Bug 1565035 (CVE-2018-1000168) - CVE-2018-1000168 nghttp2: Null pointer dereference when too large ALTSVC frame is received
Summary: CVE-2018-1000168 nghttp2: Null pointer dereference when too large ALTSVC frame is received
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1000168
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1566989 1566990 1566991
Blocks: 1565488
Reported: 2018-04-09 08:25 UTC by Adam Mariš
Modified: 2019-09-29 14:35 UTC (History)

Fixed In Version: nghttp2 1.31.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:19:50 UTC


Attachments
Upstream patch (1.99 KB, patch)
2018-04-10 06:29 UTC, Adam Mariš


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0366 None None None 2019-02-18 16:55:52 UTC
Red Hat Product Errata RHSA-2019:0367 None None None 2019-02-18 16:58:32 UTC

Description Adam Mariš 2018-04-09 08:25:21 UTC
If an ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to the ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer, and gets a segmentation fault. The largest frame size libnghttp2 accepts is by default 16384 bytes.

Receiving ALTSVC frames is disabled by default. The application has to enable it explicitly by calling `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.

Transmission of ALTSVC is always enabled, and it does not cause this vulnerability. An ALTSVC frame is expected to be sent by a server and received by a client, as defined in RFC 7838.

Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0
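
The failure mode described above, as an added illustration that is not nghttp2's code and not the upstream patch: a frame reader that ignores any frame above the 16384-byte default limit and leaves its payload pointer NULL, next to an ALTSVC handler that checks for that NULL before decoding the RFC 7838 payload (Origin-Len, Origin, Alt-Svc-Field-Value). The structs, function names and the sample frames are constructed for this example; only the frame-size default, the ALTSVC frame type and the payload layout come from the standards the report cites.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not nghttp2 code. 16384 is the default
   SETTINGS_MAX_FRAME_SIZE (RFC 7540), the limit named in the report. */
#define DEFAULT_MAX_FRAME_SIZE 16384u
#define FRAME_TYPE_ALTSVC 0x0a   /* ALTSVC frame type, RFC 7838 section 4 */
#define FRAME_HEADER_LEN 9

/* Decoded frame header. payload stays NULL whenever the frame is not
   accepted; a later handler must never assume it is set. */
typedef struct {
    uint32_t length;
    uint8_t type;
    uint8_t flags;
    uint32_t stream_id;
    const uint8_t *payload;
} frame_t;

typedef struct {
    const uint8_t *origin;
    size_t origin_len;
    const uint8_t *field_value;
    size_t field_value_len;
} altsvc_t;

/* Parse a 9-byte HTTP/2 frame header. Returns 0 on success, 1 when the
   frame exceeds max_frame_size (payload left NULL, frame to be ignored),
   -1 on a short buffer. */
int read_frame(const uint8_t *buf, size_t buflen, uint32_t max_frame_size,
               frame_t *f)
{
    if (buflen < FRAME_HEADER_LEN)
        return -1;
    f->length = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    f->type = buf[3];
    f->flags = buf[4];
    f->stream_id = (((uint32_t)buf[5] << 24) | ((uint32_t)buf[6] << 16) |
                    ((uint32_t)buf[7] << 8) | buf[8]) & 0x7fffffffu;
    f->payload = NULL;
    if (f->length > max_frame_size)
        return 1;                    /* oversized: payload is never read */
    if (buflen - FRAME_HEADER_LEN < f->length)
        return -1;
    f->payload = buf + FRAME_HEADER_LEN;
    return 0;
}

/* Decode an ALTSVC payload. Returns 0 on success, -1 when there is no
   payload to read (the check whose absence causes the NULL dereference),
   -2 on a wrong frame type, -3 on a malformed payload. */
int handle_altsvc(const frame_t *f, altsvc_t *out)
{
    size_t origin_len;

    if (f->type != FRAME_TYPE_ALTSVC)
        return -2;
    if (f->payload == NULL)
        return -1;
    if (f->length < 2)
        return -3;
    origin_len = ((size_t)f->payload[0] << 8) | f->payload[1];
    if (origin_len > f->length - 2)
        return -3;
    out->origin = f->payload + 2;
    out->origin_len = origin_len;
    out->field_value = f->payload + 2 + origin_len;
    out->field_value_len = f->length - 2 - origin_len;
    return 0;
}

/* Serialise a constructed ALTSVC frame. Returns bytes written, 0 if buf
   is too small or the fields do not fit their length prefixes. */
size_t build_altsvc_frame(uint8_t *buf, size_t buflen, uint32_t stream_id,
                          const char *origin, const char *field_value)
{
    size_t olen = strlen(origin), vlen = strlen(field_value);
    size_t plen = 2 + olen + vlen;

    if (olen > 0xffff || plen > 0xffffff || buflen < FRAME_HEADER_LEN + plen)
        return 0;
    buf[0] = (uint8_t)((plen >> 16) & 0xff);
    buf[1] = (uint8_t)((plen >> 8) & 0xff);
    buf[2] = (uint8_t)(plen & 0xff);
    buf[3] = FRAME_TYPE_ALTSVC;
    buf[4] = 0;
    buf[5] = (uint8_t)((stream_id >> 24) & 0x7f);
    buf[6] = (uint8_t)((stream_id >> 16) & 0xff);
    buf[7] = (uint8_t)((stream_id >> 8) & 0xff);
    buf[8] = (uint8_t)(stream_id & 0xff);
    buf[9] = (uint8_t)((olen >> 8) & 0xff);
    buf[10] = (uint8_t)(olen & 0xff);
    memcpy(buf + 11, origin, olen);
    memcpy(buf + 11 + olen, field_value, vlen);
    return FRAME_HEADER_LEN + plen;
}

int main(void)
{
    uint8_t buf[64];
    frame_t f;
    altsvc_t a;
    /* constructed in-limit frame: accepted and decoded */
    size_t n = build_altsvc_frame(buf, sizeof buf, 0, "example.com", "h2=\":443\"");
    if (read_frame(buf, n, DEFAULT_MAX_FRAME_SIZE, &f) == 0 && handle_altsvc(&f, &a) == 0)
        printf("origin %.*s, value %.*s\n", (int)a.origin_len, a.origin,
               (int)a.field_value_len, a.field_value);
    /* constructed header claiming a 20000-byte ALTSVC payload: ignored, payload NULL */
    const uint8_t big[FRAME_HEADER_LEN] = {0x00, 0x4e, 0x20, FRAME_TYPE_ALTSVC, 0, 0, 0, 0, 0};
    int rc = read_frame(big, sizeof big, DEFAULT_MAX_FRAME_SIZE, &f);
    printf("oversized: read_frame=%d handle_altsvc=%d\n", rc, handle_altsvc(&f, &a));
    return 0;
}
```

The second case is the one that matters for this report: the frame is parsed far enough to know its type and length, then ignored, and the handler must treat "no payload" as a distinct outcome rather than dereferencing the pointer. An application that never calls `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)` does not reach this path at all.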

Comment 1 Adam Mariš 2018-04-09 08:25:23 UTC
Acknowledgments:

Name: the Nghttp2 project

Comment 2 Adam Mariš 2018-04-10 06:29:05 UTC
Created attachment 1419700 [details]
Upstream patch

Comment 3 Stefan Cornelius 2018-04-12 11:30:25 UTC
Although rh-nodejs8-nodejs includes nghttp2, it is not affected: support for the ALTSVC frame was added in 9.4.0 via https://github.com/nodejs/node/commit/ce22d6f9178507c7a41b04ac4097b9ea902049e3#diff-8d67cefebb5e07f8f3cad3c90c402bb2

Comment 4 Stefan Cornelius 2018-04-13 09:31:56 UTC
Public via:
http://www.openwall.com/lists/oss-security/2018/04/12/4

Comment 5 Stefan Cornelius 2018-04-13 09:32:25 UTC
Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1566990]
Affects: epel-7 [bug 1566989]

Comment 8 errata-xmlrpc 2019-02-18 16:55:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:0366 https://access.redhat.com/errata/RHSA-2019:0366

Comment 9 errata-xmlrpc 2019-02-18 16:58:31 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2019:0367 https://access.redhat.com/errata/RHSA-2019:0367

