Backport patches for several CVEs

Resolves: RHEL-26530 RHEL-29879 RHEL-29871 RHEL-31269
Jan Staněk 2024-04-09 17:58:50 +02:00
parent 30f3643e07
commit 53b27311ea
GPG Key ID: 2972F2037B243B6D
10 changed files with 489 additions and 32 deletions

@ -1,4 +1,4 @@
From 39f761838b5fc10af995642bd44e6bb4c79085f1 Mon Sep 17 00:00:00 2001 From 6c80c1956373978489a297a630f4f50222c47775 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build> From: rpm-build <rpm-build>
Date: Tue, 30 May 2023 13:12:35 +0200 Date: Tue, 30 May 2023 13:12:35 +0200
Subject: [PATCH] Disable running gyp on shared deps Subject: [PATCH] Disable running gyp on shared deps
@ -22,5 +22,5 @@ index ef3eda2..8b52a4f 100644
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make $(PYTHON) tools/gyp_node.py -f make
-- --
2.41.0 2.44.0

@ -1,4 +1,4 @@
From b9370dcfba759c63e894f12abcf49699f1e8f0dc Mon Sep 17 00:00:00 2001 From b7d979b5f7d28114050d1cdc43f39e6e83bd80d5 Mon Sep 17 00:00:00 2001
From: Honza Horak <hhorak@redhat.com> From: Honza Horak <hhorak@redhat.com>
Date: Thu, 12 Oct 2023 13:52:59 +0200 Date: Thu, 12 Oct 2023 13:52:59 +0200
Subject: [PATCH] disable fips options Subject: [PATCH] disable fips options
@ -22,5 +22,5 @@ index 59ae7f8..7343396 100644
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips"); OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr) if (fips_provider == nullptr)
-- --
2.41.0 2.44.0

@ -1,4 +1,4 @@
From 3cdb8a61ff25e4d299d9d47284da5134bc5f1072 Mon Sep 17 00:00:00 2001 From de21a714db98bade7a0438af0a0351a9f53f2fb8 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build> From: rpm-build <rpm-build>
Date: Thu, 12 Oct 2023 14:18:12 +0200 Date: Thu, 12 Oct 2023 14:18:12 +0200
Subject: [PATCH] deps(nghttp2): update to 1.57.0 Subject: [PATCH] deps(nghttp2): update to 1.57.0
@ -5798,5 +5798,5 @@ index 0dcd034..7b02f39 100644
} }
] ]
-- --
2.41.0 2.44.0

@ -1,4 +1,7 @@
Fix CVE-2024-22019 From fb8b050abf63459eb83cad4d4bf695c56db2790a Mon Sep 17 00:00:00 2001
From: Honza Horak <hhorak@redhat.com>
Date: Mon, 15 Apr 2024 15:21:35 +0200
Subject: [PATCH] Fix CVE-2024-22019
Resolves: RHEL-28064 Resolves: RHEL-28064
@ -8,17 +11,20 @@ https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
and necessary rebase of llhttp from 6.0.11 to 6.1.0 that has the needed and necessary rebase of llhttp from 6.0.11 to 6.1.0 that has the needed
chunk features. chunk features.
From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001 Original patch:
From: Paolo Insogna <paolo@cowtech.it> > From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001
Date: Tue, 9 Jan 2024 18:10:04 +0100 > From: Paolo Insogna <paolo@cowtech.it>
Subject: [PATCH] http: add maximum chunk extension size > Date: Tue, 9 Jan 2024 18:10:04 +0100
> Subject: [PATCH] http: add maximum chunk extension size
>
> Cherry-picked from v18 patch:
> https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
>
> PR-URL: https://github.com/nodejs-private/node-private/pull/520
> Refs: https://github.com/nodejs-private/node-private/pull/518
> CVE-ID: CVE-2024-22019
Cherry-picked from v18 patch: Signed-off-by: rpm-build <rpm-build>
https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
PR-URL: https://github.com/nodejs-private/node-private/pull/520
Refs: https://github.com/nodejs-private/node-private/pull/518
CVE-ID: CVE-2024-22019
--- ---
deps/llhttp/.gitignore | 1 + deps/llhttp/.gitignore | 1 +
deps/llhttp/CMakeLists.txt | 2 +- deps/llhttp/CMakeLists.txt | 2 +-
@ -36,13 +42,13 @@ CVE-ID: CVE-2024-22019
diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore
new file mode 100644 new file mode 100644
index 0000000000..98438a2cd3 index 0000000..98438a2
--- /dev/null --- /dev/null
+++ b/deps/llhttp/.gitignore +++ b/deps/llhttp/.gitignore
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+libllhttp.pc +libllhttp.pc
diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt
index d0382038b9..747564a76f 100644 index d038203..747564a 100644
--- a/deps/llhttp/CMakeLists.txt --- a/deps/llhttp/CMakeLists.txt
+++ b/deps/llhttp/CMakeLists.txt +++ b/deps/llhttp/CMakeLists.txt
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
@ -55,7 +61,7 @@ index d0382038b9..747564a76f 100644
set(CMAKE_C_STANDARD 99) set(CMAKE_C_STANDARD 99)
diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h
index 2da66f15e6..78f27abc03 100644 index 2da66f1..78f27ab 100644
--- a/deps/llhttp/include/llhttp.h --- a/deps/llhttp/include/llhttp.h
+++ b/deps/llhttp/include/llhttp.h +++ b/deps/llhttp/include/llhttp.h
@@ -2,8 +2,8 @@ @@ -2,8 +2,8 @@
@ -80,7 +86,7 @@ index 2da66f15e6..78f27abc03 100644
llhttp_data_cb on_body; llhttp_data_cb on_body;
diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c
index c4ce197c58..d3065b3664 100644 index c4ce197..d3065b3 100644
--- a/deps/llhttp/src/api.c --- a/deps/llhttp/src/api.c
+++ b/deps/llhttp/src/api.c +++ b/deps/llhttp/src/api.c
@@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) { @@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) {
@ -98,7 +104,7 @@ index c4ce197c58..d3065b3664 100644
int err; int err;
CALLBACK_MAYBE(s, on_chunk_complete); CALLBACK_MAYBE(s, on_chunk_complete);
diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c
index 5e7c5d1093..e6db6e3188 100644 index 5e7c5d1..46f86a0 100644
--- a/deps/llhttp/src/llhttp.c --- a/deps/llhttp/src/llhttp.c
+++ b/deps/llhttp/src/llhttp.c +++ b/deps/llhttp/src/llhttp.c
@@ -340,6 +340,8 @@ enum llparse_state_e { @@ -340,6 +340,8 @@ enum llparse_state_e {
@ -188,7 +194,7 @@ index 5e7c5d1093..e6db6e3188 100644
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: { + s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
+ const unsigned char* start; + const unsigned char* start;
+ int err; + int err;
+ +
+ start = state->_span_pos0; + start = state->_span_pos0;
+ state->_span_pos0 = NULL; + state->_span_pos0 = NULL;
+ err = llhttp__on_chunk_parameters(state, start, p); + err = llhttp__on_chunk_parameters(state, start, p);
@ -293,7 +299,7 @@ index 5e7c5d1093..e6db6e3188 100644
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: { + s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
+ const unsigned char* start; + const unsigned char* start;
+ int err; + int err;
+ +
+ start = state->_span_pos0; + start = state->_span_pos0;
+ state->_span_pos0 = NULL; + state->_span_pos0 = NULL;
+ err = llhttp__on_chunk_parameters(state, start, p); + err = llhttp__on_chunk_parameters(state, start, p);
@ -312,7 +318,7 @@ index 5e7c5d1093..e6db6e3188 100644
state->error = 0x2; state->error = 0x2;
state->reason = "Invalid character in chunk parameters"; state->reason = "Invalid character in chunk parameters";
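Review bot: The `index` line for deps/llhttp/src/llhttp.c changes its target blob from e6db6e3188 to 46f86a0, whereas every other file in this regenerated patch only has its hashes abbreviated. The only visible difference is the empty added line inside `s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters`, which looks like trailing whitespace dropped when the patch was regenerated. Please confirm the change to the generated parser is whitespace-only and note that in the patch description.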
diff --git a/doc/api/errors.md b/doc/api/errors.md diff --git a/doc/api/errors.md b/doc/api/errors.md
index dcf8744d8b..a76bfe528d 100644 index dcf8744..a76bfe5 100644
--- a/doc/api/errors.md --- a/doc/api/errors.md
+++ b/doc/api/errors.md +++ b/doc/api/errors.md
@@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then @@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then
@ -335,7 +341,7 @@ index dcf8744d8b..a76bfe528d 100644
### `HPE_UNEXPECTED_CONTENT_LENGTH` ### `HPE_UNEXPECTED_CONTENT_LENGTH`
diff --git a/lib/_http_server.js b/lib/_http_server.js diff --git a/lib/_http_server.js b/lib/_http_server.js
index 4e23266f63..325bce6f54 100644 index 4e23266..325bce6 100644
--- a/lib/_http_server.js --- a/lib/_http_server.js
+++ b/lib/_http_server.js +++ b/lib/_http_server.js
@@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from( @@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from(
@ -362,7 +368,7 @@ index 4e23266f63..325bce6f54 100644
response = requestTimeoutResponse; response = requestTimeoutResponse;
break; break;
diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
index 74f32480b9..b92e8486ae 100644 index 74f3248..b92e848 100644
--- a/src/node_http_parser.cc --- a/src/node_http_parser.cc
+++ b/src/node_http_parser.cc +++ b/src/node_http_parser.cc
@@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5; @@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5;
@ -424,7 +430,7 @@ index 74f32480b9..b92e8486ae 100644
Proxy<Call, &Parser::on_chunk_header>::Raw, Proxy<Call, &Parser::on_chunk_header>::Raw,
diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js
new file mode 100644 new file mode 100644
index 0000000000..6868b3da6c index 0000000..6868b3d
--- /dev/null --- /dev/null
+++ b/test/parallel/test-http-chunk-extensions-limit.js +++ b/test/parallel/test-http-chunk-extensions-limit.js
@@ -0,0 +1,131 @@ @@ -0,0 +1,131 @@
@ -560,7 +566,7 @@ index 0000000000..6868b3da6c
+ }); + });
+} +}
diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh
index 12e2f465d7..a95eef1237 100755 index 12e2f46..a95eef1 100755
--- a/tools/update-llhttp.sh --- a/tools/update-llhttp.sh
+++ b/tools/update-llhttp.sh +++ b/tools/update-llhttp.sh
@@ -59,5 +59,5 @@ echo "" @@ -59,5 +59,5 @@ echo ""
@ -571,5 +577,5 @@ index 12e2f465d7..a95eef1237 100755
+echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\"" +echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\""
echo "" echo ""
-- --
2.41.0 2.44.0

@ -0,0 +1,42 @@
From 2df9af7073929ab94b6dda040df08bc3ff7d8ab1 Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Tue, 26 Mar 2024 15:55:13 -0300
Subject: [PATCH] src: ensure to close stream when destroying session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Anna Henningsen <anna@addaleax.net>
PR-URL: https://github.com/nodejs-private/node-private/pull/561
Fixes: https://hackerone.com/reports/2319584
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
CVE-ID: CVE-2024-27983
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Signed-off-by: rpm-build <rpm-build>
---
src/node_http2.cc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/node_http2.cc b/src/node_http2.cc
index 53216dc..9a6d63d 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -529,6 +529,12 @@ Http2Session::Http2Session(Http2State* http2_state,
Http2Session::~Http2Session() {
CHECK(!is_in_scope());
Debug(this, "freeing nghttp2 session");
+ // Ensure that all `Http2Stream` instances and the memory they hold
+ // on to are destroyed before the nghttp2 session is.
+ for (const auto& [id, stream] : streams_) {
+ stream->Detach();
+ }
+ streams_.clear();
// Explicitly reset session_ so the subsequent
// current_nghttp2_memory_ check passes.
session_.reset();
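Review bot: The new loop in `~Http2Session()` calls `stream->Detach()` while iterating `streams_` by reference, so it is only safe if `Detach()` never erases the stream from that map. That is not visible in this hunk; either add a comment stating it or move `streams_` into a local map before the loop. The `id` binding is unused, and the patch touches only src/node_http2.cc, so it adds no regression test for the CVE-2024-27983 teardown path.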
--
2.44.0

@ -0,0 +1,112 @@
From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:26:42 +0900
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Fixes: CVE-2024-28182
Signed-off-by: rpm-build <rpm-build>
---
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++-
deps/nghttp2/lib/nghttp2_helper.c | 2 ++
deps/nghttp2/lib/nghttp2_session.c | 7 +++++++
deps/nghttp2/lib/nghttp2_session.h | 10 ++++++++++
4 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
index fa22081..b394bde 100644
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -440,7 +440,12 @@ typedef enum {
* exhaustion on server side to send these frames forever and does
* not read network.
*/
- NGHTTP2_ERR_FLOODED = -904
+ NGHTTP2_ERR_FLOODED = -904,
+ /**
+ * When a local endpoint receives too many CONTINUATION frames
+ * following a HEADER frame.
+ */
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
} nghttp2_error;
/**
diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
index 93dd475..b3563d9 100644
--- a/deps/nghttp2/lib/nghttp2_helper.c
+++ b/deps/nghttp2/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
"closed";
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
return "SETTINGS frame contained more than the maximum allowed entries";
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+ return "Too many CONTINUATION frames following a HEADER frame";
default:
return "Unknown error code";
}
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
index ec5024d..8e4d2e7 100644
--- a/deps/nghttp2/lib/nghttp2_session.c
+++ b/deps/nghttp2/lib/nghttp2_session.c
@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
}
session_inbound_frame_reset(session);
+
+ session->num_continuations = 0;
}
break;
}
@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
#endif /* DEBUGBUILD */
+ if (++session->num_continuations > session->max_continuations) {
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+ }
+
readlen = inbound_frame_buf_read(iframe, in, last);
in += readlen;
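Review bot: `nghttp2_session_mem_recv` now returns the new code `NGHTTP2_ERR_TOO_MANY_CONTINUATIONS` at the `++session->num_continuations > session->max_continuations` check, but the diffstat lists only files under deps/nghttp2, so nothing on the Node.js side is shown handling -905. Please confirm the caller treats every negative return from this function as fatal for the session. A test that sends more than `NGHTTP2_DEFAULT_MAX_CONTINUATIONS` CONTINUATION frames after one header frame would pin the behaviour for this backport.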
diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
index b119329..ef8f7b2 100644
--- a/deps/nghttp2/lib/nghttp2_session.h
+++ b/deps/nghttp2/lib/nghttp2_session.h
@@ -110,6 +110,10 @@ typedef struct {
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+/* The default max number of CONTINUATION frames following an incoming
+ HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
@@ -290,6 +294,12 @@ struct nghttp2_session {
size_t max_send_header_block_length;
/* The maximum number of settings accepted per SETTINGS frame. */
size_t max_settings;
+ /* The maximum number of CONTINUATION frames following an incoming
+ HEADER frame. */
+ size_t max_continuations;
+ /* The number of CONTINUATION frames following an incoming HEADER
+ frame. This variable is reset when END_HEADERS flag is seen. */
+ size_t num_continuations;
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
uint32_t next_stream_id;
/* The last stream ID this session initiated. For client session,
--
2.44.0

@ -0,0 +1,94 @@
From 625b03149d2ec68cdbcfe3f2801d6f0420d917cb Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:48:10 +0900
Subject: [PATCH] Add nghttp2_option_set_max_continuations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Related: CVE-2024-28182
Signed-off-by: rpm-build <rpm-build>
---
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
deps/nghttp2/lib/nghttp2_option.c | 5 +++++
deps/nghttp2/lib/nghttp2_option.h | 5 +++++
deps/nghttp2/lib/nghttp2_session.c | 4 ++++
4 files changed, 25 insertions(+)
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
index b394bde..4d3339b 100644
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
uint64_t burst, uint64_t rate);
+/**
+ * @function
+ *
+ * This function sets the maximum number of CONTINUATION frames
+ * following an incoming HEADER frame. If more than those frames are
+ * received, the remote endpoint is considered to be misbehaving and
+ * session will be closed. The default value is 8.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
+ size_t val);
+
/**
* @function
*
diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c
index 43d4e95..53144b9 100644
--- a/deps/nghttp2/lib/nghttp2_option.c
+++ b/deps/nghttp2/lib/nghttp2_option.c
@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
option->stream_reset_burst = burst;
option->stream_reset_rate = rate;
}
+
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
+ option->max_continuations = val;
+}
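Review bot: `nghttp2_option_set_max_continuations` stores `val` unchecked, and the receive path rejects when `++session->num_continuations > session->max_continuations`, so a value of 0 makes the session fail on the first CONTINUATION frame. The doc comment in nghttp2.h should state that, and should name the error returned (`NGHTTP2_ERR_TOO_MANY_CONTINUATIONS`) instead of only saying the session will be closed.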
diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h
index 2259e18..c89cb97 100644
--- a/deps/nghttp2/lib/nghttp2_option.h
+++ b/deps/nghttp2/lib/nghttp2_option.h
@@ -71,6 +71,7 @@ typedef enum {
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
} nghttp2_option_flag;
/**
@@ -98,6 +99,10 @@ struct nghttp2_option {
* NGHTTP2_OPT_MAX_SETTINGS
*/
size_t max_settings;
+ /**
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
+ */
+ size_t max_continuations;
/**
* Bitwise OR of nghttp2_option_flag to determine that which fields
* are specified.
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
index 8e4d2e7..ced7517 100644
--- a/deps/nghttp2/lib/nghttp2_session.c
+++ b/deps/nghttp2/lib/nghttp2_session.c
@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
option->stream_reset_burst,
option->stream_reset_rate);
}
+
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
+ (*session_ptr)->max_continuations = option->max_continuations;
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
--
2.44.0

File diff suppressed because one or more lines are too long

@ -0,0 +1,39 @@
From ec80a9196e2aedfd617d05964725f113000a41ea Mon Sep 17 00:00:00 2001
From: Brad House <brad@brad-house.com>
Date: Thu, 22 Feb 2024 16:23:33 -0500
Subject: [PATCH] Address CVE-2024-25629
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Original commit title: Merge pull request from GHSA-mg26-v6qh-x48q
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Fixes: CVE-2024-25629
Signed-off-by: rpm-build <rpm-build>
---
deps/cares/src/lib/ares__read_line.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/deps/cares/src/lib/ares__read_line.c b/deps/cares/src/lib/ares__read_line.c
index c62ad2a..16627e4 100644
--- a/deps/cares/src/lib/ares__read_line.c
+++ b/deps/cares/src/lib/ares__read_line.c
@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
if (!fgets(*buf + offset, bytestoread, fp))
return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
len = offset + strlen(*buf + offset);
+
+ /* Probably means there was an embedded NULL as the first character in
+ * the line, throw away line */
+ if (len == 0) {
+ offset = 0;
+ continue;
+ }
+
if ((*buf)[len - 1] == '\n')
{
(*buf)[len - 1] = 0;
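Review bot: `offset = 0;` in the new `if (len == 0)` block is redundant, because `len` is `offset + strlen(*buf + offset)` and `len == 0` therefore already implies `offset == 0`. The comment would be more useful if it said what the guard prevents, namely `(*buf)[len - 1]` indexing before the start of the buffer on the following line, and "NULL" should read "NUL" since it refers to the character. The diffstat shows one changed file, so no test with a line beginning with a NUL byte accompanies the fix.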
--
2.44.0

@ -30,7 +30,7 @@
# This is used by both the nodejs package and the npm subpackage that # This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec # has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end. # will bump this rather than adding .1 to the end.
%global baserelease 4 %global baserelease 5
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -184,7 +184,17 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch2: 0002-disable-fips-options.patch Patch2: 0002-disable-fips-options.patch
Patch3: 0003-deps-nghttp2-update-to-1.57.0.patch Patch3: 0003-deps-nghttp2-update-to-1.57.0.patch
Patch4: nodejs-CVE-2024-22019.patch Patch4: 0004-Fix-CVE-2024-22019.patch
# CVE-2025-27983
Patch5: 0005-src-ensure-to-close-stream-when-destroying-session.patch
# CVE-2024-28182
Patch6: 0006-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
# CVE-2024-28182
Patch7: 0007-Add-nghttp2_option_set_max_continuations.patch
# CVE-2024-22025
Patch8: 0008-zlib-pause-stream-if-outgoing-buffer-is-full.patch
# CVE-2024-25629
Patch9: 0009-Address-CVE-2024-25629.patch
BuildRequires: make BuildRequires: make
BuildRequires: python3-devel BuildRequires: python3-devel
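Review bot: The comment above `Patch5` reads `# CVE-2025-27983`, but the patch it annotates carries `CVE-ID: CVE-2024-27983` and the new changelog entry lists CVE-2024-27983, so the year should be 2024. Anyone grepping the spec for the CVE identifier will otherwise miss this patch.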
@ -724,6 +734,10 @@ end
%changelog %changelog
* Mon Apr 08 2024 Jan Staněk <jstanek@redhat.com> - 1:16.20.2-5
- Backport patches for several CVEs.
Fixes CVE-2024-22025 CVE-2024-25629 CVE-2024-27983 CVE-2024-28182
* Tue Mar 05 2024 Honza Horak <hhorak@redhat.com> - 1:16.20.2-4 * Tue Mar 05 2024 Honza Horak <hhorak@redhat.com> - 1:16.20.2-4
- Fix CVE-2024-22019 - Fix CVE-2024-22019