pkgsrc-Changes archive


CVS commit: pkgsrc/www/nghttp2



Module Name:    pkgsrc
Committed By:   adam
Date:           Sat Jul 15 16:07:29 UTC 2023

Modified Files:
        pkgsrc/www/nghttp2: Makefile.common distinfo

Log Message:
nghttp2 nghttp2-tools: updated to 1.55.1

Nghttp2 v1.55.1

Security Advisory

CVE-2023-35945: HTTP/2 memory leak in nghttp2 codec

For more information, read the security advisory.

This CVE was filed by the envoyproxy/envoy project, and has already been made public, and we did not follow the usual security procedure. See below for why.

lib

This release fixes a memory leak that happens when a PUSH_PROMISE or HEADERS frame cannot be sent, and nghttp2_on_stream_close_callback fails with a fatal error. For example, if a GOAWAY frame has been received, a HEADERS frame that opens a new stream cannot be sent.

This issue has already been made public via CVE-2023-35945 issued by the envoyproxy/envoy project. During the embargo period, the patch to fix this bug was accidentally submitted to the nghttp2/nghttp2 repository. And they decided to disclose the CVE early. I was notified just 1.5 hours before disclosure. I had no time to respond.

The PoC described in the CVE is quite simple, but I think it is not enough to trigger this bug. While it is true that receiving GOAWAY prevents a client from opening a new stream, and nghttp2 enters the error handling branch, in order to cause the memory leak, the nghttp2_session_close_stream function must return a fatal error. nghttp2 defines 2 fatal error codes:

NGHTTP2_ERR_NOMEM
NGHTTP2_ERR_CALLBACK_FAILURE

NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of memory. It is unlikely that a process gets short of memory with this simple PoC scenario unless the application does some memory-heavy processing.

NGHTTP2_ERR_CALLBACK_FAILURE is returned from an application-defined callback function (nghttp2_on_stream_close_callback, in this case), which indicates that something fatal happened inside a callback, and the connection must be closed immediately without any further action. As the nghttp2_on_stream_close_error_callback documentation says, any error code other than 0 or NGHTTP2_ERR_CALLBACK_FAILURE is treated as a fatal error code. More specifically, it is treated as if NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that envoy returns NGHTTP2_ERR_CALLBACK_FAILURE or another error code which is translated into NGHTTP2_ERR_CALLBACK_FAILURE.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/nghttp2/Makefile.common
cvs rdiff -u -r1.62 -r1.63 pkgsrc/www/nghttp2/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/nghttp2/Makefile.common
diff -u pkgsrc/www/nghttp2/Makefile.common:1.16 pkgsrc/www/nghttp2/Makefile.common:1.17
--- pkgsrc/www/nghttp2/Makefile.common:1.16     Thu Jul 13 14:25:58 2023
+++ pkgsrc/www/nghttp2/Makefile.common  Sat Jul 15 16:07:29 2023
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile.common,v 1.16 2023/07/13 14:25:58 adam Exp $
+# $NetBSD: Makefile.common,v 1.17 2023/07/15 16:07:29 adam Exp $
 # used by www/nghttp2/Makefile
 # used by www/nghttp2-tools/Makefile
 
-DISTNAME=      nghttp2-1.55.0
+DISTNAME=      nghttp2-1.55.1
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=tatsuhiro-t/}
 EXTRACT_SUFX=  .tar.xz
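
Review bot: The DISTNAME bump to nghttp2-1.55.1 lands in a file shared by www/nghttp2/Makefile and www/nghttp2-tools/Makefile (the two "used by" comments), yet Modified Files lists only Makefile.common and distinfo. If either consuming Makefile sets PKGREVISION, it should be dropped in the same commit so the new upstream release does not ship with a stale nbN suffix. Because the log message ties this update to CVE-2023-35945, a pullup request for the stable branch is also worth filing.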

Index: pkgsrc/www/nghttp2/distinfo
diff -u pkgsrc/www/nghttp2/distinfo:1.62 pkgsrc/www/nghttp2/distinfo:1.63
--- pkgsrc/www/nghttp2/distinfo:1.62    Thu Jul 13 14:25:58 2023
+++ pkgsrc/www/nghttp2/distinfo Sat Jul 15 16:07:29 2023
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.62 2023/07/13 14:25:58 adam Exp $
+$NetBSD: distinfo,v 1.63 2023/07/15 16:07:29 adam Exp $
 
-BLAKE2s (nghttp2-1.55.0.tar.xz) = 76377e74aa2b5e2c12da5e2a60510359c9111723f55f23ce354163bfa04f46aa
-SHA512 (nghttp2-1.55.0.tar.xz) = ccb13dd3067c5937d9b73132045788862b9cead6dc57611b1a9c55b6d1eea2c70c4d155e1a7b94ca6c6f31f4b75e45d0af680a50a061d6aab68ca75492dad640
-Size (nghttp2-1.55.0.tar.xz) = 1542356 bytes
+BLAKE2s (nghttp2-1.55.1.tar.xz) = fc6eb49cabb6793b15303944c95f6804d0632ad08c4853941254c49abd2552cb
+SHA512 (nghttp2-1.55.1.tar.xz) = ad948aa957ce429346b2a79933ba3b5f94e9386e1bc36961ed181685cd65f3d9d6937e3d4d228be17ac793e438776515b6a071ae1801b1481db9ad2c1166c1c3
+Size (nghttp2-1.55.1.tar.xz) = 1541884 bytes
 SHA1 (patch-Makefile.in) = a8b55c4e477ea285a9ba005a20e244b762968f3e
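
Review bot: The SHA1 (patch-Makefile.in) context line is unchanged while the BLAKE2s, SHA512 and Size entries move to nghttp2-1.55.1.tar.xz, so the local patch is carried over as-is; confirm it still applies cleanly to the 1.55.1 tree. The new digests cannot be validated from the diff itself, so they should come from a freshly fetched distfile (make makesum) that has been compared against the upstream release artifact.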


