From 2c7cd439c5c4b3002b7fce378e478fb74da10ba7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 15 Apr 2024 12:46:24 +0200 Subject: [PATCH] Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames DoS (CVE-2024-27316) --- mod_http2-2.0.26-CVE-2024-27316.patch | 57 +++++++++++++++++++++++++++ mod_http2.spec | 13 ++++-- 2 files changed, 66 insertions(+), 4 deletions(-) create mode 100644 mod_http2-2.0.26-CVE-2024-27316.patch diff --git a/mod_http2-2.0.26-CVE-2024-27316.patch b/mod_http2-2.0.26-CVE-2024-27316.patch new file mode 100644 index 0000000..ac52022 --- /dev/null +++ b/mod_http2-2.0.26-CVE-2024-27316.patch @@ -0,0 +1,57 @@ +From 134e28ae5abc997fe064995627b3ebe247a5d5d8 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Fri, 23 Feb 2024 15:13:56 +0100 +Subject: [PATCH] RESET stream after 100 failed incoming headers + +--- + mod_http2/h2_session.c | 10 +++++++--- + mod_http2/h2_stream.c | 1 + + mod_http2/h2_stream.h | 1 + + 3 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c +index 1e560e47..6d379cc5 100644 +--- a/mod_http2/h2_session.c ++++ b/mod_http2/h2_session.c +@@ -319,9 +319,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame, + + status = h2_stream_add_header(stream, (const char *)name, namelen, + (const char *)value, valuelen); +- if (status != APR_SUCCESS +- && (!stream->rtmp +- || stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) { ++ if (status != APR_SUCCESS && ++ (!stream->rtmp || ++ stream->rtmp->http_status == H2_HTTP_STATUS_UNSET || ++ /* We accept a certain amount of failures in order to reply ++ * with an informative HTTP error response like 413. But of the ++ * client is too wrong, we fail the request an RESET the stream */ ++ stream->request_headers_failed > 100)) { + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + return 0; +diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c +index f6c92024..ee87555f 100644 +--- a/mod_http2/h2_stream.c ++++ b/mod_http2/h2_stream.c +@@ -813,6 +813,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream, + + cleanup: + if (error) { ++ ++stream->request_headers_failed; + set_error_response(stream, error); + return APR_EINVAL; + } +diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h +index d68d4260..405978a4 100644 +--- a/mod_http2/h2_stream.h ++++ b/mod_http2/h2_stream.h +@@ -91,6 +91,7 @@ struct h2_stream { + struct h2_request *rtmp; /* request being assembled */ + apr_table_t *trailers_in; /* optional, incoming trailers */ + int request_headers_added; /* number of request headers added */ ++ int request_headers_failed; /* number of request headers failed to add */ + + #if AP_HAS_RESPONSE_BUCKETS + ap_bucket_response *response; /* the final, non-interim response or NULL */ + diff --git a/mod_http2.spec b/mod_http2.spec index b20bdc7..113fbc6 100644 --- a/mod_http2.spec +++ b/mod_http2.spec @@ -3,7 +3,7 @@ Name: mod_http2 Version: 2.0.26 -Release: 1%{?dist} +Release: 2%{?dist} Summary: module implementing HTTP/2 for Apache 2 License: ASL 2.0 URL: https://icing.github.io/mod_h2/ @@ -11,8 +11,9 @@ Source0: https://github.com/icing/mod_h2/releases/download/v%{version}/mod_http2 # Patch1: ... # Security patches: -# -# Patch100: ... +# +# https://bugzilla.redhat.com/show_bug.cgi?id=2268277 +Patch100: mod_http2-2.0.26-CVE-2024-27316.patch BuildRequires: make BuildRequires: gcc @@ -27,7 +28,7 @@ The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers. %prep -%setup -q +%autosetup -p1 %build autoreconf -i @@ -52,6 +53,10 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{ %{_httpd_moddir}/mod_proxy_http2.so %changelog +* Fri Apr 05 2024 Luboš Uhliarik - 2.0.26-2 +- Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames + DoS (CVE-2024-27316) + * Thu Jan 18 2024 Luboš Uhliarik - 2.0.26-1 - Resolves: RHEL-14691 - mod_http2 rebase to 2.0.26