diff --git a/debian/changelog b/debian/changelog index d73f283..9758a85 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,40 @@ +nginx (1.10.3-1+deb9u4) stretch-security; urgency=high + + * Handle CVE-2019-20372, error page request smuggling + (Closes: #948579) + + -- Christos Trochalakis Sat, 11 Jan 2020 09:28:05 +0200 + +nginx (1.10.3-1+deb9u3) stretch-security; urgency=high + + * Backport upstream fixes for 3 CVEs (Closes: #935037) + Those fixes affect Nginx HTTP/2 implementation, which might cause + excessive memory consumption and CPU usage. + (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + -- Christos Trochalakis Mon, 19 Aug 2019 12:31:19 +0300 + +nginx (1.10.3-1+deb9u2) stretch-security; urgency=high + + * Backport http2_max_requests directive needed for + CVE-2018-16844 mitigation + * Backport upstream fixes for 3 CVEs (Closes: #913090) + + CVE-2018-16843 Excessive memory usage in HTTP/2 + + CVE-2018-16844 Excessive CPU usage in HTTP/2 + This change limits the maximum allowed number of idle state + switches to 10 * http2_max_requests (i.e., 10000 by default). + This limits possible CPU usage in one connection, and also + imposes a limit on the maximum lifetime of a connection + + CVE-2018-16845 Memory disclosure in the ngx_http_mp4_module + + -- Christos Trochalakis Wed, 07 Nov 2018 07:40:42 +0200 + +nginx (1.10.3-1+deb9u1) stretch-security; urgency=high + + * Handle CVE-2017-7529 Integer overflow in the range filter (Closes: #868109) + + -- Christos Trochalakis Wed, 12 Jul 2017 08:44:59 +0300 + nginx (1.10.3-1) unstable; urgency=medium * New upstream release. (Closes: #855113) diff --git a/debian/gbp.conf b/debian/gbp.conf index af46c8f..4d966fa 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,3 +1,5 @@ [DEFAULT] pristine-tar = True +dist=stretch +debian-branch=stretch diff --git a/debian/patches/CVE-2017-7529-Range-filter.patch b/debian/patches/CVE-2017-7529-Range-filter.patch new file mode 100644 index 0000000..0a34876 --- /dev/null +++ b/debian/patches/CVE-2017-7529-Range-filter.patch @@ -0,0 +1,46 @@ +From 455bd729517f770b2e70a5f51f27c713f2e3973e Mon Sep 17 00:00:00 2001 +From: Maxim Dounin +Date: Tue, 11 Jul 2017 16:06:23 +0300 +Subject: [PATCH] Range filter: protect from total size overflows. + +The overflow can be used to circumvent the restriction on total size of +ranges introduced in c2a91088b0c0 (1.1.2). Additionally, overflow +allows producing ranges with negative start (such ranges can be created +by using a suffix, "bytes=-100"; normally this results in 200 due to +the total size check). These can result in the following errors in logs: + +[crit] ... pread() ... failed (22: Invalid argument) +[alert] ... sendfile() failed (22: Invalid argument) + +When using cache, it can be also used to reveal cache file header. +It is believed that there are no other negative effects, at least with +standard nginx modules. + +In theory, this can also result in memory disclosure and/or segmentation +faults if multiple ranges are allowed, and the response is returned in a +single in-memory buffer. This never happens with standard nginx modules +though, as well as known 3rd party modules. + +Fix is to properly protect from possible overflow when incrementing size. +--- + src/http/modules/ngx_http_range_filter_module.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c +index 951a00de..59d273b7 100644 +--- a/src/http/modules/ngx_http_range_filter_module.c ++++ b/src/http/modules/ngx_http_range_filter_module.c +@@ -377,6 +377,10 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx, + range->start = start; + range->end = end; + ++ if (size > NGX_MAX_OFF_T_VALUE - (end - start)) { ++ return NGX_HTTP_RANGE_NOT_SATISFIABLE; ++ } ++ + size += end - start; + + if (ranges-- == 0) { +-- +2.13.2 + diff --git a/debian/patches/CVE-2018-16843-0-HTTP-2-flood-detection.patch b/debian/patches/CVE-2018-16843-0-HTTP-2-flood-detection.patch new file mode 100644 index 0000000..d3e3fc7 --- /dev/null +++ b/debian/patches/CVE-2018-16843-0-HTTP-2-flood-detection.patch @@ -0,0 +1,65 @@ +From 1ee3bc11f75cc079494635974f6fabb1e25380d1 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 6 Nov 2018 16:29:35 +0300 +Subject: [PATCH 11/12] HTTP/2: flood detection. + +Fixed uncontrolled memory growth in case peer is flooding us with +some frames (e.g., SETTINGS and PING) and doesn't read data. Fix +is to limit the number of allocated control frames. +--- + src/http/v2/ngx_http_v2.c | 12 +++++++++++- + src/http/v2/ngx_http_v2.h | 1 + + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 421ec6e9..334b558e 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -649,6 +649,7 @@ ngx_http_v2_handle_connection(ngx_http_v2_connection_t *h2c) + + h2c->pool = NULL; + h2c->free_frames = NULL; ++ h2c->frames = 0; + h2c->free_fake_connections = NULL; + + #if (NGX_HTTP_SSL) +@@ -2620,7 +2621,7 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length, + + frame->blocked = 0; + +- } else { ++ } else if (h2c->frames < 10000) { + pool = h2c->pool ? h2c->pool : h2c->connection->pool; + + frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t)); +@@ -2644,6 +2645,15 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length, + frame->last = frame->first; + + frame->handler = ngx_http_v2_frame_handler; ++ ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + #if (NGX_DEBUG) +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 2f519e18..2638bb5f 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -115,6 +115,7 @@ struct ngx_http_v2_connection_s { + ngx_http_connection_t *http_connection; + + ngx_uint_t processing; ++ ngx_uint_t frames; + + size_t send_window; + size_t recv_window; +-- +2.19.1 + diff --git a/debian/patches/CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch b/debian/patches/CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch new file mode 100644 index 0000000..7525030 --- /dev/null +++ b/debian/patches/CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch @@ -0,0 +1,45 @@ +From 1e4a302630aeb7367ba0e31dc469f6919e766e5d Mon Sep 17 00:00:00 2001 +From: Christos Trochalakis +Date: Wed, 7 Nov 2018 14:48:22 +0200 +Subject: [PATCH] Adapt HTTP/2 flood detection to nginx 1.10.3 + +To mitigate CVE-2018-16843 the allocated frames has to be checked in +ngx_http_v2_send_settings() as well since SETTINGS frames are handled +separately before 1.13.2 (http://hg.nginx.org/nginx/rev/79de0d2aa432) +Thanks to Nginx's Maxim Dounin for his help. +--- + src/http/v2/ngx_http_v2.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 1d28fd6b..c8769e39 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -1969,7 +1969,9 @@ ngx_http_v2_state_settings(ngx_http_v2_connection_t *h2c, u_char *pos, + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); + } + +- ngx_http_v2_send_settings(h2c, 1); ++ if (ngx_http_v2_send_settings(h2c, 1) == NGX_ERROR) { ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); ++ } + + return ngx_http_v2_state_settings_params(h2c, pos, end); + } +@@ -2453,6 +2455,13 @@ ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c, ngx_uint_t ack) + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, + "http2 send SETTINGS frame ack:%ui", ack); + ++ if (h2c->frames++ > 10000) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ h2c->connection->error = 1; ++ return NGX_ERROR; ++ } ++ + frame = ngx_palloc(h2c->pool, sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NGX_ERROR; +-- +2.19.1 + diff --git a/debian/patches/CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch b/debian/patches/CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch new file mode 100644 index 0000000..fc3b698 --- /dev/null +++ b/debian/patches/CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch @@ -0,0 +1,114 @@ +From 7b96e3b569b1b8ab0939c61c834d23caba21d4fb Mon Sep 17 00:00:00 2001 +From: Valentin Bartenev +Date: Mon, 31 Oct 2016 16:33:02 +0300 +Subject: [PATCH 20/21] HTTP/2: limited maximum number of requests in + connection. + +The new directive "http2_max_requests" is introduced. From users point of +view it works quite similar to "keepalive_requests" but has significantly +bigger default value that is more suitable for HTTP/2. +--- + src/http/v2/ngx_http_v2.c | 30 ++++++++++++++++++++++-------- + src/http/v2/ngx_http_v2_module.c | 9 +++++++++ + src/http/v2/ngx_http_v2_module.h | 1 + + 3 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 70b6c607..1d28fd6b 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -325,16 +325,21 @@ ngx_http_v2_read_handler(ngx_event_t *rev) + + if (c->close) { + c->close = 0; +- h2c->goaway = 1; + +- if (ngx_http_v2_send_goaway(h2c, NGX_HTTP_V2_NO_ERROR) == NGX_ERROR) { +- ngx_http_v2_finalize_connection(h2c, 0); +- return; +- } ++ if (!h2c->goaway) { ++ h2c->goaway = 1; + +- if (ngx_http_v2_send_output_queue(h2c) == NGX_ERROR) { +- ngx_http_v2_finalize_connection(h2c, 0); +- return; ++ if (ngx_http_v2_send_goaway(h2c, NGX_HTTP_V2_NO_ERROR) ++ == NGX_ERROR) ++ { ++ ngx_http_v2_finalize_connection(h2c, 0); ++ return; ++ } ++ ++ if (ngx_http_v2_send_output_queue(h2c) == NGX_ERROR) { ++ ngx_http_v2_finalize_connection(h2c, 0); ++ return; ++ } + } + + h2c->blocked = 0; +@@ -1155,6 +1160,15 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + ngx_http_v2_set_dependency(h2c, node, depend, excl); + } + ++ if (h2c->connection->requests >= h2scf->max_requests) { ++ h2c->goaway = 1; ++ ++ if (ngx_http_v2_send_goaway(h2c, NGX_HTTP_V2_NO_ERROR) == NGX_ERROR) { ++ return ngx_http_v2_connection_error(h2c, ++ NGX_HTTP_V2_INTERNAL_ERROR); ++ } ++ } ++ + return ngx_http_v2_state_header_block(h2c, pos, end); + + rst_stream: +diff --git a/src/http/v2/ngx_http_v2_module.c b/src/http/v2/ngx_http_v2_module.c +index b7d99e05..032abcb6 100644 +--- a/src/http/v2/ngx_http_v2_module.c ++++ b/src/http/v2/ngx_http_v2_module.c +@@ -73,6 +73,13 @@ static ngx_command_t ngx_http_v2_commands[] = { + offsetof(ngx_http_v2_srv_conf_t, concurrent_streams), + NULL }, + ++ { ngx_string("http2_max_requests"), ++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_HTTP_SRV_CONF_OFFSET, ++ offsetof(ngx_http_v2_srv_conf_t, max_requests), ++ NULL }, ++ + { ngx_string("http2_max_field_size"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_size_slot, +@@ -322,6 +329,7 @@ ngx_http_v2_create_srv_conf(ngx_conf_t *cf) + h2scf->pool_size = NGX_CONF_UNSET_SIZE; + + h2scf->concurrent_streams = NGX_CONF_UNSET_UINT; ++ h2scf->max_requests = NGX_CONF_UNSET_UINT; + + h2scf->max_field_size = NGX_CONF_UNSET_SIZE; + h2scf->max_header_size = NGX_CONF_UNSET_SIZE; +@@ -347,6 +355,7 @@ ngx_http_v2_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + + ngx_conf_merge_uint_value(conf->concurrent_streams, + prev->concurrent_streams, 128); ++ ngx_conf_merge_uint_value(conf->max_requests, prev->max_requests, 1000); + + ngx_conf_merge_size_value(conf->max_field_size, prev->max_field_size, + 4096); +diff --git a/src/http/v2/ngx_http_v2_module.h b/src/http/v2/ngx_http_v2_module.h +index 91f97c25..540f8267 100644 +--- a/src/http/v2/ngx_http_v2_module.h ++++ b/src/http/v2/ngx_http_v2_module.h +@@ -23,6 +23,7 @@ typedef struct { + typedef struct { + size_t pool_size; + ngx_uint_t concurrent_streams; ++ ngx_uint_t max_requests; + size_t max_field_size; + size_t max_header_size; + size_t preread_size; +-- +2.19.1 + diff --git a/debian/patches/CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch b/debian/patches/CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch new file mode 100644 index 0000000..28998ca --- /dev/null +++ b/debian/patches/CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch @@ -0,0 +1,63 @@ +From 175adc8124e3e1992d8bb85aef071f43535c09bc Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 6 Nov 2018 16:29:49 +0300 +Subject: [PATCH 12/12] HTTP/2: limit the number of idle state switches. + +An attack that continuously switches HTTP/2 connection between +idle and active states can result in excessive CPU usage. +This is because when a connection switches to the idle state, +all of its memory pool caches are freed. + +This change limits the maximum allowed number of idle state +switches to 10 * http2_max_requests (i.e., 10000 by default). +This limits possible CPU usage in one connection, and also +imposes a limit on the maximum lifetime of a connection. + +Initially reported by Gal Goldshtein from F5 Networks. +--- + src/http/v2/ngx_http_v2.c | 13 ++++++++++--- + src/http/v2/ngx_http_v2.h | 1 + + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 334b558e..70b6c607 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4181,12 +4181,19 @@ ngx_http_v2_idle_handler(ngx_event_t *rev) + + #endif + +- c->destroyed = 0; +- ngx_reusable_connection(c, 0); +- + h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, + ngx_http_v2_module); + ++ if (h2c->idle++ > 10 * h2scf->max_requests) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR); ++ return; ++ } ++ ++ c->destroyed = 0; ++ ngx_reusable_connection(c, 0); ++ + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { + ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR); +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 2638bb5f..c22991f3 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -116,6 +116,7 @@ struct ngx_http_v2_connection_s { + + ngx_uint_t processing; + ngx_uint_t frames; ++ ngx_uint_t idle; + + size_t send_window; + size_t recv_window; +-- +2.19.1 + diff --git a/debian/patches/CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch b/debian/patches/CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch new file mode 100644 index 0000000..a45ab9c --- /dev/null +++ b/debian/patches/CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch @@ -0,0 +1,35 @@ +From 88be1860f976962c23e300ba616fe491b60b36d7 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Tue, 6 Nov 2018 16:29:18 +0300 +Subject: [PATCH 10/12] Mp4: fixed reading 64-bit atoms. + +Previously there was no validation for the size of a 64-bit atom +in an mp4 file. This could lead to a CPU hog when the size is 0, +or various other problems due to integer underflow when calculating +atom data size, including segmentation fault or worker process +memory disclosure. +--- + src/http/modules/ngx_http_mp4_module.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 16ef83cf..c1d36879 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -896,6 +896,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file_t *mp4, + atom_size = ngx_mp4_get_64value(atom_header + 8); + atom_header_size = sizeof(ngx_mp4_atom_header64_t); + ++ if (atom_size < sizeof(ngx_mp4_atom_header64_t)) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "\"%s\" mp4 atom is too small:%uL", ++ mp4->file.name.data, atom_size); ++ return NGX_ERROR; ++ } ++ + } else { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 atom is too small:%uL", +-- +2.19.1 + diff --git a/debian/patches/CVE-2019-20372.patch b/debian/patches/CVE-2019-20372.patch new file mode 100644 index 0000000..7793fa4 --- /dev/null +++ b/debian/patches/CVE-2019-20372.patch @@ -0,0 +1,31 @@ +From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Mon, 23 Dec 2019 15:45:46 +0300 +Subject: [PATCH] Discard request body when redirecting to a URL via + error_page. + +Reported by Bert JW Regeer and Francisco Oca Gonzalez. +--- + src/http/ngx_http_special_response.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 2c1ff174..e2a5e9dc 100644 +--- a/src/http/ngx_http_special_response.c ++++ b/src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) { +-- +2.23.0 + diff --git a/debian/patches/CVE-2019-9511.patch b/debian/patches/CVE-2019-9511.patch new file mode 100644 index 0000000..2c3faf0 --- /dev/null +++ b/debian/patches/CVE-2019-9511.patch @@ -0,0 +1,88 @@ +From 28cb833d0db4d899e486991bda31dcffb2960592 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 13 Aug 2019 15:43:36 +0300 +Subject: [PATCH 2/3] HTTP/2: limited number of DATA frames. + +Fixed excessive memory growth and CPU usage if stream windows are +manipulated in a way that results in generating many small DATA frames. +Fix is to limit the number of simultaneously allocated DATA frames. +--- + src/http/v2/ngx_http_v2.c | 2 ++ + src/http/v2/ngx_http_v2.h | 2 ++ + src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++----- + 3 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 9b1fbd7d..838d1b4f 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4072,6 +4072,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) + */ + pool = stream->pool; + ++ h2c->frames -= stream->frames; ++ + ngx_http_free_request(stream->request, rc); + + if (pool != h2c->state.pool) { +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index c22991f3..792c0a3a 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -181,6 +181,8 @@ struct ngx_http_v2_stream_s { + + ngx_buf_t *preread; + ++ ngx_uint_t frames; ++ + ngx_http_v2_out_frame_t *free_frames; + ngx_chain_t *free_frame_headers; + ngx_chain_t *free_bufs; +diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c +index fa53070c..8eed4456 100644 +--- a/src/http/v2/ngx_http_v2_filter_module.c ++++ b/src/http/v2/ngx_http_v2_filter_module.c +@@ -999,23 +999,35 @@ static ngx_http_v2_out_frame_t * + ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, + size_t len, ngx_chain_t *first, ngx_chain_t *last) + { +- u_char flags; +- ngx_buf_t *buf; +- ngx_chain_t *cl; +- ngx_http_v2_out_frame_t *frame; ++ u_char flags; ++ ngx_buf_t *buf; ++ ngx_chain_t *cl; ++ ngx_http_v2_out_frame_t *frame; ++ ngx_http_v2_connection_t *h2c; + + + frame = stream->free_frames; ++ h2c = stream->connection; + + if (frame) { + stream->free_frames = frame->next; + +- } else { ++ } else if (h2c->frames < 10000) { + frame = ngx_palloc(stream->request->pool, + sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NULL; + } ++ ++ stream->frames++; ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; +-- +2.20.1 + diff --git a/debian/patches/CVE-2019-9513.patch b/debian/patches/CVE-2019-9513.patch new file mode 100644 index 0000000..2841c92 --- /dev/null +++ b/debian/patches/CVE-2019-9513.patch @@ -0,0 +1,65 @@ +From 52c85196438b1a893fc3180d29dc5c5ced55b3bc Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 13 Aug 2019 15:43:40 +0300 +Subject: [PATCH 3/3] HTTP/2: limited number of PRIORITY frames. + +Fixed excessive CPU usage caused by a peer that continuously shuffles +priority of streams. Fix is to limit the number of PRIORITY frames. + +Backported for Nginx 1.10 +--- + src/http/v2/ngx_http_v2.c | 11 +++++++++++ + src/http/v2/ngx_http_v2.h | 1 + + 2 files changed, 12 insertions(+) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 838d1b4f..547864a6 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -247,6 +247,8 @@ ngx_http_v2_init(ngx_event_t *rev) + + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); + ++ h2c->priority_limit = h2scf->concurrent_streams; ++ + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { + ngx_http_close_connection(c); +@@ -1790,6 +1792,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos, + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); + } + ++ if (--h2c->priority_limit == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many PRIORITY frames"); ++ ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); ++ } ++ + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { + return ngx_http_v2_state_save(h2c, pos, end, + ngx_http_v2_state_priority); +@@ -2857,6 +2866,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c) + + h2c->processing++; + ++ h2c->priority_limit += h2scf->concurrent_streams; ++ + return stream; + } + +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 792c0a3a..1fba1b20 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -117,6 +117,7 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t priority_limit; + + size_t send_window; + size_t recv_window; +-- +2.20.1 + diff --git a/debian/patches/CVE-2019-9516.patch b/debian/patches/CVE-2019-9516.patch new file mode 100644 index 0000000..83aa32e --- /dev/null +++ b/debian/patches/CVE-2019-9516.patch @@ -0,0 +1,45 @@ +From 6d953dc78fdc445acc00e02540bded7c3b3af921 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Tue, 13 Aug 2019 15:43:32 +0300 +Subject: [PATCH 1/3] HTTP/2: reject zero length headers with PROTOCOL_ERROR. + +Fixed uncontrolled memory growth if peer sends a stream of +headers with a 0-length header name and 0-length header value. +Fix is to reject headers with zero name length. +--- + src/http/v2/ngx_http_v2.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index c8769e39..9b1fbd7d 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -1533,6 +1533,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, + header->name.len = h2c->state.field_end - h2c->state.field_start; + header->name.data = h2c->state.field_start; + ++ if (header->name.len == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent zero header name length"); ++ ++ return ngx_http_v2_connection_error(h2c, ++ NGX_HTTP_V2_PROTOCOL_ERROR); ++ } ++ + return ngx_http_v2_state_field_len(h2c, pos, end); + } + +@@ -2986,10 +2994,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) + ngx_uint_t i; + ngx_http_core_srv_conf_t *cscf; + +- if (header->name.len == 0) { +- return NGX_ERROR; +- } +- + r->invalid_header = 0; + + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index 69175ec..8aaeeeb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,13 @@ perl-use-dpkg-buildflags.patch 0004-SSL-error-messages-style.patch 0005-SSL-style.patch 0006-SSL-support-for-multiple-curves-ticket-885.patch +CVE-2017-7529-Range-filter.patch +CVE-2018-16843-0-HTTP-2-flood-detection.patch +CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch +CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch +CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch +CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch +CVE-2019-9516.patch +CVE-2019-9511.patch +CVE-2019-9513.patch +CVE-2019-20372.patch