Backport patches for several CVEs
Resolves: RHEL-26530 RHEL-29879 RHEL-29871 RHEL-31269
This commit is contained in:
parent
30f3643e07
commit
53b27311ea
@ -1,4 +1,4 @@
|
|||||||
From 39f761838b5fc10af995642bd44e6bb4c79085f1 Mon Sep 17 00:00:00 2001
|
From 6c80c1956373978489a297a630f4f50222c47775 Mon Sep 17 00:00:00 2001
|
||||||
From: rpm-build <rpm-build>
|
From: rpm-build <rpm-build>
|
||||||
Date: Tue, 30 May 2023 13:12:35 +0200
|
Date: Tue, 30 May 2023 13:12:35 +0200
|
||||||
Subject: [PATCH] Disable running gyp on shared deps
|
Subject: [PATCH] Disable running gyp on shared deps
|
||||||
@ -22,5 +22,5 @@ index ef3eda2..8b52a4f 100644
|
|||||||
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
||||||
$(PYTHON) tools/gyp_node.py -f make
|
$(PYTHON) tools/gyp_node.py -f make
|
||||||
--
|
--
|
||||||
2.41.0
|
2.44.0
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From b9370dcfba759c63e894f12abcf49699f1e8f0dc Mon Sep 17 00:00:00 2001
|
From b7d979b5f7d28114050d1cdc43f39e6e83bd80d5 Mon Sep 17 00:00:00 2001
|
||||||
From: Honza Horak <hhorak@redhat.com>
|
From: Honza Horak <hhorak@redhat.com>
|
||||||
Date: Thu, 12 Oct 2023 13:52:59 +0200
|
Date: Thu, 12 Oct 2023 13:52:59 +0200
|
||||||
Subject: [PATCH] disable fips options
|
Subject: [PATCH] disable fips options
|
||||||
@ -22,5 +22,5 @@ index 59ae7f8..7343396 100644
|
|||||||
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
|
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
|
||||||
if (fips_provider == nullptr)
|
if (fips_provider == nullptr)
|
||||||
--
|
--
|
||||||
2.41.0
|
2.44.0
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From 3cdb8a61ff25e4d299d9d47284da5134bc5f1072 Mon Sep 17 00:00:00 2001
|
From de21a714db98bade7a0438af0a0351a9f53f2fb8 Mon Sep 17 00:00:00 2001
|
||||||
From: rpm-build <rpm-build>
|
From: rpm-build <rpm-build>
|
||||||
Date: Thu, 12 Oct 2023 14:18:12 +0200
|
Date: Thu, 12 Oct 2023 14:18:12 +0200
|
||||||
Subject: [PATCH] deps(nghttp2): update to 1.57.0
|
Subject: [PATCH] deps(nghttp2): update to 1.57.0
|
||||||
@ -5798,5 +5798,5 @@ index 0dcd034..7b02f39 100644
|
|||||||
}
|
}
|
||||||
]
|
]
|
||||||
--
|
--
|
||||||
2.41.0
|
2.44.0
|
||||||
|
|
||||||
|
@ -1,4 +1,7 @@
|
|||||||
Fix CVE-2024-22019
|
From fb8b050abf63459eb83cad4d4bf695c56db2790a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Honza Horak <hhorak@redhat.com>
|
||||||
|
Date: Mon, 15 Apr 2024 15:21:35 +0200
|
||||||
|
Subject: [PATCH] Fix CVE-2024-22019
|
||||||
|
|
||||||
Resolves: RHEL-28064
|
Resolves: RHEL-28064
|
||||||
|
|
||||||
@ -8,17 +11,20 @@ https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
|
|||||||
and necessary rebase of llhttp from 6.0.11 to 6.1.0 that has the needed
|
and necessary rebase of llhttp from 6.0.11 to 6.1.0 that has the needed
|
||||||
chunk features.
|
chunk features.
|
||||||
|
|
||||||
From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001
|
Original patch:
|
||||||
From: Paolo Insogna <paolo@cowtech.it>
|
> From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001
|
||||||
Date: Tue, 9 Jan 2024 18:10:04 +0100
|
> From: Paolo Insogna <paolo@cowtech.it>
|
||||||
Subject: [PATCH] http: add maximum chunk extension size
|
> Date: Tue, 9 Jan 2024 18:10:04 +0100
|
||||||
|
> Subject: [PATCH] http: add maximum chunk extension size
|
||||||
|
>
|
||||||
|
> Cherry-picked from v18 patch:
|
||||||
|
> https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
|
||||||
|
>
|
||||||
|
> PR-URL: https://github.com/nodejs-private/node-private/pull/520
|
||||||
|
> Refs: https://github.com/nodejs-private/node-private/pull/518
|
||||||
|
> CVE-ID: CVE-2024-22019
|
||||||
|
|
||||||
Cherry-picked from v18 patch:
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
|
|
||||||
|
|
||||||
PR-URL: https://github.com/nodejs-private/node-private/pull/520
|
|
||||||
Refs: https://github.com/nodejs-private/node-private/pull/518
|
|
||||||
CVE-ID: CVE-2024-22019
|
|
||||||
---
|
---
|
||||||
deps/llhttp/.gitignore | 1 +
|
deps/llhttp/.gitignore | 1 +
|
||||||
deps/llhttp/CMakeLists.txt | 2 +-
|
deps/llhttp/CMakeLists.txt | 2 +-
|
||||||
@ -36,13 +42,13 @@ CVE-ID: CVE-2024-22019
|
|||||||
|
|
||||||
diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore
|
diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000000..98438a2cd3
|
index 0000000..98438a2
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/deps/llhttp/.gitignore
|
+++ b/deps/llhttp/.gitignore
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+libllhttp.pc
|
+libllhttp.pc
|
||||||
diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt
|
diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt
|
||||||
index d0382038b9..747564a76f 100644
|
index d038203..747564a 100644
|
||||||
--- a/deps/llhttp/CMakeLists.txt
|
--- a/deps/llhttp/CMakeLists.txt
|
||||||
+++ b/deps/llhttp/CMakeLists.txt
|
+++ b/deps/llhttp/CMakeLists.txt
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
@ -55,7 +61,7 @@ index d0382038b9..747564a76f 100644
|
|||||||
|
|
||||||
set(CMAKE_C_STANDARD 99)
|
set(CMAKE_C_STANDARD 99)
|
||||||
diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h
|
diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h
|
||||||
index 2da66f15e6..78f27abc03 100644
|
index 2da66f1..78f27ab 100644
|
||||||
--- a/deps/llhttp/include/llhttp.h
|
--- a/deps/llhttp/include/llhttp.h
|
||||||
+++ b/deps/llhttp/include/llhttp.h
|
+++ b/deps/llhttp/include/llhttp.h
|
||||||
@@ -2,8 +2,8 @@
|
@@ -2,8 +2,8 @@
|
||||||
@ -80,7 +86,7 @@ index 2da66f15e6..78f27abc03 100644
|
|||||||
llhttp_data_cb on_body;
|
llhttp_data_cb on_body;
|
||||||
|
|
||||||
diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c
|
diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c
|
||||||
index c4ce197c58..d3065b3664 100644
|
index c4ce197..d3065b3 100644
|
||||||
--- a/deps/llhttp/src/api.c
|
--- a/deps/llhttp/src/api.c
|
||||||
+++ b/deps/llhttp/src/api.c
|
+++ b/deps/llhttp/src/api.c
|
||||||
@@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) {
|
@@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) {
|
||||||
@ -98,7 +104,7 @@ index c4ce197c58..d3065b3664 100644
|
|||||||
int err;
|
int err;
|
||||||
CALLBACK_MAYBE(s, on_chunk_complete);
|
CALLBACK_MAYBE(s, on_chunk_complete);
|
||||||
diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c
|
diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c
|
||||||
index 5e7c5d1093..e6db6e3188 100644
|
index 5e7c5d1..46f86a0 100644
|
||||||
--- a/deps/llhttp/src/llhttp.c
|
--- a/deps/llhttp/src/llhttp.c
|
||||||
+++ b/deps/llhttp/src/llhttp.c
|
+++ b/deps/llhttp/src/llhttp.c
|
||||||
@@ -340,6 +340,8 @@ enum llparse_state_e {
|
@@ -340,6 +340,8 @@ enum llparse_state_e {
|
||||||
@ -188,7 +194,7 @@ index 5e7c5d1093..e6db6e3188 100644
|
|||||||
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
|
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
|
||||||
+ const unsigned char* start;
|
+ const unsigned char* start;
|
||||||
+ int err;
|
+ int err;
|
||||||
+
|
+
|
||||||
+ start = state->_span_pos0;
|
+ start = state->_span_pos0;
|
||||||
+ state->_span_pos0 = NULL;
|
+ state->_span_pos0 = NULL;
|
||||||
+ err = llhttp__on_chunk_parameters(state, start, p);
|
+ err = llhttp__on_chunk_parameters(state, start, p);
|
||||||
@ -293,7 +299,7 @@ index 5e7c5d1093..e6db6e3188 100644
|
|||||||
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
|
+ s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
|
||||||
+ const unsigned char* start;
|
+ const unsigned char* start;
|
||||||
+ int err;
|
+ int err;
|
||||||
+
|
+
|
||||||
+ start = state->_span_pos0;
|
+ start = state->_span_pos0;
|
||||||
+ state->_span_pos0 = NULL;
|
+ state->_span_pos0 = NULL;
|
||||||
+ err = llhttp__on_chunk_parameters(state, start, p);
|
+ err = llhttp__on_chunk_parameters(state, start, p);
|
||||||
@ -312,7 +318,7 @@ index 5e7c5d1093..e6db6e3188 100644
|
|||||||
state->error = 0x2;
|
state->error = 0x2;
|
||||||
state->reason = "Invalid character in chunk parameters";
|
state->reason = "Invalid character in chunk parameters";
|
||||||
diff --git a/doc/api/errors.md b/doc/api/errors.md
|
diff --git a/doc/api/errors.md b/doc/api/errors.md
|
||||||
index dcf8744d8b..a76bfe528d 100644
|
index dcf8744..a76bfe5 100644
|
||||||
--- a/doc/api/errors.md
|
--- a/doc/api/errors.md
|
||||||
+++ b/doc/api/errors.md
|
+++ b/doc/api/errors.md
|
||||||
@@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then
|
@@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then
|
||||||
@ -335,7 +341,7 @@ index dcf8744d8b..a76bfe528d 100644
|
|||||||
|
|
||||||
### `HPE_UNEXPECTED_CONTENT_LENGTH`
|
### `HPE_UNEXPECTED_CONTENT_LENGTH`
|
||||||
diff --git a/lib/_http_server.js b/lib/_http_server.js
|
diff --git a/lib/_http_server.js b/lib/_http_server.js
|
||||||
index 4e23266f63..325bce6f54 100644
|
index 4e23266..325bce6 100644
|
||||||
--- a/lib/_http_server.js
|
--- a/lib/_http_server.js
|
||||||
+++ b/lib/_http_server.js
|
+++ b/lib/_http_server.js
|
||||||
@@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from(
|
@@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from(
|
||||||
@ -362,7 +368,7 @@ index 4e23266f63..325bce6f54 100644
|
|||||||
response = requestTimeoutResponse;
|
response = requestTimeoutResponse;
|
||||||
break;
|
break;
|
||||||
diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
|
diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
|
||||||
index 74f32480b9..b92e8486ae 100644
|
index 74f3248..b92e848 100644
|
||||||
--- a/src/node_http_parser.cc
|
--- a/src/node_http_parser.cc
|
||||||
+++ b/src/node_http_parser.cc
|
+++ b/src/node_http_parser.cc
|
||||||
@@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5;
|
@@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5;
|
||||||
@ -424,7 +430,7 @@ index 74f32480b9..b92e8486ae 100644
|
|||||||
Proxy<Call, &Parser::on_chunk_header>::Raw,
|
Proxy<Call, &Parser::on_chunk_header>::Raw,
|
||||||
diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js
|
diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000000..6868b3da6c
|
index 0000000..6868b3d
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/test/parallel/test-http-chunk-extensions-limit.js
|
+++ b/test/parallel/test-http-chunk-extensions-limit.js
|
||||||
@@ -0,0 +1,131 @@
|
@@ -0,0 +1,131 @@
|
||||||
@ -560,7 +566,7 @@ index 0000000000..6868b3da6c
|
|||||||
+ });
|
+ });
|
||||||
+}
|
+}
|
||||||
diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh
|
diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh
|
||||||
index 12e2f465d7..a95eef1237 100755
|
index 12e2f46..a95eef1 100755
|
||||||
--- a/tools/update-llhttp.sh
|
--- a/tools/update-llhttp.sh
|
||||||
+++ b/tools/update-llhttp.sh
|
+++ b/tools/update-llhttp.sh
|
||||||
@@ -59,5 +59,5 @@ echo ""
|
@@ -59,5 +59,5 @@ echo ""
|
||||||
@ -571,5 +577,5 @@ index 12e2f465d7..a95eef1237 100755
|
|||||||
+echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\""
|
+echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\""
|
||||||
echo ""
|
echo ""
|
||||||
--
|
--
|
||||||
2.41.0
|
2.44.0
|
||||||
|
|
@ -0,0 +1,42 @@
|
|||||||
|
From 2df9af7073929ab94b6dda040df08bc3ff7d8ab1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: RafaelGSS <rafael.nunu@hotmail.com>
|
||||||
|
Date: Tue, 26 Mar 2024 15:55:13 -0300
|
||||||
|
Subject: [PATCH] src: ensure to close stream when destroying session
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Co-Authored-By: Anna Henningsen <anna@addaleax.net>
|
||||||
|
PR-URL: https://github.com/nodejs-private/node-private/pull/561
|
||||||
|
Fixes: https://hackerone.com/reports/2319584
|
||||||
|
Reviewed-By: Michael Dawson <midawson@redhat.com>
|
||||||
|
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
|
||||||
|
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
|
||||||
|
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
|
||||||
|
CVE-ID: CVE-2024-27983
|
||||||
|
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||||
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
|
---
|
||||||
|
src/node_http2.cc | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/node_http2.cc b/src/node_http2.cc
|
||||||
|
index 53216dc..9a6d63d 100644
|
||||||
|
--- a/src/node_http2.cc
|
||||||
|
+++ b/src/node_http2.cc
|
||||||
|
@@ -529,6 +529,12 @@ Http2Session::Http2Session(Http2State* http2_state,
|
||||||
|
Http2Session::~Http2Session() {
|
||||||
|
CHECK(!is_in_scope());
|
||||||
|
Debug(this, "freeing nghttp2 session");
|
||||||
|
+ // Ensure that all `Http2Stream` instances and the memory they hold
|
||||||
|
+ // on to are destroyed before the nghttp2 session is.
|
||||||
|
+ for (const auto& [id, stream] : streams_) {
|
||||||
|
+ stream->Detach();
|
||||||
|
+ }
|
||||||
|
+ streams_.clear();
|
||||||
|
// Explicitly reset session_ so the subsequent
|
||||||
|
// current_nghttp2_memory_ check passes.
|
||||||
|
session_.reset();
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
112
0006-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
Normal file
112
0006-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
Normal file
@ -0,0 +1,112 @@
|
|||||||
|
From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
||||||
|
Date: Sat, 9 Mar 2024 16:26:42 +0900
|
||||||
|
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||||
|
Fixes: CVE-2024-28182
|
||||||
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
|
---
|
||||||
|
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++-
|
||||||
|
deps/nghttp2/lib/nghttp2_helper.c | 2 ++
|
||||||
|
deps/nghttp2/lib/nghttp2_session.c | 7 +++++++
|
||||||
|
deps/nghttp2/lib/nghttp2_session.h | 10 ++++++++++
|
||||||
|
4 files changed, 25 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||||
|
index fa22081..b394bde 100644
|
||||||
|
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||||
|
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||||
|
@@ -440,7 +440,12 @@ typedef enum {
|
||||||
|
* exhaustion on server side to send these frames forever and does
|
||||||
|
* not read network.
|
||||||
|
*/
|
||||||
|
- NGHTTP2_ERR_FLOODED = -904
|
||||||
|
+ NGHTTP2_ERR_FLOODED = -904,
|
||||||
|
+ /**
|
||||||
|
+ * When a local endpoint receives too many CONTINUATION frames
|
||||||
|
+ * following a HEADER frame.
|
||||||
|
+ */
|
||||||
|
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
|
||||||
|
} nghttp2_error;
|
||||||
|
|
||||||
|
/**
|
||||||
|
diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
|
||||||
|
index 93dd475..b3563d9 100644
|
||||||
|
--- a/deps/nghttp2/lib/nghttp2_helper.c
|
||||||
|
+++ b/deps/nghttp2/lib/nghttp2_helper.c
|
||||||
|
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
|
||||||
|
"closed";
|
||||||
|
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
|
||||||
|
return "SETTINGS frame contained more than the maximum allowed entries";
|
||||||
|
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
|
||||||
|
+ return "Too many CONTINUATION frames following a HEADER frame";
|
||||||
|
default:
|
||||||
|
return "Unknown error code";
|
||||||
|
}
|
||||||
|
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
|
||||||
|
index ec5024d..8e4d2e7 100644
|
||||||
|
--- a/deps/nghttp2/lib/nghttp2_session.c
|
||||||
|
+++ b/deps/nghttp2/lib/nghttp2_session.c
|
||||||
|
@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
|
||||||
|
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
|
||||||
|
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
|
||||||
|
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
|
||||||
|
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
|
||||||
|
|
||||||
|
if (option) {
|
||||||
|
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
|
||||||
|
@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
session_inbound_frame_reset(session);
|
||||||
|
+
|
||||||
|
+ session->num_continuations = 0;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
|
||||||
|
}
|
||||||
|
#endif /* DEBUGBUILD */
|
||||||
|
|
||||||
|
+ if (++session->num_continuations > session->max_continuations) {
|
||||||
|
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
readlen = inbound_frame_buf_read(iframe, in, last);
|
||||||
|
in += readlen;
|
||||||
|
|
||||||
|
diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
|
||||||
|
index b119329..ef8f7b2 100644
|
||||||
|
--- a/deps/nghttp2/lib/nghttp2_session.h
|
||||||
|
+++ b/deps/nghttp2/lib/nghttp2_session.h
|
||||||
|
@@ -110,6 +110,10 @@ typedef struct {
|
||||||
|
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
|
||||||
|
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
|
||||||
|
|
||||||
|
+/* The default max number of CONTINUATION frames following an incoming
|
||||||
|
+ HEADER frame. */
|
||||||
|
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
|
||||||
|
+
|
||||||
|
/* Internal state when receiving incoming frame */
|
||||||
|
typedef enum {
|
||||||
|
/* Receiving frame header */
|
||||||
|
@@ -290,6 +294,12 @@ struct nghttp2_session {
|
||||||
|
size_t max_send_header_block_length;
|
||||||
|
/* The maximum number of settings accepted per SETTINGS frame. */
|
||||||
|
size_t max_settings;
|
||||||
|
+ /* The maximum number of CONTINUATION frames following an incoming
|
||||||
|
+ HEADER frame. */
|
||||||
|
+ size_t max_continuations;
|
||||||
|
+ /* The number of CONTINUATION frames following an incoming HEADER
|
||||||
|
+ frame. This variable is reset when END_HEADERS flag is seen. */
|
||||||
|
+ size_t num_continuations;
|
||||||
|
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
|
||||||
|
uint32_t next_stream_id;
|
||||||
|
/* The last stream ID this session initiated. For client session,
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
94
0007-Add-nghttp2_option_set_max_continuations.patch
Normal file
94
0007-Add-nghttp2_option_set_max_continuations.patch
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
From 625b03149d2ec68cdbcfe3f2801d6f0420d917cb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
|
||||||
|
Date: Sat, 9 Mar 2024 16:48:10 +0900
|
||||||
|
Subject: [PATCH] Add nghttp2_option_set_max_continuations
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||||
|
Related: CVE-2024-28182
|
||||||
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
|
---
|
||||||
|
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
|
||||||
|
deps/nghttp2/lib/nghttp2_option.c | 5 +++++
|
||||||
|
deps/nghttp2/lib/nghttp2_option.h | 5 +++++
|
||||||
|
deps/nghttp2/lib/nghttp2_session.c | 4 ++++
|
||||||
|
4 files changed, 25 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||||
|
index b394bde..4d3339b 100644
|
||||||
|
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||||
|
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||||
|
@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
|
||||||
|
nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
||||||
|
uint64_t burst, uint64_t rate);
|
||||||
|
|
||||||
|
+/**
|
||||||
|
+ * @function
|
||||||
|
+ *
|
||||||
|
+ * This function sets the maximum number of CONTINUATION frames
|
||||||
|
+ * following an incoming HEADER frame. If more than those frames are
|
||||||
|
+ * received, the remote endpoint is considered to be misbehaving and
|
||||||
|
+ * session will be closed. The default value is 8.
|
||||||
|
+ */
|
||||||
|
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
|
||||||
|
+ size_t val);
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* @function
|
||||||
|
*
|
||||||
|
diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c
|
||||||
|
index 43d4e95..53144b9 100644
|
||||||
|
--- a/deps/nghttp2/lib/nghttp2_option.c
|
||||||
|
+++ b/deps/nghttp2/lib/nghttp2_option.c
|
||||||
|
@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
|
||||||
|
option->stream_reset_burst = burst;
|
||||||
|
option->stream_reset_rate = rate;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
|
||||||
|
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
|
||||||
|
+ option->max_continuations = val;
|
||||||
|
+}
|
||||||
|
diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h
|
||||||
|
index 2259e18..c89cb97 100644
|
||||||
|
--- a/deps/nghttp2/lib/nghttp2_option.h
|
||||||
|
+++ b/deps/nghttp2/lib/nghttp2_option.h
|
||||||
|
@@ -71,6 +71,7 @@ typedef enum {
|
||||||
|
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
|
||||||
|
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
|
||||||
|
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
|
||||||
|
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
|
||||||
|
} nghttp2_option_flag;
|
||||||
|
|
||||||
|
/**
|
||||||
|
@@ -98,6 +99,10 @@ struct nghttp2_option {
|
||||||
|
* NGHTTP2_OPT_MAX_SETTINGS
|
||||||
|
*/
|
||||||
|
size_t max_settings;
|
||||||
|
+ /**
|
||||||
|
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
|
||||||
|
+ */
|
||||||
|
+ size_t max_continuations;
|
||||||
|
/**
|
||||||
|
* Bitwise OR of nghttp2_option_flag to determine that which fields
|
||||||
|
* are specified.
|
||||||
|
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
|
||||||
|
index 8e4d2e7..ced7517 100644
|
||||||
|
--- a/deps/nghttp2/lib/nghttp2_session.c
|
||||||
|
+++ b/deps/nghttp2/lib/nghttp2_session.c
|
||||||
|
@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
|
||||||
|
option->stream_reset_burst,
|
||||||
|
option->stream_reset_rate);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
|
||||||
|
+ (*session_ptr)->max_continuations = option->max_continuations;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
150
0008-zlib-pause-stream-if-outgoing-buffer-is-full.patch
Normal file
150
0008-zlib-pause-stream-if-outgoing-buffer-is-full.patch
Normal file
File diff suppressed because one or more lines are too long
39
0009-Address-CVE-2024-25629.patch
Normal file
39
0009-Address-CVE-2024-25629.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
From ec80a9196e2aedfd617d05964725f113000a41ea Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brad House <brad@brad-house.com>
|
||||||
|
Date: Thu, 22 Feb 2024 16:23:33 -0500
|
||||||
|
Subject: [PATCH] Address CVE-2024-25629
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Original commit title: Merge pull request from GHSA-mg26-v6qh-x48q
|
||||||
|
|
||||||
|
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||||
|
Fixes: CVE-2024-25629
|
||||||
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
|
---
|
||||||
|
deps/cares/src/lib/ares__read_line.c | 8 ++++++++
|
||||||
|
1 file changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/deps/cares/src/lib/ares__read_line.c b/deps/cares/src/lib/ares__read_line.c
|
||||||
|
index c62ad2a..16627e4 100644
|
||||||
|
--- a/deps/cares/src/lib/ares__read_line.c
|
||||||
|
+++ b/deps/cares/src/lib/ares__read_line.c
|
||||||
|
@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
|
||||||
|
if (!fgets(*buf + offset, bytestoread, fp))
|
||||||
|
return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
|
||||||
|
len = offset + strlen(*buf + offset);
|
||||||
|
+
|
||||||
|
+ /* Probably means there was an embedded NULL as the first character in
|
||||||
|
+ * the line, throw away line */
|
||||||
|
+ if (len == 0) {
|
||||||
|
+ offset = 0;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if ((*buf)[len - 1] == '\n')
|
||||||
|
{
|
||||||
|
(*buf)[len - 1] = 0;
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
18
nodejs.spec
18
nodejs.spec
@ -30,7 +30,7 @@
|
|||||||
# This is used by both the nodejs package and the npm subpackage that
|
# This is used by both the nodejs package and the npm subpackage that
|
||||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||||
# will bump this rather than adding .1 to the end.
|
# will bump this rather than adding .1 to the end.
|
||||||
%global baserelease 4
|
%global baserelease 5
|
||||||
|
|
||||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||||
|
|
||||||
@ -184,7 +184,17 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
|
|||||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||||
Patch2: 0002-disable-fips-options.patch
|
Patch2: 0002-disable-fips-options.patch
|
||||||
Patch3: 0003-deps-nghttp2-update-to-1.57.0.patch
|
Patch3: 0003-deps-nghttp2-update-to-1.57.0.patch
|
||||||
Patch4: nodejs-CVE-2024-22019.patch
|
Patch4: 0004-Fix-CVE-2024-22019.patch
|
||||||
|
# CVE-2025-27983
|
||||||
|
Patch5: 0005-src-ensure-to-close-stream-when-destroying-session.patch
|
||||||
|
# CVE-2024-28182
|
||||||
|
Patch6: 0006-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
|
||||||
|
# CVE-2024-28182
|
||||||
|
Patch7: 0007-Add-nghttp2_option_set_max_continuations.patch
|
||||||
|
# CVE-2024-22025
|
||||||
|
Patch8: 0008-zlib-pause-stream-if-outgoing-buffer-is-full.patch
|
||||||
|
# CVE-2024-25629
|
||||||
|
Patch9: 0009-Address-CVE-2024-25629.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
@ -724,6 +734,10 @@ end
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 08 2024 Jan Staněk <jstanek@redhat.com> - 1:16.20.2-5
|
||||||
|
- Backport patches for several CVEs.
|
||||||
|
Fixes CVE-2024-22025 CVE-2024-25629 CVE-2024-27983 CVE-2024-28182
|
||||||
|
|
||||||
* Tue Mar 05 2024 Honza Horak <hhorak@redhat.com> - 1:16.20.2-4
|
* Tue Mar 05 2024 Honza Horak <hhorak@redhat.com> - 1:16.20.2-4
|
||||||
- Fix CVE-2024-22019
|
- Fix CVE-2024-22019
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user