From b05f76098bf4996002be06dc7ae400e8e11223da Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Sun, 29 Jun 2025 17:39:46 +0800
Subject: [PATCH] [CVE] CVE-2025-23419

to #18862
add patch to fix CVE-2025-23419
Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 1-bugfix-for-CVE-2025-23419.patch | 45 +++++++++++++++++++++++++++++++
 nginx.spec                        |  7 ++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 1-bugfix-for-CVE-2025-23419.patch

diff --git a/1-bugfix-for-CVE-2025-23419.patch b/1-bugfix-for-CVE-2025-23419.patch
new file mode 100644
index 0000000..bee1c1c
--- /dev/null
+++ b/1-bugfix-for-CVE-2025-23419.patch
@@ -0,0 +1,45 @@
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 684fabd..404aa77 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -921,6 +921,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+ 
++    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION                                                   \
++     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++    /*
++     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++     * but servername being negotiated in every TLSv1.3 handshake
++     * is only returned in OpenSSL 1.1.1+ as well
++     */
++
++    if (sscf->verify) {
++        const char  *hostname;
++
++        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++            c->ssl->handshake_rejected = 1;
++            *ad = SSL_AD_ACCESS_DENIED;
++            return SSL_TLSEXT_ERR_ALERT_FATAL;
++        }
++    }
++
++#endif
++
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -934,8 +959,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     ngx_set_connection_log(c, clcf->error_log);
+ 
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+ 
+     if (sscf->ssl.ctx) {
diff --git a/nginx.spec b/nginx.spec
index f53494f..4e58130 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global  _hardened_build     1
 %global  nginx_user          nginx
 
@@ -36,6 +36,8 @@ License:           BSD
 URL:               https://nginx.org
 
 Source0:           https://nginx.org/download/nginx-%{version}.tar.gz
+
+Patch1: 1-bugfix-for-CVE-2025-23419.patch
 Source10:          nginx.service
 Source11:          nginx.logrotate
 Source12:          nginx.conf
@@ -684,6 +686,9 @@ fi
 %doc CHANGES README README.dynamic
 
 %changelog
+* Sun Jun 29 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 1.26.2-2
+- Fix CVE-2025-23419
+
 * Wed Mar 19 2025 Hong Wei Qin <qhw01063182@alibaba-inc.com> - 1:1.26.2-1
 - Update to 1.26.2 from 1.24.0
 
-- 
Gitee