1565035 – (CVE-2018-1000168) CVE-2018-1000168 nghttp2: Null pointer dereference when too large ALTSVC frame is received

Bug 1565035 (CVE-2018-1000168) - CVE-2018-1000168 nghttp2: Null pointer dereference when too large ALTSVC frame is received

Summary: CVE-2018-1000168 nghttp2: Null pointer dereference when too large ALTSVC fram...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-1000168
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1566989 1566990 1566991
Blocks:	1565488
TreeView+	depends on / blocked

Reported:	2018-04-09 08:25 UTC by Adam Mariš
Modified:	2021-02-17 00:32 UTC (History)
CC List:	12 users (show)
Fixed In Version:	nghttp2 1.31.1
Clone Of:
Environment:
Last Closed:	2019-06-10 10:19:50 UTC
Embargoed:

Attachments	(Terms of Use)
Upstream patch (1.99 KB, patch) 2018-04-10 06:29 UTC, Adam Mariš	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:0366	0	None	None	None	2019-02-18 16:55:52 UTC
Red Hat Product Errata	RHSA-2019:0367	0	None	None	None	2019-02-18 16:58:32 UTC

Description Adam Mariš 2018-04-09 08:25:21 UTC

If ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to ALTSVC frame payload is left NULL.  Later libnghttp2 attempts to access another field through the pointer, and gets segmentation fault. The largest frame size libnghttp2 accept is by default 16384 bytes.

Receiving ALTSVC frame is disabled by default.  Application has to enable it explicitly by calling `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.

Transmission of ALTSVC is always enabled, and it does not cause this vulnerability. ALTSVC frame is expected to be sent by server, and received by client as defined in RFC 7838.

Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0

Comment 1 Adam Mariš 2018-04-09 08:25:23 UTC

Acknowledgments:

Name: the Nghttp2 project

Comment 2 Adam Mariš 2018-04-10 06:29:05 UTC

Created attachment 1419700 [details]
Upstream patch

Comment 3 Stefan Cornelius 2018-04-12 11:30:25 UTC

Although rh-nodejs8-nodejs includes nghttp2, it is not affected: support for the ALTSVC frame was added in 9.4.0 via https://github.com/nodejs/node/commit/ce22d6f9178507c7a41b04ac4097b9ea902049e3#diff-8d67cefebb5e07f8f3cad3c90c402bb2

Comment 4 Stefan Cornelius 2018-04-13 09:31:56 UTC

Public via:
http://www.openwall.com/lists/oss-security/2018/04/12/4

Comment 5 Stefan Cornelius 2018-04-13 09:32:25 UTC

Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1566990]
Affects: epel-7 [bug 1566989]

Comment 8 errata-xmlrpc 2019-02-18 16:55:51 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:0366 https://access.redhat.com/errata/RHSA-2019:0366

Comment 9 errata-xmlrpc 2019-02-18 16:58:31 UTC

This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2019:0367 https://access.redhat.com/errata/RHSA-2019:0367

Note You need to log in before you can comment on or make changes to this bug.