Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Apr 2018 00:20:40 +0900
From: Tatsuhiro Tsujikawa <tatsuhiro.t@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-1000168: nghttp2: Denial of service due to NULL pointer dereference.

There are some typos in the previous post.  Here is the corrected message:

## Security Advisory

CVE-2018-1000168: nghttp2: Denial of service due to NULL pointer
dereference.

### Vulnerability

If ALTSVC frame is received by libnghttp2 and it is larger than it can
accept, the pointer field which points to ALTSVC frame payload is left
NULL.  Later libnghttp2 attempts to access another field through the
pointer, and gets segmentation fault.

ALTSVC frame is defined by RFC 7838.

The largest frame size libnghttp2 accept is by default 16384 bytes.

Receiving ALTSVC frame is disabled by default.  Application has to
enable it explicitly by calling
`nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.

Transmission of ALTSVC is always enabled, and it does not cause this
vulnerability.

ALTSVC frame is expected to be sent by server, and received by client
as defined in RFC 7838.

Client and server are both affected by this vulnerability if the
reception of ALTSVC frame is enabled.  As written earlier, it is
useless to enable reception of ALTSVC frame on server side.  So,
server is generally safe unless application accidentally enabled the
reception of ALTSVC frame.

### Affected Versions

* Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0
* Not affected versions: nghttp2 >= 1.31.1

### The Solution

Upgrade to nghttp2 v1.31.1.

If the upgrade cannot be possible:

For client, disable ALTSVC, removing the call to
`nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`

For server, because it is never expected to receive ALTSVC, just
remove `nghttp2_option_set_builtin_recv_extension_type(opt,
NGHTTP2_ALTSVC)`.

### Time Line

It was first reported to the nghttp2 team April 4 2018.

nghttp2 v1.31.1 was released on April 12 2018.

### Credits

Reported by Jordan Zebor at F5 Networks, and James M Snell from
Node.js project.  Fixed by the nghttp2 team.

Thank you for all who involved.

This security advisory format is inspired from curl/libcurl project.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.