Bug 1565035 (CVE-2018-1000168)

Summary: CVE-2018-1000168 nghttp2: Null pointer dereference when too large ALTSVC frame is received
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: csutherl, gzaronik, hhorak, jclere, jorton, kdudka, luhliari, mbabacek, mturk, security-response-team, twalsh, zsvetlik
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nghttp2 1.31.1
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-06-10 10:19:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1566989, 1566990, 1566991
Bug Blocks: 1565488
Attachments: Upstream patch (flags: none)

Description Adam Mariš 2018-04-09 08:25:21 UTC
If an ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to the ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer and gets a segmentation fault. The largest frame size libnghttp2 accepts is by default 16384 bytes.

Receiving ALTSVC frames is disabled by default. The application has to enable it explicitly by calling `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.

Transmission of ALTSVC is always enabled, and it does not cause this vulnerability. An ALTSVC frame is expected to be sent by the server and received by the client, as defined in RFC 7838.

Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0
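As an added example, not code from the report or from nghttp2: a client-side gate that keeps ALTSVC reception disabled on builds in the affected range (1.10.0 through 1.31.0), using the same packing as nghttp2's NGHTTP2_VERSION_NUM. The version-string parser stands in for reading `nghttp2_version(0)->version_str`, so the example runs without libnghttp2 linked; the function names `nghttp2_version_num_from_str` and `altsvc_recv_safe` are this example's own.

```c
/* Added example (not from the bug report or from nghttp2): decide whether it
 * is safe to opt a client into ALTSVC reception on a given libnghttp2 build.
 * Affected range per the report: 1.10.0 <= version <= 1.31.0.
 * In real code you would pass nghttp2_version(0)->version_str and, only on a
 * safe build, call nghttp2_option_set_builtin_recv_extension_type(opt,
 * NGHTTP2_ALTSVC). */
#include <stdio.h>

/* Pack "MAJOR.MINOR.PATCH" the way nghttp2ver.h encodes NGHTTP2_VERSION_NUM:
 * (major << 16) | (minor << 8) | patch, e.g. 1.31.1 -> 0x011f01.
 * Returns -1 on malformed input (missing component, trailing junk, overflow). */
long nghttp2_version_num_from_str(const char *s)
{
    unsigned major, minor, patch;
    char tail;
    if (!s || sscanf(s, "%u.%u.%u%c", &major, &minor, &patch, &tail) != 3)
        return -1;
    if (major > 255 || minor > 255 || patch > 255)
        return -1;
    return (long)((major << 16) | (minor << 8) | patch);
}

/* 1 if ALTSVC reception may be enabled, 0 if the build is in the affected
 * range, -1 if the version could not be parsed (callers treat -1 as unsafe). */
int altsvc_recv_safe(const char *version_str)
{
    long v = nghttp2_version_num_from_str(version_str);
    const long first_bad = (1 << 16) | (10 << 8) | 0; /* 1.10.0 */
    const long last_bad  = (1 << 16) | (31 << 8) | 0; /* 1.31.0 */
    if (v < 0)
        return -1;
    return (v >= first_bad && v <= last_bad) ? 0 : 1;
}

int main(void)
{
    /* Constructed sample version strings covering both sides of the range. */
    const char *builds[] = { "1.9.2", "1.10.0", "1.31.0", "1.31.1", "1.31" };
    for (size_t i = 0; i < sizeof builds / sizeof builds[0]; i++)
        printf("%-8s -> %s\n", builds[i],
               altsvc_recv_safe(builds[i]) == 1
                   ? "may enable NGHTTP2_ALTSVC reception"
                   : "leave ALTSVC reception disabled");
    return 0;
}
```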

Comment 1 Adam Mariš 2018-04-09 08:25:23 UTC
Acknowledgments:

Name: the Nghttp2 project

Comment 2 Adam Mariš 2018-04-10 06:29:05 UTC
Created attachment 1419700 [details]
Upstream patch

Comment 3 Stefan Cornelius 2018-04-12 11:30:25 UTC
Although rh-nodejs8-nodejs includes nghttp2, it is not affected: support for the ALTSVC frame was added in 9.4.0 via https://github.com/nodejs/node/commit/ce22d6f9178507c7a41b04ac4097b9ea902049e3#diff-8d67cefebb5e07f8f3cad3c90c402bb2

Comment 4 Stefan Cornelius 2018-04-13 09:31:56 UTC
Public via:
http://www.openwall.com/lists/oss-security/2018/04/12/4

Comment 5 Stefan Cornelius 2018-04-13 09:32:25 UTC
Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1566990]
Affects: epel-7 [bug 1566989]

Comment 8 errata-xmlrpc 2019-02-18 16:55:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:0366 https://access.redhat.com/errata/RHSA-2019:0366

Comment 9 errata-xmlrpc 2019-02-18 16:58:31 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2019:0367 https://access.redhat.com/errata/RHSA-2019:0367