Date: Fri, 13 Apr 2018 00:20:40 +0900 From: Tatsuhiro Tsujikawa <tatsuhiro.t@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2018-1000168: nghttp2: Denial of service due to NULL pointer dereference. There are some typos in the previous post. Here is the corrected message: ## Security Advisory CVE-2018-1000168: nghttp2: Denial of service due to NULL pointer dereference. ### Vulnerability If ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer, and gets segmentation fault. ALTSVC frame is defined by RFC 7838. The largest frame size libnghttp2 accept is by default 16384 bytes. Receiving ALTSVC frame is disabled by default. Application has to enable it explicitly by calling `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`. Transmission of ALTSVC is always enabled, and it does not cause this vulnerability. ALTSVC frame is expected to be sent by server, and received by client as defined in RFC 7838. Client and server are both affected by this vulnerability if the reception of ALTSVC frame is enabled. As written earlier, it is useless to enable reception of ALTSVC frame on server side. So, server is generally safe unless application accidentally enabled the reception of ALTSVC frame. ### Affected Versions * Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0 * Not affected versions: nghttp2 >= 1.31.1 ### The Solution Upgrade to nghttp2 v1.31.1. If the upgrade cannot be possible: For client, disable ALTSVC, removing the call to `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)` For server, because it is never expected to receive ALTSVC, just remove `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`. ### Time Line It was first reported to the nghttp2 team April 4 2018. nghttp2 v1.31.1 was released on April 12 2018. ### Credits Reported by Jordan Zebor at F5 Networks, and James M Snell from Node.js project. Fixed by the nghttp2 team. Thank you for all who involved. This security advisory format is inspired from curl/libcurl project.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ