Sync from SUSE:SLFO:Main nghttp2 revision 09f9e1a9740a265f91c767c467f42cf3

2024-05-03 17:02:25 +02:00 · 2024-05-03 17:02:25 +02:00 · adf7b273e1
commit adf7b273e1
6 changed files with 1869 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/baselibs.conf
+++ b/baselibs.conf
@ -0,0 +1,2 @@
+libnghttp2-14
+libnghttp2_asio1
--- a/nghttp2-1.52.0.tar.xz
+++ b/nghttp2-1.52.0.tar.xz
--- a/nghttp2-CVE-2023-35945.patch
+++ b/nghttp2-CVE-2023-35945.patch
@ -0,0 +1,146 @@
+From ce385d3f55a4b76da976b3bdf71fe2deddf315ba Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Fri, 14 Jul 2023 20:52:03 +0900
+Subject: [PATCH] Fix memory leak
+
+This commit fixes memory leak that happens when PUSH_PROMISE or
+HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback
+fails with a fatal error.  For example, if GOAWAY frame has been
+received, a HEADERS frame that opens new stream cannot be sent.
+
+This issue has already been made public via CVE-2023-35945 [1] issued
+by envoyproxy/envoy project.  During embargo period, the patch to fix
+this bug was accidentally submitted to nghttp2/nghttp2 repository [2].
+And they decided to disclose CVE early.  I was notified just 1.5 hours
+before disclosure.  I had no time to respond.
+
+PoC described in [1] is quite simple, but I think it is not enough to
+trigger this bug.  While it is true that receiving GOAWAY prevents a
+client from opening new stream, and nghttp2 enters error handling
+branch, in order to cause the memory leak,
+nghttp2_session_close_stream function must return a fatal error.
+nghttp2 defines 2 fatal error codes:
+
+- NGHTTP2_ERR_NOMEM
+- NGHTTP2_ERR_CALLBACK_FAILURE
+
+NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory.  It
+is unlikely that a process gets short of memory with this simple PoC
+scenario unless application does something memory heavy processing.
+
+NGHTTP2_ERR_CALLBACK_FAILURE is returned from application defined
+callback function (nghttp2_on_stream_close_callback, in this case),
+which indicates something fatal happened inside a callback, and a
+connection must be closed immediately without any further action.  As
+nghttp2_on_stream_close_error_callback documentation says, any error
+code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal
+error code.  More specifically, it is treated as if
+NGHTTP2_ERR_CALLBACK_FAILURE is returned.  I guess that envoy returns
+NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is translated
+into NGHTTP2_ERR_CALLBACK_FAILURE.
+
+[1] https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
+[2] https://github.com/nghttp2/nghttp2/pull/1929
+---
+ lib/nghttp2_session.c        | 10 +++++-----
+ tests/nghttp2_session_test.c | 34 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 7509ceb5..71858a39 100644
+--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
+@@ -3296,6 +3296,7 @@ static ssize_t nghttp2_session_mem_send_internal(nghttp2_session *session,
+       if (rv < 0) {
+         int32_t opened_stream_id = 0;
+         uint32_t error_code = NGHTTP2_INTERNAL_ERROR;
+        int rv2 = 0;
+ 
+         DEBUGF("send: frame preparation failed with %s\n",
+                nghttp2_strerror(rv));
+@@ -3338,19 +3339,18 @@ static ssize_t nghttp2_session_mem_send_internal(nghttp2_session *session,
+         }
+         if (opened_stream_id) {
+           /* careful not to override rv */
+-          int rv2;
+           rv2 = nghttp2_session_close_stream(session, opened_stream_id,
+                                              error_code);
+-
+-          if (nghttp2_is_fatal(rv2)) {
+-            return rv2;
+-          }
+         }
+ 
+         nghttp2_outbound_item_free(item, mem);
+         nghttp2_mem_free(mem, item);
+         active_outbound_item_reset(aob, mem);
+ 
+        if (nghttp2_is_fatal(rv2)) {
+          return rv2;
+        }
+
+         if (rv == NGHTTP2_ERR_HEADER_COMP) {
+           /* If header compression error occurred, should terminiate
+              connection. */
+diff --git a/tests/nghttp2_session_test.c b/tests/nghttp2_session_test.c
+index b55ff534..74352426 100644
+--- a/tests/nghttp2_session_test.c
+++ b/tests/nghttp2_session_test.c
+@@ -584,6 +584,15 @@ static int on_stream_close_callback(nghttp2_session *session, int32_t stream_id,
+   return 0;
+ }
+ 
+static int fatal_error_on_stream_close_callback(nghttp2_session *session,
+                                                int32_t stream_id,
+                                                uint32_t error_code,
+                                                void *user_data) {
+  on_stream_close_callback(session, stream_id, error_code, user_data);
+
+  return NGHTTP2_ERR_CALLBACK_FAILURE;
+}
+
+ static ssize_t pack_extension_callback(nghttp2_session *session, uint8_t *buf,
+                                        size_t len, const nghttp2_frame *frame,
+                                        void *user_data) {
+@@ -4296,6 +4305,8 @@ void test_nghttp2_session_on_goaway_received(void) {
+   nghttp2_frame frame;
+   int i;
+   nghttp2_mem *mem;
+  const uint8_t *data;
+  ssize_t datalen;
+ 
+   mem = nghttp2_mem_default();
+   user_data.frame_recv_cb_called = 0;
+@@ -4337,6 +4348,29 @@ void test_nghttp2_session_on_goaway_received(void) {
+ 
+   nghttp2_frame_goaway_free(&frame.goaway, mem);
+   nghttp2_session_del(session);
+
+  /* Make sure that no memory leak when stream_close callback fails
+     with a fatal error */
+  memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
+  callbacks.on_stream_close_callback = fatal_error_on_stream_close_callback;
+
+  memset(&user_data, 0, sizeof(user_data));
+
+  nghttp2_session_client_new(&session, &callbacks, &user_data);
+
+  nghttp2_frame_goaway_init(&frame.goaway, 0, NGHTTP2_NO_ERROR, NULL, 0);
+
+  CU_ASSERT(0 == nghttp2_session_on_goaway_received(session, &frame));
+
+  nghttp2_submit_request(session, NULL, reqnv, ARRLEN(reqnv), NULL, NULL);
+
+  datalen = nghttp2_session_mem_send(session, &data);
+
+  CU_ASSERT(NGHTTP2_ERR_CALLBACK_FAILURE == datalen);
+  CU_ASSERT(1 == user_data.stream_close_cb_called);
+
+  nghttp2_frame_goaway_free(&frame.goaway, mem);
+  nghttp2_session_del(session);
+ }
+ 
+ void test_nghttp2_session_on_window_update_received(void) {
+-- 
+2.35.3
+
--- a/nghttp2.changes
+++ b/nghttp2.changes
--- a/nghttp2.spec
+++ b/nghttp2.spec
@ -0,0 +1,194 @@
+#
+# spec file for package nghttp2
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global soname  libnghttp2
+%global sover   14
+%global soname_asio libnghttp2_asio
+%global sover_asio 1
+%global flavor @BUILD_FLAVOR@%{nil}
+# libnghttp2_asio has been deprecated in this repository due to maintenance
+# issue and will be removed at the end of 2022
+%bcond_with asio
+Name:           nghttp2
+Version:        1.52.0
+Release:        0
+Summary:        Implementation of Hypertext Transfer Protocol version 2 in C
+License:        MIT
+Group:          Development/Libraries/C and C++
+URL:            https://nghttp2.org/
+Source:         https://github.com/nghttp2/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz
+Source1:        baselibs.conf
+# CVE-2023-35945 [bsc#1215713], Fixes leak memory
+Patch0:         nghttp2-CVE-2023-35945.patch
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gcc-c++
+BuildRequires:  libtool
+BuildRequires:  pkgconfig
+BuildRequires:  python-rpm-macros
+BuildRequires:  pkgconfig(cunit)
+BuildRequires:  pkgconfig(jansson)
+BuildRequires:  pkgconfig(libcares)
+BuildRequires:  pkgconfig(libev)
+BuildRequires:  pkgconfig(liblzma)
+BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  pkgconfig(libxml-2.0)
+BuildRequires:  pkgconfig(openssl)
+BuildRequires:  pkgconfig(zlib)
+%ifnarch ppc %{arm}
+%if 0%{?sle_version} >= 150000 && 0%{?is_opensuse}
+BuildRequires:  pkgconfig(jemalloc)
+%endif
+%endif
+%if 0%{?suse_version} > 1325
+BuildRequires:  libboost_system-devel
+BuildRequires:  libboost_thread-devel
+%else
+BuildRequires:  boost-devel
+%endif
+
+%description
+This is an implementation of Hypertext Transfer Protocol version 2.
+
+The framing layer of HTTP/2 is implemented as a form of reusable C library.
+On top of that, we have implemented HTTP/2 client, server and proxy. We
+have also developed load test and benchmarking tool for HTTP/2.
+
+HPACK encoder and decoder are available as public API.
+
+%package -n %{soname}-%{sover}
+Summary:        Shared library for nghttp2
+Group:          System/Libraries
+
+%description -n %{soname}-%{sover}
+Shared C libraries for implementation of Hypertext Transfer Protocol
+version 2.
+
+%package -n %{soname_asio}%{sover_asio}
+Summary:        Shared library for nghttp2
+Group:          System/Libraries
+
+%description -n %{soname_asio}%{sover_asio}
+Shared libraries for asynchronous implementation of Hypertext Transfer
+Protocol version 2.
+
+%package -n python3-nghttp2
+Summary:        Python3 bindings for nghttp2
+Group:          Development/Libraries/Python
+
+%description -n python3-nghttp2
+Python bindings for implementation of Hypertext Transfer Protocol version
+2.
+
+%package -n %{soname}-devel
+Summary:        Development files for nghttp2
+Group:          Development/Languages/C and C++
+Requires:       %{soname}-%{sover} = %{version}
+Provides:       %{name}-devel
+
+%description -n %{soname}-devel
+Development files for usage with libnghttp2, which implements
+Hypertext Transfer Protocol version 2.
+
+%package -n %{soname_asio}-devel
+Summary:        Development files for nghttp2
+Group:          Development/Languages/C and C++
+Requires:       %{soname_asio}%{sover_asio} = %{version}
+
+%description -n %{soname_asio}-devel
+Development files for usage with libnghttp2_aio, which implements
+asynchronous Hypertext Transfer Protocol version 2.
+
+%package doc
+Summary:        Documentation for nghttp2
+Group:          Documentation/HTML
+
+%description doc
+Documentation for nghttp2, which includes a shared C library,
+HTTP/2 client, server and proxy.
+
+%prep
+%setup -q -n nghttp2-%{version}
+%patch0 -p1
+# fix python shebang
+sed -i -e 's:#!%{_bindir}/env python:#!%{_bindir}/python3:g' script/fetch-ocsp-response
+
+%build
+autoreconf -fiv
+%configure \
+  --disable-static        \
+  --disable-silent-rules  \
+  %{?with_asio:--enable-asio-lib} %{!?with_asio: --disable-asio-lib} \
+  --enable-app            \
+  %{nil}
+%make_build all
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+
+# Do not ship theis
+rm -rf %{buildroot}%{_datadir}/doc/nghttp2
+
+# None of applications using these man pages are built.
+rm -rf %{buildroot}%{_mandir}/man1/* \
+  doc/manual/html/.buildinfo
+
+%check
+# One test fails if python-sphinx is not present
+%make_build check ||:
+
+%post -n %{soname}-%{sover} -p /sbin/ldconfig
+%postun -n %{soname}-%{sover} -p /sbin/ldconfig
+%if %{with asio}
+%post -n %{soname_asio}%{sover_asio} -p /sbin/ldconfig
+%postun -n %{soname_asio}%{sover_asio} -p /sbin/ldconfig
+%endif
+
+%files
+%{_bindir}/deflatehd
+%{_bindir}/inflatehd
+%{_bindir}/h2load
+%{_bindir}/nghttp
+%{_bindir}/nghttpd
+%{_bindir}/nghttpx
+%{_datadir}/%{name}/
+
+%files -n %{soname}-%{sover}
+%license COPYING
+%{_libdir}/%{soname}.so.%{sover}*
+
+%files -n %{soname}-devel
+%dir %{_includedir}/%{name}/
+%{_includedir}/%{name}/%{name}*.h
+%{_libdir}/%{soname}.so
+%{_libdir}/pkgconfig/%{soname}.pc
+
+%if %{with asio}
+%files -n %{soname_asio}%{sover_asio}
+%license COPYING
+%{_libdir}/%{soname_asio}.so.%{sover_asio}*
+
+%files -n %{soname_asio}-devel
+%dir %{_includedir}/%{name}/
+%{_includedir}/%{name}/asio_http2*.h
+%{_libdir}/%{soname_asio}.so
+%{_libdir}/pkgconfig/%{soname_asio}.pc
+%endif
+
+%changelog