Bugzilla – Bug 1088639
VUL-0: CVE-2018-1000168: nghttp2: ALTSVC frame client side DoS
Last modified: 2021-03-24 19:00:56 UTC
From: Tatsuhiro Tsujikawa via distros nghttp2 is a C library which implements HTTP/2. The denial of service vulnerability was reported, and I, as a maintainer of the project, confirmed it. The detailed description of vulnerability is attached below. The planned release date of fix and disclosure is April, 12. """ ### Vulnerability If ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer, and gets segmentation fault. ALTSVC frame is defined by RFC 7838. The largest frame size libnghttp2 accept is by default 16384 bytes. Receiving ALTSVC frame is disabled by default. Application has to enable it explicitly by calling `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`. Transmission of ALTSVC is always enabled, and it does not cause this vulnerability. ALTSVC frame is expected to be sent by server, and received by client as defined in RFC 7838. Client and server are both affected by this vulnerability if the reception of ALTSVC frame is enabled. As written earlier, it is useless to enable reception of ALTSVC frame on server side. So, server is generally safe unless application accidentally enabled the reception of ALTSVC frame. ### Affected Versions * Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0 * Not affected versions: nghttp2 >= 1.31.1 ### The Solution Upgrade to nghttp2 v1.31.1. If the upgrade cannot be possible: For client, disable ALTSVC, removing the call to `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)` For server, because it is never expected to receive ALTSVC, just remove `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.
Factory and SLE 15 affected. CRD: 2018-04-12
(In reply to Johannes Segitz from comment #1) > Factory and SLE 15 affected. > > CRD: 2018-04-12 Since both are not protected by US I will do the update on 2018-04-12 after I eat lunch :)
Created attachment 766479 [details] Upstream patch
public
Factory and SLE-15 submissions sent.
This is an autogenerated message for OBS integration: This bug (1088639) was mentioned in https://build.opensuse.org/request/show/596227 Factory / nghttp2
done
SUSE-SU-2021:0932-1: An update that solves 5 vulnerabilities and has 6 fixes is now available. Category: security (important) Bug References: 1082318,1088639,1112438,1125689,1134616,1146182,1146184,1181358,962914,964140,966514 CVE References: CVE-2016-1544,CVE-2018-1000168,CVE-2019-9511,CVE-2019-9513,CVE-2020-11080 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): nghttp2-1.39.2-3.5.1 SUSE OpenStack Cloud Crowbar 8 (src): nghttp2-1.39.2-3.5.1 SUSE OpenStack Cloud 9 (src): nghttp2-1.39.2-3.5.1 SUSE OpenStack Cloud 8 (src): nghttp2-1.39.2-3.5.1 SUSE OpenStack Cloud 7 (src): nghttp2-1.39.2-3.5.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): nghttp2-1.39.2-3.5.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): nghttp2-1.39.2-3.5.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): nghttp2-1.39.2-3.5.1 SUSE Linux Enterprise Server 12-SP5 (src): nghttp2-1.39.2-3.5.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): nghttp2-1.39.2-3.5.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): nghttp2-1.39.2-3.5.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): nghttp2-1.39.2-3.5.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): nghttp2-1.39.2-3.5.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): nghttp2-1.39.2-3.5.1 HPE Helion Openstack 8 (src): nghttp2-1.39.2-3.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.