Sync from SUSE:SLFO:Main nghttp2 revision d521df2e29062fab3a277490a9d80d86

Adrian Schröter 2024-12-13 10:44:16 +01:00
parent 05bc9efd8d
commit 188bf2eb44
10 changed files with 617 additions and 593 deletions


@ -1,2 +1 @@
libnghttp2-14
libnghttp2_asio1

BIN
nghttp2-1.52.0.tar.xz (Stored with Git LFS)

Binary file not shown.

BIN
nghttp2-1.64.0.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

16
nghttp2-1.64.0.tar.xz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=aykV
-----END PGP SIGNATURE-----


@ -1,143 +0,0 @@
From ce385d3f55a4b76da976b3bdf71fe2deddf315ba Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Fri, 14 Jul 2023 20:52:03 +0900
Subject: [PATCH] Fix memory leak
This commit fixes memory leak that happens when PUSH_PROMISE or
HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback
fails with a fatal error. For example, if GOAWAY frame has been
received, a HEADERS frame that opens new stream cannot be sent.
This issue has already been made public via CVE-2023-35945 [1] issued
by envoyproxy/envoy project. During embargo period, the patch to fix
this bug was accidentally submitted to nghttp2/nghttp2 repository [2].
And they decided to disclose CVE early. I was notified just 1.5 hours
before disclosure. I had no time to respond.
PoC described in [1] is quite simple, but I think it is not enough to
trigger this bug. While it is true that receiving GOAWAY prevents a
client from opening new stream, and nghttp2 enters error handling
branch, in order to cause the memory leak,
nghttp2_session_close_stream function must return a fatal error.
nghttp2 defines 2 fatal error codes:
- NGHTTP2_ERR_NOMEM
- NGHTTP2_ERR_CALLBACK_FAILURE
NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It
is unlikely that a process gets short of memory with this simple PoC
scenario unless application does something memory heavy processing.
NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined
callback function (nghttp2_on_stream_close_callback, in this case),
which indicates something fatal happened inside a callback, and a
connection must be closed immediately without any further action. As
nghttp2_on_stream_close_error_callback documentation says, any error
code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
error code. More specifically, it is treated as if
NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns
NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated
into NGHTTP2_ERR_CALLBACK_FAILURE.
[1] https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
[2] https://github.com/nghttp2/nghttp2/pull/1929
---
lib/nghttp2_session.c | 10 +++++-----
tests/nghttp2_session_test.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+), 5 deletions(-)
Index: nghttp2-1.52.0/lib/nghttp2_session.c
===================================================================
--- nghttp2-1.52.0.orig/lib/nghttp2_session.c
+++ nghttp2-1.52.0/lib/nghttp2_session.c
@@ -3300,6 +3300,7 @@ static ssize_t nghttp2_session_mem_send_
if (rv < 0) {
int32_t opened_stream_id = 0;
uint32_t error_code = NGHTTP2_INTERNAL_ERROR;
+ int rv2 = 0;
DEBUGF("send: frame preparation failed with %s\n",
nghttp2_strerror(rv));
@@ -3342,19 +3343,18 @@ static ssize_t nghttp2_session_mem_send_
}
if (opened_stream_id) {
/* careful not to override rv */
- int rv2;
rv2 = nghttp2_session_close_stream(session, opened_stream_id,
error_code);
-
- if (nghttp2_is_fatal(rv2)) {
- return rv2;
- }
}
nghttp2_outbound_item_free(item, mem);
nghttp2_mem_free(mem, item);
active_outbound_item_reset(aob, mem);
+ if (nghttp2_is_fatal(rv2)) {
+ return rv2;
+ }
+
if (rv == NGHTTP2_ERR_HEADER_COMP) {
/* If header compression error occurred, should terminiate
connection. */
Index: nghttp2-1.52.0/tests/nghttp2_session_test.c
===================================================================
--- nghttp2-1.52.0.orig/tests/nghttp2_session_test.c
+++ nghttp2-1.52.0/tests/nghttp2_session_test.c
@@ -585,6 +585,15 @@ static int on_stream_close_callback(nght
return 0;
}
+static int fatal_error_on_stream_close_callback(nghttp2_session *session,
+ int32_t stream_id,
+ uint32_t error_code,
+ void *user_data) {
+ on_stream_close_callback(session, stream_id, error_code, user_data);
+
+ return NGHTTP2_ERR_CALLBACK_FAILURE;
+}
+
static ssize_t pack_extension_callback(nghttp2_session *session, uint8_t *buf,
size_t len, const nghttp2_frame *frame,
void *user_data) {
@@ -4297,6 +4306,8 @@ void test_nghttp2_session_on_goaway_rece
nghttp2_frame frame;
int i;
nghttp2_mem *mem;
+ const uint8_t *data;
+ ssize_t datalen;
mem = nghttp2_mem_default();
user_data.frame_recv_cb_called = 0;
@@ -4338,6 +4349,29 @@ void test_nghttp2_session_on_goaway_rece
nghttp2_frame_goaway_free(&frame.goaway, mem);
nghttp2_session_del(session);
+
+ /* Make sure that no memory leak when stream_close callback fails
+ with a fatal error */
+ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
+ callbacks.on_stream_close_callback = fatal_error_on_stream_close_callback;
+
+ memset(&user_data, 0, sizeof(user_data));
+
+ nghttp2_session_client_new(&session, &callbacks, &user_data);
+
+ nghttp2_frame_goaway_init(&frame.goaway, 0, NGHTTP2_NO_ERROR, NULL, 0);
+
+ CU_ASSERT(0 == nghttp2_session_on_goaway_received(session, &frame));
+
+ nghttp2_submit_request(session, NULL, reqnv, ARRLEN(reqnv), NULL, NULL);
+
+ datalen = nghttp2_session_mem_send(session, &data);
+
+ CU_ASSERT(NGHTTP2_ERR_CALLBACK_FAILURE == datalen);
+ CU_ASSERT(1 == user_data.stream_close_cb_called);
+
+ nghttp2_frame_goaway_free(&frame.goaway, mem);
+ nghttp2_session_del(session);
}
void test_nghttp2_session_on_window_update_received(void) {


@ -1,103 +0,0 @@
From 00201ecd8f982da3b67d4f6868af72a1b03b14e0 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:26:42 +0900
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
---
lib/includes/nghttp2/nghttp2.h | 7 ++++++-
lib/nghttp2_helper.c | 2 ++
lib/nghttp2_session.c | 7 +++++++
lib/nghttp2_session.h | 10 ++++++++++
4 files changed, 25 insertions(+), 1 deletion(-)
Index: nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
===================================================================
--- nghttp2-1.52.0.orig/lib/includes/nghttp2/nghttp2.h
+++ nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
@@ -440,7 +440,12 @@ typedef enum {
* exhaustion on server side to send these frames forever and does
* not read network.
*/
- NGHTTP2_ERR_FLOODED = -904
+ NGHTTP2_ERR_FLOODED = -904,
+ /**
+ * When a local endpoint receives too many CONTINUATION frames
+ * following a HEADER frame.
+ */
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
} nghttp2_error;
/**
Index: nghttp2-1.52.0/lib/nghttp2_helper.c
===================================================================
--- nghttp2-1.52.0.orig/lib/nghttp2_helper.c
+++ nghttp2-1.52.0/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_c
"closed";
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
return "SETTINGS frame contained more than the maximum allowed entries";
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+ return "Too many CONTINUATION frames following a HEADER frame";
default:
return "Unknown error code";
}
Index: nghttp2-1.52.0/lib/nghttp2_session.c
===================================================================
--- nghttp2-1.52.0.orig/lib/nghttp2_session.c
+++ nghttp2-1.52.0/lib/nghttp2_session.c
@@ -491,6 +491,7 @@ static int session_new(nghttp2_session *
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -6838,6 +6839,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2
}
}
session_inbound_frame_reset(session);
+
+ session->num_continuations = 0;
}
break;
}
@@ -6959,6 +6962,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2
}
#endif /* DEBUGBUILD */
+ if (++session->num_continuations > session->max_continuations) {
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+ }
+
readlen = inbound_frame_buf_read(iframe, in, last);
in += readlen;
Index: nghttp2-1.52.0/lib/nghttp2_session.h
===================================================================
--- nghttp2-1.52.0.orig/lib/nghttp2_session.h
+++ nghttp2-1.52.0/lib/nghttp2_session.h
@@ -105,6 +105,10 @@ typedef struct {
/* The default value of maximum number of concurrent streams. */
#define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu
+/* The default max number of CONTINUATION frames following an incoming
+ HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
@@ -280,6 +284,12 @@ struct nghttp2_session {
size_t max_send_header_block_length;
/* The maximum number of settings accepted per SETTINGS frame. */
size_t max_settings;
+ /* The maximum number of CONTINUATION frames following an incoming
+ HEADER frame. */
+ size_t max_continuations;
+ /* The number of CONTINUATION frames following an incoming HEADER
+ frame. This variable is reset when END_HEADERS flag is seen. */
+ size_t num_continuations;
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
uint32_t next_stream_id;
/* The last stream ID this session initiated. For client session,


@ -1,86 +0,0 @@
From d71a4668c6bead55805d18810d633fbb98315af9 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:48:10 +0900
Subject: [PATCH] Add nghttp2_option_set_max_continuations
---
doc/Makefile.am | 1 +
lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
lib/nghttp2_option.c | 5 +++++
lib/nghttp2_option.h | 5 +++++
lib/nghttp2_session.c | 4 ++++
5 files changed, 26 insertions(+)
Index: nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
===================================================================
--- nghttp2-1.52.0.orig/lib/includes/nghttp2/nghttp2.h
+++ nghttp2-1.52.0/lib/includes/nghttp2/nghttp2.h
@@ -3215,6 +3215,17 @@ nghttp2_session_set_stream_user_data(ngh
/**
* @function
*
+ * This function sets the maximum number of CONTINUATION frames
+ * following an incoming HEADER frame. If more than those frames are
+ * received, the remote endpoint is considered to be misbehaving and
+ * session will be closed. The default value is 8.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
+ size_t val);
+
+/**
+ * @function
+ *
* Sets |user_data| to |session|, overwriting the existing user data
* specified in `nghttp2_session_client_new()`, or
* `nghttp2_session_server_new()`.
Index: nghttp2-1.52.0/lib/nghttp2_option.c
===================================================================
--- nghttp2-1.52.0.orig/lib/nghttp2_option.c
+++ nghttp2-1.52.0/lib/nghttp2_option.c
@@ -143,3 +143,8 @@ void nghttp2_option_set_no_rfc9113_leadi
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION;
option->no_rfc9113_leading_and_trailing_ws_validation = val;
}
+
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
+ option->max_continuations = val;
+}
Index: nghttp2-1.52.0/lib/nghttp2_option.h
===================================================================
--- nghttp2-1.52.0.orig/lib/nghttp2_option.h
+++ nghttp2-1.52.0/lib/nghttp2_option.h
@@ -70,6 +70,7 @@ typedef enum {
NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
} nghttp2_option_flag;
/**
@@ -93,6 +94,10 @@ struct nghttp2_option {
*/
size_t max_settings;
/**
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
+ */
+ size_t max_continuations;
+ /**
* Bitwise OR of nghttp2_option_flag to determine that which fields
* are specified.
*/
Index: nghttp2-1.52.0/lib/nghttp2_session.c
===================================================================
--- nghttp2-1.52.0.orig/lib/nghttp2_session.c
+++ nghttp2-1.52.0/lib/nghttp2_session.c
@@ -574,6 +574,10 @@ static int session_new(nghttp2_session *
(*session_ptr)->opt_flags |=
NGHTTP2_OPTMASK_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION;
}
+
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
+ (*session_ptr)->max_continuations = option->max_continuations;
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,

File diff suppressed because it is too large Load Diff

64
nghttp2.keyring Normal file

@ -0,0 +1,64 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=Rw9e
-----END PGP PUBLIC KEY BLOCK-----
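Review bot: This keyring becomes the trust anchor for the `nghttp2-1.64.0.tar.xz.asc` signature, but nothing visible on the page records where the key material came from or which fingerprint(s) it holds. Recording the signer fingerprint(s) in the changelog entry or in a spec comment beside `Source2: nghttp2.keyring` would let a later reviewer confirm that it matches the upstream maintainer's published release key and that no unexpected extra keys are bundled. The spec's `%prep` shows no explicit signature check, so verification presumably relies on the build service's source validation; it is worth confirming that this check actually runs for the package.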


@ -1,7 +1,7 @@
#
# spec file for package nghttp2
#
# Copyright (c) 2022 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -18,31 +18,25 @@
%global soname libnghttp2
%global sover 14
%global soname_asio libnghttp2_asio
%global sover_asio 1
%global flavor @BUILD_FLAVOR@%{nil}
# libnghttp2_asio has been deprecated in this repository due to maintenance
# issue and will be removed at the end of 2022
%bcond_with asio
Name: nghttp2
Version: 1.52.0
Version: 1.64.0
Release: 0
Summary: Implementation of Hypertext Transfer Protocol version 2 in C
License: MIT
Group: Development/Libraries/C and C++
URL: https://nghttp2.org/
Source: https://github.com/nghttp2/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
Source1: baselibs.conf
# CVE-2023-35945 [bsc#1215713], Fixes leak memory
Patch0: nghttp2-CVE-2023-35945.patch
# CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Patch1: nghttp2-CVE-2024-28182-1.patch
# CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Patch2: nghttp2-CVE-2024-28182-2.patch
BuildRequires: autoconf
BuildRequires: automake
Source0: https://github.com/nghttp2/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
Source1: https://github.com/nghttp2/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz.asc
Source2: nghttp2.keyring
Source3: baselibs.conf
%if 0%{?suse_version} && 0%{?suse_version} == 1500
BuildRequires: gcc13-c++
%else
BuildRequires: gcc-c++
BuildRequires: libtool
%endif
BuildRequires: libboost_system-devel
BuildRequires: libboost_thread-devel
BuildRequires: pkgconfig
BuildRequires: python-rpm-macros
BuildRequires: pkgconfig(cunit)
@ -52,19 +46,11 @@ BuildRequires: pkgconfig(libev)
BuildRequires: pkgconfig(liblzma)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libxml-2.0)
BuildRequires: pkgconfig(openssl)
BuildRequires: pkgconfig(openssl) >= 1.1.1
BuildRequires: pkgconfig(zlib)
%ifnarch ppc %{arm}
%if 0%{?sle_version} >= 150000 && 0%{?is_opensuse}
BuildRequires: pkgconfig(jemalloc)
%endif
%endif
%if 0%{?suse_version} > 1325
BuildRequires: libboost_system-devel
BuildRequires: libboost_thread-devel
%else
BuildRequires: boost-devel
%endif
%description
This is an implementation of Hypertext Transfer Protocol version 2.
@ -83,14 +69,6 @@ Group: System/Libraries
Shared C libraries for implementation of Hypertext Transfer Protocol
version 2.
%package -n %{soname_asio}%{sover_asio}
Summary: Shared library for nghttp2
Group: System/Libraries
%description -n %{soname_asio}%{sover_asio}
Shared libraries for asynchronous implementation of Hypertext Transfer
Protocol version 2.
%package -n python3-nghttp2
Summary: Python3 bindings for nghttp2
Group: Development/Libraries/Python
@ -103,21 +81,12 @@ Python bindings for implementation of Hypertext Transfer Protocol version
Summary: Development files for nghttp2
Group: Development/Languages/C and C++
Requires: %{soname}-%{sover} = %{version}
Provides: %{name}-devel
Provides: %{name}-devel = %{version}
%description -n %{soname}-devel
Development files for usage with libnghttp2, which implements
Hypertext Transfer Protocol version 2.
%package -n %{soname_asio}-devel
Summary: Development files for nghttp2
Group: Development/Languages/C and C++
Requires: %{soname_asio}%{sover_asio} = %{version}
%description -n %{soname_asio}-devel
Development files for usage with libnghttp2_aio, which implements
asynchronous Hypertext Transfer Protocol version 2.
%package doc
Summary: Documentation for nghttp2
Group: Documentation/HTML
@ -129,15 +98,14 @@ HTTP/2 client, server and proxy.
%prep
%autosetup -p1 -n nghttp2-%{version}
# fix python shebang
sed -i -e 's:#!%{_bindir}/env python:#!%{_bindir}/python3:g' script/fetch-ocsp-response
%build
autoreconf -fiv
%if 0%{?suse_version} && 0%{?suse_version} == 1500
export CC=/usr/bin/gcc-13
export CXX=/usr/bin/g++-13
%endif
%configure \
--disable-static \
--disable-silent-rules \
%{?with_asio:--enable-asio-lib} %{!?with_asio: --disable-asio-lib} \
--enable-app \
%{nil}
%make_build all
@ -146,24 +114,25 @@ autoreconf -fiv
%make_install
find %{buildroot} -type f -name "*.la" -delete -print
# Do not ship theis
# Do not ship this
rm -rf %{buildroot}%{_datadir}/doc/nghttp2
# None of applications using these man pages are built.
rm -rf %{buildroot}%{_mandir}/man1/* \
doc/manual/html/.buildinfo
%check
# One test fails if python-sphinx is not present
%make_build check ||:
%post -n %{soname}-%{sover} -p /sbin/ldconfig
%postun -n %{soname}-%{sover} -p /sbin/ldconfig
%if %{with asio}
%post -n %{soname_asio}%{sover_asio} -p /sbin/ldconfig
%postun -n %{soname_asio}%{sover_asio} -p /sbin/ldconfig
# https://build.opensuse.org/request/show/1212476
%if %{suse_version} >= 1600
%python3_fix_shebang_path %{buildroot}%{_datadir}/%{name}/fetch-ocsp-response
%endif
%check
%make_build check
%ldconfig_scriptlets -n %{soname}-%{sover}
%files
%{_bindir}/deflatehd
%{_bindir}/inflatehd
@ -183,16 +152,4 @@ rm -rf %{buildroot}%{_mandir}/man1/* \
%{_libdir}/%{soname}.so
%{_libdir}/pkgconfig/%{soname}.pc
%if %{with asio}
%files -n %{soname_asio}%{sover_asio}
%license COPYING
%{_libdir}/%{soname_asio}.so.%{sover_asio}*
%files -n %{soname_asio}-devel
%dir %{_includedir}/%{name}/
%{_includedir}/%{name}/asio_http2*.h
%{_libdir}/%{soname_asio}.so
%{_libdir}/pkgconfig/%{soname_asio}.pc
%endif
%changelog
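Review bot: The `Patch0`–`Patch2` entries for CVE-2023-35945 and CVE-2024-28182 disappear in the first hunk and the spec keeps no trace of why, so the only record that 1.64.0 already carries those fixes would be the changelog, whose diff is suppressed on this page. Before relying on the version bump, confirm that the new tarball contains upstream commits ce385d3f55, 00201ecd8f and d71a4668c6 (the `From` lines of the removed patch files), and that the .changes entry keeps the CVE and bsc# references so vulnerability tracking still maps them to this package. Separately, the `%if %{suse_version} >= 1600` guarding `%python3_fix_shebang_path` (it appears to be on the new side) is unguarded, unlike the `0%{?suse_version}` form used earlier in the file. Writing it as `%if 0%{?suse_version} >= 1600` keeps the conditional parseable where the macro is undefined.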