h2c->state.buffer_used = size; +Index: src/http/v2/ngx_http_v2_module.c +=================================================================== +--- a/src/http/v2/ngx_http_v2_module.c (revision 9121) ++++ b/src/http/v2/ngx_http_v2_module.c (revision 9179) +@@ -389,5 +389,5 @@ + size_t *sp = data; + +- if (*sp <= 2 * NGX_HTTP_V2_STATE_BUFFER_SIZE) { ++ if (*sp <= NGX_HTTP_V2_STATE_BUFFER_SIZE) { + return "value is too small"; + } diff --git a/user/nginx/merge-sort.patch b/user/nginx/merge-sort.patch new file mode 100644 index 000000000..cedd87925 --- /dev/null +++ b/user/nginx/merge-sort.patch 
@@ -0,0 +1,101 @@ +Source: https://trac.nginx.org/nginx/changeset/3038bd4d78169a5e8a2624d79cf76f45f0805ddc/nginx + +This patch was modified from upstream in the following way(s): + +* Update path so that the patch applies correctly +* dos2unix + +Index: src/core/ngx_queue.c +=================================================================== +--- a/src/core/ngx_queue.c (revision 4412) ++++ b/src/core/ngx_queue.c (revision 9167) +@@ -8,4 +8,8 @@ + #include + #include ++ ++ ++static void ngx_queue_merge(ngx_queue_t *queue, ngx_queue_t *tail, ++ ngx_int_t (*cmp)(const ngx_queue_t *, const ngx_queue_t *)); + + +@@ -46,5 +50,5 @@ + + +-/* the stable insertion sort */ ++/* the stable merge sort */ + + void +@@ -52,5 +56,5 @@ + ngx_int_t (*cmp)(const ngx_queue_t *, const ngx_queue_t *)) + { +- ngx_queue_t *q, *prev, *next; ++ ngx_queue_t *q, tail; + + q = ngx_queue_head(queue); +@@ -60,21 +64,43 @@ + } + +- for (q = ngx_queue_next(q); q != ngx_queue_sentinel(queue); q = next) { ++ q = ngx_queue_middle(queue); + +- prev = ngx_queue_prev(q); +- next = ngx_queue_next(q); ++ ngx_queue_split(queue, q, &tail); + +- ngx_queue_remove(q); ++ ngx_queue_sort(queue, cmp); ++ ngx_queue_sort(&tail, cmp); + +- do { +- if (cmp(prev, q) <= 0) { +- break; +- } ++ ngx_queue_merge(queue, &tail, cmp); ++} + +- prev = ngx_queue_prev(prev); + +- } while (prev != ngx_queue_sentinel(queue)); ++static void ++ngx_queue_merge(ngx_queue_t *queue, ngx_queue_t *tail, ++ ngx_int_t (*cmp)(const ngx_queue_t *, const ngx_queue_t *)) ++{ ++ ngx_queue_t *q1, *q2; + +- ngx_queue_insert_after(prev, q); ++ q1 = ngx_queue_head(queue); ++ q2 = ngx_queue_head(tail); ++ ++ for ( ;; ) { ++ if (q1 == ngx_queue_sentinel(queue)) { ++ ngx_queue_add(queue, tail); ++ break; ++ } ++ ++ if (q2 == ngx_queue_sentinel(tail)) { ++ break; ++ } ++ ++ if (cmp(q1, q2) <= 0) { ++ q1 = ngx_queue_next(q1); ++ continue; ++ } ++ ++ ngx_queue_remove(q2); ++ ngx_queue_insert_before(q1, q2); ++ ++ q2 = ngx_queue_head(tail); + } + } +Index: 
src/core/ngx_queue.h
+===================================================================
+--- a/src/core/ngx_queue.h (revision 4412)
++++ b/src/core/ngx_queue.h (revision 9167)
+@@ -46,4 +46,7 @@
+ (x)->next = h; \
+ (h)->prev = x
++
++
++#define ngx_queue_insert_before ngx_queue_insert_tail
+
+
diff --git a/user/nginx/nginx.conf b/user/nginx/nginx.conf
new file mode 100644
index 000000000..204d667d5
--- /dev/null
+++ b/user/nginx/nginx.conf
@@ -0,0 +1,28 @@
+# This is an example configuration file for nginx, with a number of secure
+# defaults specified already.
+
+# The system user that nginx runs under.
+user nginx;
+
+# The number of worker processes nginx should have. 'Auto' allows nginx
+# to determine for itself; typically this value should be the number of
+# cores you wish nginx to use.
+worker_processes auto;
+
+# HTTP-specific configuration
+http {
+ # Default mapping of MIME types to file extensions.
+ include mime.types;
+
+ # The default MIME type to use for unknown extensions.
+ default_type application/octet-stream;
+
+ # This setting enables gzip-based compression, reducing bandwidth usage.
+ gzip on;
+
+ # Global configuration.
+ include conf.d/*.conf;
+
+ # Site configuration.
+ include sites.d/*.conf;
+}
diff --git a/user/nginx/nginx.initd b/user/nginx/nginx.initd
new file mode 100644
index 000000000..603f91e63
--- /dev/null
+++ b/user/nginx/nginx.initd
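Review bot: The configuration has no `events` block, and nginx refuses to start when the `events` section is missing, so the service cannot come up with this file as shipped; add `events { worker_connections 1024; }` at top level. It also sets no `pid` directive while the initd expects `/run/nginx/nginx.pid` and the APKBUILD passes `--pid-path=/run/nginx`, so `pid /run/nginx/nginx.pid;` should be stated explicitly rather than left to the build default. Given the header's claim of secure defaults, `server_tokens off;` in the http block would be the minimum hardening needed to live up to it. `include sites.d/*.conf;` points at a directory package() never creates; a wildcard include tolerates an empty match, but creating /etc/nginx/sites.d in package() would make the intended layout visible to administrators.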
@@ -0,0 +1,71 @@
+#!/sbin/openrc-run
+
+description="Nginx http and reverse proxy server"
+extra_commands="checkconfig"
+extra_started_commands="reload reopen upgrade"
+
+cfgfile=${cfgfile:-/etc/nginx/nginx.conf}
+pidfile=/run/nginx/nginx.pid
+command=/usr/sbin/nginx
+command_args="-c $cfgfile"
+required_files="$cfgfile"
+
+depend() {
+ need net
+ use dns logger netmount
+}
+
+start_pre() {
+ checkpath --directory --owner nginx:nginx ${pidfile%/*}
+ $command $command_args -t -q
+}
+
+checkconfig() {
+ ebegin "Checking $RC_SVCNAME configuration"
+ start_pre
+ eend $?
+}
+
+reload() {
+ ebegin "Reloading $RC_SVCNAME configuration"
+ start_pre && start-stop-daemon --signal HUP --pidfile $pidfile
+ eend $?
+}
+
+reopen() {
+ ebegin "Reopening $RC_SVCNAME log files"
+ start-stop-daemon --signal USR1 --pidfile $pidfile
+ eend $?
+}
+
+upgrade() {
+ start_pre || return 1
+
+ ebegin "Upgrading $RC_SVCNAME binary"
+
+ einfo "Sending USR2 to old binary"
+ start-stop-daemon --signal USR2 --pidfile $pidfile
+
+ einfo "Sleeping 3 seconds before pid-files checking"
+ sleep 3
+
+ if [ ! -f $pidfile.oldbin ]; then
+ eerror "File with old pid ($pidfile.oldbin) not found"
+ return 1
+ fi
+
+ if [ ! -f $pidfile ]; then
+ eerror "New binary failed to start"
+ return 1
+ fi
+
+ einfo "Sleeping 3 seconds before WINCH"
+ sleep 3 ; start-stop-daemon --signal 28 --pidfile $pidfile.oldbin
+
+ einfo "Sending QUIT to old binary"
+ start-stop-daemon --signal QUIT --pidfile $pidfile.oldbin
+
+ einfo "Upgrade completed"
+
+ eend $? "Upgrade failed"
+}
diff --git a/user/nginx/nginx.pre-install b/user/nginx/nginx.pre-install
new file mode 100644
index 000000000..da22bde54
--- /dev/null
+++ b/user/nginx/nginx.pre-install
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+groupadd -r -f -g 82 www-data >/dev/null
+useradd -d /var/lib/nginx -G www-data -r -M -s /sbin/nologin -U >/dev/null
--
cgit v1.2.3-60-g2f50
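Review bot: In upgrade(), `eend $? "Upgrade failed"` tests the exit status of the preceding `einfo "Upgrade completed"`, not of the `start-stop-daemon --signal QUIT` call, so the failure message can never fire; capture the status right after the QUIT line with `ret=$?` and finish with `eend $ret "Upgrade failed"`. `--signal 28` relies on a Linux-specific signal number while every other signal in the file is given by name; `--signal WINCH` would be clearer if this start-stop-daemon accepts it. start_pre's `checkpath --directory --owner nginx:nginx ${pidfile%/*}` hands the unprivileged worker account write access to the directory holding the pid that reload, reopen and upgrade later signal as root; since the master process is started as root here and writes the pid file itself, a root-owned directory (`checkpath --directory ${pidfile%/*}`) appears sufficient and closes that path.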
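Review bot: The `useradd` line passes no login name — its argument list ends at `-U >/dev/null` — so the command fails and the package install aborts before any account exists. The account it would create also disagrees with the rest of the package: APKBUILD declares `pkgusers="nginx"` and `pkggroups="nginx"`, the initd uses `--owner nginx:nginx` and nginx.conf says `user nginx;`, while this script creates the group `www-data`. I would make it `groupadd -r -f -g 82 nginx >/dev/null`, `useradd -d /var/lib/nginx -g nginx -r -M -s /sbin/nologin nginx >/dev/null 2>&1` and end the script with `exit 0`, so that a reinstall or upgrade on a system where the account already exists does not fail the transaction. `/var/lib/nginx` is given as the home directory but package() never creates it; either create it there or drop the `-d`.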