Bugzilla – Bug 1097401
VUL-0: CVE-2018-1000168: nodejs8: nghttp2: ALTSVC frame client side DoS
Last modified: 2020-07-02 13:05:41 UTC
nodejs8 embeds nghttp2 (is this necessary?) +++ This bug was initially created as a clone of Bug #1088639 +++ From: Tatsuhiro Tsujikawa via distros nghttp2 is a C library which implements HTTP/2. The denial of service vulnerability was reported, and I, as a maintainer of the project, confirmed it. The detailed description of vulnerability is attached below. The planned release date of fix and disclosure is April, 12. """ ### Vulnerability If ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer, and gets segmentation fault. ALTSVC frame is defined by RFC 7838. The largest frame size libnghttp2 accept is by default 16384 bytes. Receiving ALTSVC frame is disabled by default. Application has to enable it explicitly by calling `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`. Transmission of ALTSVC is always enabled, and it does not cause this vulnerability. ALTSVC frame is expected to be sent by server, and received by client as defined in RFC 7838. Client and server are both affected by this vulnerability if the reception of ALTSVC frame is enabled. As written earlier, it is useless to enable reception of ALTSVC frame on server side. So, server is generally safe unless application accidentally enabled the reception of ALTSVC frame. ### Affected Versions * Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0 * Not affected versions: nghttp2 >= 1.31.1 ### The Solution Upgrade to nghttp2 v1.31.1. If the upgrade cannot be possible: For client, disable ALTSVC, removing the call to `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)` For server, because it is never expected to receive ALTSVC, just remove `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.
(In reply to Marcus Meissner from comment #0) > nodejs8 embeds nghttp2 (is this necessary?) I'll removed this bundling for SLE-15 in the security update, which means that this bug should now be fixed in the nghttp2 library only.
This is an autogenerated message for OBS integration: This bug (1097401) was mentioned in https://build.opensuse.org/request/show/617096 Factory / nodejs8
SUSE-SU-2018:1918-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1091764,1097375,1097401,1097404 CVE References: CVE-2018-1000168,CVE-2018-7161,CVE-2018-7167 Sources used: SUSE Linux Enterprise Module for Web Scripting 15 (src): nodejs8-8.11.3-3.5.1
openSUSE-SU-2018:1963-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 1091764,1097375,1097401,1097404 CVE References: CVE-2018-1000168,CVE-2018-7161,CVE-2018-7167 Sources used: openSUSE Leap 15.0 (src): nodejs8-8.11.3-lp150.2.3.1
This is an autogenerated message for OBS integration: This bug (1097401) was mentioned in https://build.opensuse.org/request/show/636889 42.3+Backports:SLE-12 / nodejs8
This is an autogenerated message for OBS integration: This bug (1097401) was mentioned in https://build.opensuse.org/request/show/642571 42.3+Backports:SLE-12 / nodejs8
This is an autogenerated message for OBS integration: This bug (1097401) was mentioned in https://build.opensuse.org/request/show/643179 42.3 / nodejs10
This is an autogenerated message for OBS integration: This bug (1097401) was mentioned in https://build.opensuse.org/request/show/649577 Backports:SLE-12-SP2 / nodejs8
SUSE-SU-2019:14246-1: An update that fixes 118 vulnerabilities is now available. Category: security (important) Bug References: 1000036,1001652,1025108,1029377,1029902,1040164,104105,1042670,1043008,1044946,1047925,1047936,1048299,1049186,1050653,1056058,1058013,1066242,1066953,1070738,1070853,1072320,1072322,1073796,1073798,1073799,1073803,1073808,1073818,1073823,1073829,1073830,1073832,1073846,1074235,1077230,1079761,1081750,1082318,1087453,1087459,1087463,1088573,1091764,1094814,1097158,1097375,1097401,1097404,1097748,1104841,1105019,1107030,1109465,1117473,1117626,1117627,1117629,1117630,1120644,1122191,1123482,1124525,1127532,1129346,1130694,1130840,1133452,1133810,1134209,1138459,1140290,1140868,1141853,1144919,1145665,1146090,1146091,1146093,1146094,1146095,1146097,1146099,1146100,1149323,1153423,1154738,1447070,1447409,744625,744629,845955,865853,905528,917607,935856,937414,947747,948045,948602,955142,957814,957815,961254,962297,966076,966077,985201,986541,991344,998743 CVE References: CVE-2013-2882,CVE-2013-6639,CVE-2013-6640,CVE-2013-6668,CVE-2014-0224,CVE-2015-3193,CVE-2015-3194,CVE-2015-5380,CVE-2015-7384,CVE-2016-2086,CVE-2016-2178,CVE-2016-2183,CVE-2016-2216,CVE-2016-5172,CVE-2016-5325,CVE-2016-6304,CVE-2016-6306,CVE-2016-7052,CVE-2016-7099,CVE-2017-1000381,CVE-2017-10686,CVE-2017-11111,CVE-2017-11499,CVE-2017-14228,CVE-2017-14849,CVE-2017-14919,CVE-2017-15896,CVE-2017-15897,CVE-2017-17810,CVE-2017-17811,CVE-2017-17812,CVE-2017-17813,CVE-2017-17814,CVE-2017-17815,CVE-2017-17816,CVE-2017-17817,CVE-2017-17818,CVE-2017-17819,CVE-2017-17820,CVE-2017-18207,CVE-2017-3735,CVE-2017-3736,CVE-2017-3738,CVE-2018-0732,CVE-2018-1000168,CVE-2018-12115,CVE-2018-12116,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-20406,CVE-2018-20852,CVE-2018-7158,CVE-2018-7159,CVE-2018-7160,CVE-2018-7161,CVE-2018-7167,CVE-2019-10160,CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11718,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-11757,CVE-2019-11758,CVE-2019-11759,CVE-2019-11760,CVE-2019-11761,CVE-2019-11762,CVE-2019-11763,CVE-2019-11764,CVE-2019-13173,CVE-2019-15903,CVE-2019-5010,CVE-2019-5737,CVE-2019-9511,CVE-2019-9512,CVE-2019-9513,CVE-2019-9514,CVE-2019-9515,CVE-2019-9516,CVE-2019-9517,CVE-2019-9518,CVE-2019-9636,CVE-2019-9811,CVE-2019-9812,CVE-2019-9947 Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, firefox-atk-2.26.1-2.8.4, firefox-cairo-1.15.10-2.13.4, firefox-gcc5-5.3.1+r233831-14.1, firefox-gcc8-8.2.1+r264010-2.5.1, firefox-gdk-pixbuf-2.36.11-2.8.4, firefox-glib2-2.54.3-2.14.7, firefox-gtk3-3.10.9-2.15.3, firefox-harfbuzz-1.7.5-2.7.4, firefox-libffi-3.2.1.git259-2.3.3, firefox-libffi-gcc5-5.3.1+r233831-14.1, firefox-pango-1.40.14-2.7.4, mozilla-nspr-4.21-29.6.1, mozilla-nss-3.45-38.9.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.