Fix for CVE-2024-27316

2024-04-12 12:08:52 +00:00 · 2024-04-12 12:08:52 +00:00 · 02c9d0f5d9
parent f716275667
commit 02c9d0f5d9
2 changed files with 64 additions and 1 deletions
--- a/SOURCES/mod_http2-1.15.7-CVE-2024-27316.patch
+++ b/SOURCES/mod_http2-1.15.7-CVE-2024-27316.patch
@ -0,0 +1,55 @@
+From 134e28ae5abc997fe064995627b3ebe247a5d5d8 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 23 Feb 2024 15:13:56 +0100
+Subject: [PATCH] RESET stream after 100 failed incoming headers
+
+---
+ mod_http2/h2_session.c | 10 +++++++---
+ mod_http2/h2_stream.c  |  1 +
+ mod_http2/h2_stream.h  |  1 +
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c
+index a5cc306..4b38518 100644
+--- a/mod_http2/h2_session.c
+++ b/mod_http2/h2_session.c
+@@ -311,7 +311,12 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
+     
+     status = h2_stream_add_header(stream, (const char *)name, namelen,
+                                   (const char *)value, valuelen);
+-    if (status != APR_SUCCESS && !h2_stream_is_ready(stream)) {
+    if (status != APR_SUCCESS 
+        && (!h2_stream_is_ready(stream) ||
+            /* We accept a certain amount of failures in order to reply
+             * with an informative HTTP error response like 413. But of the
+             * client is too wrong, we fail the request an RESET the stream */
+            stream->request_headers_failed > 100)) {
+         return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+     }
+     return 0;
+diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c
+index 6136baa..d3c4d99 100644
+--- a/mod_http2/h2_stream.c
+++ b/mod_http2/h2_stream.c
+@@ -733,6 +733,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
+     }
+     
+     if (error) {
+        ++stream->request_headers_failed;
+         set_error_response(stream, error);
+         return APR_EINVAL; 
+     }
+diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h
+index 79cb39d..4ddf1a2 100644
+--- a/mod_http2/h2_stream.h
+++ b/mod_http2/h2_stream.h
+@@ -75,7 +75,8 @@ struct h2_stream {
+     struct h2_request *rtmp;    /* request being assembled */
+     apr_table_t *trailers;      /* optional incoming trailers */
+     int request_headers_added;  /* number of request headers added */
+-    
+    int request_headers_failed; /* number of request headers failed to add */
+
+     struct h2_bucket_beam *input;
+     apr_bucket_brigade *in_buffer;
+     int in_window_size;
--- a/SPECS/mod_http2.spec
+++ b/SPECS/mod_http2.spec
@ -3,7 +3,7 @@

 Name:		mod_http2
 Version:	1.15.7
-Release:	8%{?dist}.3
+Release:	8%{?dist}.5.alma.1
 Summary:	module implementing HTTP/2 for Apache 2
 Group:		System Environment/Daemons
 License:	ASL 2.0
@ -16,6 +16,9 @@ Patch4:		mod_http2-1.15.7-CVE-2021-44224.patch
 Patch5:		mod_http2-1.15.7-SNI.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2176209
 Patch6:		mod_http2-1.15.7-CVE-2023-25690.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2268277
+Patch7:		mod_http2-1.15.7-CVE-2024-27316.patch
+

 BuildRequires:	pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
 Requires:	httpd-mmn = %{_httpd_mmn}
@ -33,6 +36,7 @@ top of libnghttp2 for httpd 2.4 servers.
 %patch4 -p1 -b .CVE-2021-44224
 %patch5 -p1 -b .SNI
 %patch6 -p1 -b .CVE-2023-25690
+%patch7 -p1 -b .CVE-2024-27316

 %build
 %configure
@ -59,6 +63,10 @@ make check
 %{_httpd_moddir}/mod_proxy_http2.so

 %changelog
+* Fri Apr 12 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 1.15.7-8.5.alma.1
+- Resolves: RHEL-29817 - httpd:2.4/mod_http2: httpd: CONTINUATION frames
+  DoS (CVE-2024-27316)
+
 * Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-8.3
 - Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
  with mod_rewrite and mod_proxy