diff --git a/nghttp2-CVE-2023-35945.patch b/nghttp2-CVE-2023-35945.patch index daa59d2..5b38e86 100644 --- a/nghttp2-CVE-2023-35945.patch +++ b/nghttp2-CVE-2023-35945.patch @@ -46,11 +46,11 @@ into NGHTTP2_ERR_CALLBACK_FAILURE. tests/nghttp2_session_test.c | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 5 deletions(-) -diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c -index 7509ceb5..71858a39 100644 ---- a/lib/nghttp2_session.c -+++ b/lib/nghttp2_session.c -@@ -3296,6 +3296,7 @@ static ssize_t nghttp2_session_mem_send_internal(nghttp2_session *session, +Index: nghttp2-1.52.0/lib/nghttp2_session.c +=================================================================== +--- nghttp2-1.52.0.orig/lib/nghttp2_session.c ++++ nghttp2-1.52.0/lib/nghttp2_session.c +@@ -3300,6 +3300,7 @@ static ssize_t nghttp2_session_mem_send_ if (rv < 0) { int32_t opened_stream_id = 0; uint32_t error_code = NGHTTP2_INTERNAL_ERROR; @@ -58,7 +58,7 @@ index 7509ceb5..71858a39 100644 DEBUGF("send: frame preparation failed with %s\n", nghttp2_strerror(rv)); -@@ -3338,19 +3339,18 @@ static ssize_t nghttp2_session_mem_send_internal(nghttp2_session *session, +@@ -3342,19 +3343,18 @@ static ssize_t nghttp2_session_mem_send_ } if (opened_stream_id) { /* careful not to override rv */ @@ -82,11 +82,11 @@ index 7509ceb5..71858a39 100644 if (rv == NGHTTP2_ERR_HEADER_COMP) { /* If header compression error occurred, should terminiate connection. */ -diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c -index b55ff534..74352426 100644 ---- a/tests/nghttp2_session_test.c -+++ b/tests/nghttp2_session_test.c -@@ -584,6 +584,15 @@ static int on_stream_close_callback(nghttp2_session *session, int32_t stream_id, +Index: nghttp2-1.52.0/tests/nghttp2_session_test.c +=================================================================== +--- nghttp2-1.52.0.orig/tests/nghttp2_session_test.c ++++ nghttp2-1.52.0/tests/nghttp2_session_test.c +@@ -585,6 +585,15 @@ static int on_stream_close_callback(nght return 0; } @@ -102,7 +102,7 @@ index b55ff534..74352426 100644 static ssize_t pack_extension_callback(nghttp2_session *session, uint8_t *buf, size_t len, const nghttp2_frame *frame, void *user_data) { -@@ -4296,6 +4305,8 @@ void test_nghttp2_session_on_goaway_received(void) { +@@ -4297,6 +4306,8 @@ void test_nghttp2_session_on_goaway_rece nghttp2_frame frame; int i; nghttp2_mem *mem; @@ -111,7 +111,7 @@ index b55ff534..74352426 100644 mem = nghttp2_mem_default(); user_data.frame_recv_cb_called = 0; -@@ -4337,6 +4348,29 @@ void test_nghttp2_session_on_goaway_received(void) { +@@ -4338,6 +4349,29 @@ void test_nghttp2_session_on_goaway_rece nghttp2_frame_goaway_free(&frame.goaway, mem); nghttp2_session_del(session); @@ -141,6 +141,3 @@ index b55ff534..74352426 100644 } void test_nghttp2_session_on_window_update_received(void) { --- -2.35.3 - diff --git a/nghttp2-CVE-2024-28182-1.patch b/nghttp2-CVE-2024-28182-1.patch new file mode 100644 index 0000000..d4e43ee --- /dev/null +++ b/nghttp2-CVE-2024-28182-1.patch @@ -0,0 +1,103 @@ +From 00201ecd8f982da3b67d4f6868af72a1b03b14e0 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sat, 9 Mar 2024 16:26:42 +0900 +Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame + +--- + lib/includes/nghttp2/nghttp2.h | 7 ++++++- + lib/nghttp2_helper.c | 2 ++ + lib/nghttp2_session.c | 7 +++++++ + lib/nghttp2_session.h | 10 ++++++++++ + 4 files changed, 25 insertions(+), 1 deletion(-) + +Index: nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h +=================================================================== +--- nghttp2-1.52.0.orig/lib/includes/nghttp2/nghttp2.h ++++ nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h +@@ -440,7 +440,12 @@ typedef enum { + * exhaustion on server side to send these frames forever and does + * not read network. + */ +- NGHTTP2_ERR_FLOODED = -904 ++ NGHTTP2_ERR_FLOODED = -904, ++ /** ++ * When a local endpoint receives too many CONTINUATION frames ++ * following a HEADER frame. ++ */ ++ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905, + } nghttp2_error; + + /** +Index: nghttp2-1.52.0/lib/nghttp2_helper.c +=================================================================== +--- nghttp2-1.52.0.orig/lib/nghttp2_helper.c ++++ nghttp2-1.52.0/lib/nghttp2_helper.c +@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_c + "closed"; + case NGHTTP2_ERR_TOO_MANY_SETTINGS: + return "SETTINGS frame contained more than the maximum allowed entries"; ++ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS: ++ return "Too many CONTINUATION frames following a HEADER frame"; + default: + return "Unknown error code"; + } +Index: nghttp2-1.52.0/lib/nghttp2_session.c +=================================================================== +--- nghttp2-1.52.0.orig/lib/nghttp2_session.c ++++ nghttp2-1.52.0/lib/nghttp2_session.c +@@ -491,6 +491,7 @@ static int session_new(nghttp2_session * + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; + (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; ++ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -6838,6 +6839,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2 + } + } + session_inbound_frame_reset(session); ++ ++ session->num_continuations = 0; + } + break; + } +@@ -6959,6 +6962,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2 + } + #endif /* DEBUGBUILD */ + ++ if (++session->num_continuations > session->max_continuations) { ++ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS; ++ } ++ + readlen = inbound_frame_buf_read(iframe, in, last); + in += readlen; + +Index: nghttp2-1.52.0/lib/nghttp2_session.h +=================================================================== +--- nghttp2-1.52.0.orig/lib/nghttp2_session.h ++++ nghttp2-1.52.0/lib/nghttp2_session.h +@@ -105,6 +105,10 @@ typedef struct { + /* The default value of maximum number of concurrent streams. */ + #define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu + ++/* The default max number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 ++ + /* Internal state when receiving incoming frame */ + typedef enum { + /* Receiving frame header */ +@@ -280,6 +284,12 @@ struct nghttp2_session { + size_t max_send_header_block_length; + /* The maximum number of settings accepted per SETTINGS frame. */ + size_t max_settings; ++ /* The maximum number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++ size_t max_continuations; ++ /* The number of CONTINUATION frames following an incoming HEADER ++ frame. This variable is reset when END_HEADERS flag is seen. */ ++ size_t num_continuations; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, diff --git a/nghttp2-CVE-2024-28182-2.patch b/nghttp2-CVE-2024-28182-2.patch new file mode 100644 index 0000000..96a4a82 --- /dev/null +++ b/nghttp2-CVE-2024-28182-2.patch @@ -0,0 +1,86 @@ +From d71a4668c6bead55805d18810d633fbb98315af9 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sat, 9 Mar 2024 16:48:10 +0900 +Subject: [PATCH] Add nghttp2_option_set_max_continuations + +--- + doc/Makefile.am | 1 + + lib/includes/nghttp2/nghttp2.h | 11 +++++++++++ + lib/nghttp2_option.c | 5 +++++ + lib/nghttp2_option.h | 5 +++++ + lib/nghttp2_session.c | 4 ++++ + 5 files changed, 26 insertions(+) + +Index: nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h +=================================================================== +--- nghttp2-1.52.0.orig/lib/includes/nghttp2/nghttp2.h ++++ nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h +@@ -3215,6 +3215,17 @@ nghttp2_session_set_stream_user_data(ngh + /** + * @function + * ++ * This function sets the maximum number of CONTINUATION frames ++ * following an incoming HEADER frame. If more than those frames are ++ * received, the remote endpoint is considered to be misbehaving and ++ * session will be closed. The default value is 8. ++ */ ++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option, ++ size_t val); ++ ++/** ++ * @function ++ * + * Sets |user_data| to |session|, overwriting the existing user data + * specified in `nghttp2_session_client_new()`, or + * `nghttp2_session_server_new()`. +Index: nghttp2-1.52.0/lib/nghttp2_option.c +=================================================================== +--- nghttp2-1.52.0.orig/lib/nghttp2_option.c ++++ nghttp2-1.52.0/lib/nghttp2_option.c +@@ -143,3 +143,8 @@ void nghttp2_option_set_no_rfc9113_leadi + NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION; + option->no_rfc9113_leading_and_trailing_ws_validation = val; + } ++ ++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) { ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS; ++ option->max_continuations = val; ++} +Index: nghttp2-1.52.0/lib/nghttp2_option.h +=================================================================== +--- nghttp2-1.52.0.orig/lib/nghttp2_option.h ++++ nghttp2-1.52.0/lib/nghttp2_option.h +@@ -70,6 +70,7 @@ typedef enum { + NGHTTP2_OPT_MAX_SETTINGS = 1 << 12, + NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13, + NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14, ++ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16, + } nghttp2_option_flag; + + /** +@@ -93,6 +94,10 @@ struct nghttp2_option { + */ + size_t max_settings; + /** ++ * NGHTTP2_OPT_MAX_CONTINUATIONS ++ */ ++ size_t max_continuations; ++ /** + * Bitwise OR of nghttp2_option_flag to determine that which fields + * are specified. + */ +Index: nghttp2-1.52.0/lib/nghttp2_session.c +=================================================================== +--- nghttp2-1.52.0.orig/lib/nghttp2_session.c ++++ nghttp2-1.52.0/lib/nghttp2_session.c +@@ -574,6 +574,10 @@ static int session_new(nghttp2_session * + (*session_ptr)->opt_flags |= + NGHTTP2_OPTMASK_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION; + } ++ ++ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) { ++ (*session_ptr)->max_continuations = option->max_continuations; ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, diff --git a/nghttp2.changes b/nghttp2.changes index 67e0c24..a2ce2d2 100644 --- a/nghttp2.changes +++ b/nghttp2.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Thu Apr 4 12:25:30 UTC 2024 - pgajdos@suse.com + +- security update +- added patches + fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks + + nghttp2-CVE-2024-28182-1.patch + fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks + + nghttp2-CVE-2024-28182-2.patch + ------------------------------------------------------------------- Tue Sep 26 13:58:42 UTC 2023 - Valentin Lefebvre diff --git a/nghttp2.spec b/nghttp2.spec index 29c8eee..73db080 100644 --- a/nghttp2.spec +++ b/nghttp2.spec @@ -35,6 +35,10 @@ Source: https://github.com/nghttp2/nghttp2/releases/download/v%{version} Source1: baselibs.conf # CVE-2023-35945 [bsc#1215713], Fixes leak memory Patch0: nghttp2-CVE-2023-35945.patch +# CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks +Patch1: nghttp2-CVE-2024-28182-1.patch +# CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks +Patch2: nghttp2-CVE-2024-28182-2.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc-c++ @@ -123,8 +127,8 @@ Documentation for nghttp2, which includes a shared C library, HTTP/2 client, server and proxy. %prep -%setup -q -n nghttp2-%{version} -%patch0 -p1 +%autosetup -p1 -n nghttp2-%{version} + # fix python shebang sed -i -e 's:#!%{_bindir}/env python:#!%{_bindir}/python3:g' script/fetch-ocsp-response