Bug 1565035 - (CVE-2018-1000168) CVE-2018-1000168 nghttp2: Null pointer dereference when too large ALTSVC frame is received
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20180412,repor...
Keywords: Reopened, Security
Depends On: 1566991 1566989 1566990
Blocks: 1565488
Reported: 2018-04-09 04:25 EDT by Adam Mariš
Modified: 2018-04-24 00:38 EDT (History)
Fixed In Version: nghttp2 1.31.1
Last Closed: 2018-04-13 05:31:56 EDT
Attachments (Terms of Use)
Upstream patch (1.99 KB, patch)
2018-04-10 02:29 EDT, Adam Mariš
Description Adam Mariš 2018-04-09 04:25:21 EDT
If an ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to the ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer and gets a segmentation fault. The largest frame size libnghttp2 accepts is by default 16384 bytes.

Receiving ALTSVC frames is disabled by default. The application has to enable it explicitly by calling `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.

Transmission of ALTSVC is always enabled, and it does not cause this vulnerability. ALTSVC frames are expected to be sent by a server and received by a client, as defined in RFC 7838.

Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0
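The frame-size check that the report's crash hinges on, as an added example that is not nghttp2's own code: a minimal ALTSVC frame parser (RFC 7838 payload layout, 16384-byte default limit from the report) that rejects an over-sized frame before any payload pointer is formed, so nothing downstream can dereference a NULL payload. `parse_altsvc`, `altsvc_t`, the error codes and the two sample frames are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* HTTP/2 frame header: 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id. */
#define FRAME_HDR_LEN 9
#define FRAME_TYPE_ALTSVC 0x0a        /* RFC 7838 section 4 */
#define DEFAULT_MAX_FRAME_SIZE 16384  /* SETTINGS_MAX_FRAME_SIZE default, as in the report */

enum altsvc_rc { ALTSVC_OK = 0, ALTSVC_ERR_SHORT = -1, ALTSVC_ERR_TYPE = -2,
                 ALTSVC_ERR_FRAME_SIZE = -3, ALTSVC_ERR_PAYLOAD = -4 };

typedef struct {
    const uint8_t *origin;       /* points into the caller's buffer; NULL until validated */
    size_t origin_len;
    const uint8_t *field_value;  /* Alt-Svc-Field-Value, NULL until validated */
    size_t field_value_len;
} altsvc_t;

/* Parse one ALTSVC frame. The declared length is checked against the limit
 * before the payload is touched; an over-sized frame yields an error (the
 * equivalent of a FRAME_SIZE_ERROR) and every pointer in *out stays NULL. */
int parse_altsvc(const uint8_t *buf, size_t len, size_t max_frame_size, altsvc_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < FRAME_HDR_LEN) return ALTSVC_ERR_SHORT;
    size_t payload_len = ((size_t)buf[0] << 16) | ((size_t)buf[1] << 8) | buf[2];
    if (buf[3] != FRAME_TYPE_ALTSVC) return ALTSVC_ERR_TYPE;
    if (payload_len > max_frame_size) return ALTSVC_ERR_FRAME_SIZE;   /* the missing guard */
    if (len - FRAME_HDR_LEN < payload_len) return ALTSVC_ERR_SHORT;   /* truncated frame */
    const uint8_t *p = buf + FRAME_HDR_LEN;
    if (payload_len < 2) return ALTSVC_ERR_PAYLOAD;                   /* need Origin-Len */
    size_t origin_len = ((size_t)p[0] << 8) | p[1];
    if (origin_len > payload_len - 2) return ALTSVC_ERR_PAYLOAD;
    out->origin = p + 2;
    out->origin_len = origin_len;
    out->field_value = p + 2 + origin_len;
    out->field_value_len = payload_len - 2 - origin_len;
    return ALTSVC_OK;
}

/* Constructed sample: well-formed ALTSVC frame on stream 0, origin
 * "https://example.com" (19 bytes) and field value h2=":443" (9 bytes). */
static const uint8_t good_frame[] = {
    0x00, 0x00, 0x1e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00,  /* len=30, type=ALTSVC, stream 0 */
    0x00, 0x13, 'h','t','t','p','s',':','/','/','e','x','a','m','p','l','e','.','c','o','m',
    'h','2','=','"',':','4','4','3','"' };

/* Constructed sample: header only, declaring the maximum 24-bit length. */
static const uint8_t oversized_hdr[] = { 0xff, 0xff, 0xff, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00 };
```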
Comment 1 Adam Mariš 2018-04-09 04:25:23 EDT
Acknowledgments:

Name: the Nghttp2 project
Comment 2 Adam Mariš 2018-04-10 02:29 EDT
Created attachment 1419700 [details]
Upstream patch
Comment 3 Stefan Cornelius 2018-04-12 07:30:25 EDT
Although rh-nodejs8-nodejs includes nghttp2, it is not affected: support for the ALTSVC frame was added in 9.4.0 via https://github.com/nodejs/node/commit/ce22d6f9178507c7a41b04ac4097b9ea902049e3#diff-8d67cefebb5e07f8f3cad3c90c402bb2
Comment 4 Stefan Cornelius 2018-04-13 05:31:56 EDT
Public via:
http://www.openwall.com/lists/oss-security/2018/04/12/4
Comment 5 Stefan Cornelius 2018-04-13 05:32:25 EDT
Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1566990]
Affects: epel-7 [bug 1566989]
