From ee65e876ac20c6d0c6725e49cb4d09d72358c21b Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Wed, 12 Jul 2017 08:38:05 +0300 Subject: [PATCH 1/7] Handle CVE-2017-7529 Integer overflow in the range filter A security issue was identified in nginx range filter. A specially crafted request might result in an integer overflow and incorrect processing of ranges, potentially resulting in sensitive information leak (CVE-2017-7529). When using nginx with standard modules this allows an attacker to obtain a cache file header if a response was returned from cache. In some configurations a cache file header may contain IP address of the backend server or other sensitive information. Besides, with 3rd party modules it is potentially possible that the issue may lead to a denial of service or a disclosure of a worker process memory. No such modules are currently known though. The issue affects nginx 0.5.6 - 1.13.2. The issue is fixed in nginx 1.13.3, 1.12.1. For older versions, the following configuration can be used as a temporary workaround: max_ranges 1; See http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html Closes: #868109 --- .../patches/CVE-2017-7529-Range-filter.patch | 46 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 47 insertions(+) create mode 100644 debian/patches/CVE-2017-7529-Range-filter.patch diff --git a/debian/patches/CVE-2017-7529-Range-filter.patch b/debian/patches/CVE-2017-7529-Range-filter.patch new file mode 100644 index 0000000..0a34876 --- /dev/null +++ b/debian/patches/CVE-2017-7529-Range-filter.patch @@ -0,0 +1,46 @@ +From 455bd729517f770b2e70a5f51f27c713f2e3973e Mon Sep 17 00:00:00 2001 +From: Maxim Dounin +Date: Tue, 11 Jul 2017 16:06:23 +0300 +Subject: [PATCH] Range filter: protect from total size overflows. + +The overflow can be used to circumvent the restriction on total size of +ranges introduced in c2a91088b0c0 (1.1.2). Additionally, overflow +allows producing ranges with negative start (such ranges can be created +by using a suffix, "bytes=-100"; normally this results in 200 due to +the total size check). These can result in the following errors in logs: + +[crit] ... pread() ... failed (22: Invalid argument) +[alert] ... sendfile() failed (22: Invalid argument) + +When using cache, it can be also used to reveal cache file header. +It is believed that there are no other negative effects, at least with +standard nginx modules. + +In theory, this can also result in memory disclosure and/or segmentation +faults if multiple ranges are allowed, and the response is returned in a +single in-memory buffer. This never happens with standard nginx modules +though, as well as known 3rd party modules. + +Fix is to properly protect from possible overflow when incrementing size. +--- + src/http/modules/ngx_http_range_filter_module.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c +index 951a00de..59d273b7 100644 +--- a/src/http/modules/ngx_http_range_filter_module.c ++++ b/src/http/modules/ngx_http_range_filter_module.c +@@ -377,6 +377,10 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx, + range->start = start; + range->end = end; + ++ if (size > NGX_MAX_OFF_T_VALUE - (end - start)) { ++ return NGX_HTTP_RANGE_NOT_SATISFIABLE; ++ } ++ + size += end - start; + + if (ranges-- == 0) { +-- +2.13.2 + diff --git a/debian/patches/series b/debian/patches/series index 69175ec..1ca661b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,4 @@ perl-use-dpkg-buildflags.patch 0004-SSL-error-messages-style.patch 0005-SSL-style.patch 0006-SSL-support-for-multiple-curves-ticket-885.patch +CVE-2017-7529-Range-filter.patch From fdd7e0ed32de011b7fe995dc79fcfd166834c26c Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Wed, 12 Jul 2017 08:46:19 +0300 Subject: [PATCH 2/7] Release 1.10.3-1+deb9u1 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index d73f283..f1a8fda 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +nginx (1.10.3-1+deb9u1) stretch-security; urgency=high + + * Handle CVE-2017-7529 Integer overflow in the range filter (Closes: #868109) + + -- Christos Trochalakis Wed, 12 Jul 2017 08:44:59 +0300 + nginx (1.10.3-1) unstable; urgency=medium * New upstream release. (Closes: #855113) From b8e51f2a11d8b18a8fecbe0e29fe89c6c90efc85 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Fri, 14 Jul 2017 11:00:47 +0300 Subject: [PATCH 3/7] gbp: setup for stretch Gbp-Dch: Ignore --- debian/gbp.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/gbp.conf b/debian/gbp.conf index af46c8f..4d966fa 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,3 +1,5 @@ [DEFAULT] pristine-tar = True +dist=stretch +debian-branch=stretch From 49e296609d73f56e3888ba6d0f0eaf82068bdab7 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Wed, 7 Nov 2018 07:36:19 +0200 Subject: [PATCH 4/7] Handle CVE-2018-16843 CVE-2018-16844 CVE-2018-16845 CVE-2018-16843 CVE-2018-16844 ============================= Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file. The issues affects nginx 1.9.5 - 1.15.5. To mitigate CVE-2018-16844 the http2_max_requests was also backported from 1.14. To mitigate CVE-2018-16843 the allocated frames has to be checked in ngx_http_v2_send_settings() as well since SETTINGS frames are handled separately before 1.13.2 (http://hg.nginx.org/nginx/rev/79de0d2aa432) Thanks to Nginx's Maxim Dounin for his help. CVE-2018-16845 ============== A security issue was identified in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file (CVE-2018-16845). The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the "mp4" directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module. The issue affects nginx 1.1.3+, 1.0.7+. --- ...-2018-16843-0-HTTP-2-flood-detection.patch | 65 ++++++++++ ...TP-2-flood-detection-to-nginx-1.10.3.patch | 45 +++++++ ...aximum-number-of-requests-in-connect.patch | 114 ++++++++++++++++++ ...it-the-number-of-idle-state-switches.patch | 63 ++++++++++ ...16845-Mp4-fixed-reading-64-bit-atoms.patch | 35 ++++++ debian/patches/series | 5 + 6 files changed, 327 insertions(+) create mode 100644 debian/patches/CVE-2018-16843-0-HTTP-2-flood-detection.patch create mode 100644 debian/patches/CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch create mode 100644 debian/patches/CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch create mode 100644 debian/patches/CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch create mode 100644 debian/patches/CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch diff --git a/debian/patches/CVE-2018-16843-0-HTTP-2-flood-detection.patch b/debian/patches/CVE-2018-16843-0-HTTP-2-flood-detection.patch new file mode 100644 index 0000000..d3e3fc7 --- /dev/null +++ b/debian/patches/CVE-2018-16843-0-HTTP-2-flood-detection.patch @@ -0,0 +1,65 @@ +From 1ee3bc11f75cc079494635974f6fabb1e25380d1 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 6 Nov 2018 16:29:35 +0300 +Subject: [PATCH 11/12] HTTP/2: flood detection. + +Fixed uncontrolled memory growth in case peer is flooding us with +some frames (e.g., SETTINGS and PING) and doesn't read data. Fix +is to limit the number of allocated control frames. +--- + src/http/v2/ngx_http_v2.c | 12 +++++++++++- + src/http/v2/ngx_http_v2.h | 1 + + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 421ec6e9..334b558e 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -649,6 +649,7 @@ ngx_http_v2_handle_connection(ngx_http_v2_connection_t *h2c) + + h2c->pool = NULL; + h2c->free_frames = NULL; ++ h2c->frames = 0; + h2c->free_fake_connections = NULL; + + #if (NGX_HTTP_SSL) +@@ -2620,7 +2621,7 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length, + + frame->blocked = 0; + +- } else { ++ } else if (h2c->frames < 10000) { + pool = h2c->pool ? h2c->pool : h2c->connection->pool; + + frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t)); +@@ -2644,6 +2645,15 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length, + frame->last = frame->first; + + frame->handler = ngx_http_v2_frame_handler; ++ ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + #if (NGX_DEBUG) +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 2f519e18..2638bb5f 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -115,6 +115,7 @@ struct ngx_http_v2_connection_s { + ngx_http_connection_t *http_connection; + + ngx_uint_t processing; ++ ngx_uint_t frames; + + size_t send_window; + size_t recv_window; +-- +2.19.1 + diff --git a/debian/patches/CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch b/debian/patches/CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch new file mode 100644 index 0000000..7525030 --- /dev/null +++ b/debian/patches/CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch @@ -0,0 +1,45 @@ +From 1e4a302630aeb7367ba0e31dc469f6919e766e5d Mon Sep 17 00:00:00 2001 +From: Christos Trochalakis +Date: Wed, 7 Nov 2018 14:48:22 +0200 +Subject: [PATCH] Adapt HTTP/2 flood detection to nginx 1.10.3 + +To mitigate CVE-2018-16843 the allocated frames has to be checked in +ngx_http_v2_send_settings() as well since SETTINGS frames are handled +separately before 1.13.2 (http://hg.nginx.org/nginx/rev/79de0d2aa432) +Thanks to Nginx's Maxim Dounin for his help. +--- + src/http/v2/ngx_http_v2.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 1d28fd6b..c8769e39 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -1969,7 +1969,9 @@ ngx_http_v2_state_settings(ngx_http_v2_connection_t *h2c, u_char *pos, + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); + } + +- ngx_http_v2_send_settings(h2c, 1); ++ if (ngx_http_v2_send_settings(h2c, 1) == NGX_ERROR) { ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); ++ } + + return ngx_http_v2_state_settings_params(h2c, pos, end); + } +@@ -2453,6 +2455,13 @@ ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c, ngx_uint_t ack) + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, + "http2 send SETTINGS frame ack:%ui", ack); + ++ if (h2c->frames++ > 10000) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ h2c->connection->error = 1; ++ return NGX_ERROR; ++ } ++ + frame = ngx_palloc(h2c->pool, sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NGX_ERROR; +-- +2.19.1 + diff --git a/debian/patches/CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch b/debian/patches/CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch new file mode 100644 index 0000000..fc3b698 --- /dev/null +++ b/debian/patches/CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch @@ -0,0 +1,114 @@ +From 7b96e3b569b1b8ab0939c61c834d23caba21d4fb Mon Sep 17 00:00:00 2001 +From: Valentin Bartenev +Date: Mon, 31 Oct 2016 16:33:02 +0300 +Subject: [PATCH 20/21] HTTP/2: limited maximum number of requests in + connection. + +The new directive "http2_max_requests" is introduced. From users point of +view it works quite similar to "keepalive_requests" but has significantly +bigger default value that is more suitable for HTTP/2. +--- + src/http/v2/ngx_http_v2.c | 30 ++++++++++++++++++++++-------- + src/http/v2/ngx_http_v2_module.c | 9 +++++++++ + src/http/v2/ngx_http_v2_module.h | 1 + + 3 files changed, 32 insertions(+), 8 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 70b6c607..1d28fd6b 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -325,16 +325,21 @@ ngx_http_v2_read_handler(ngx_event_t *rev) + + if (c->close) { + c->close = 0; +- h2c->goaway = 1; + +- if (ngx_http_v2_send_goaway(h2c, NGX_HTTP_V2_NO_ERROR) == NGX_ERROR) { +- ngx_http_v2_finalize_connection(h2c, 0); +- return; +- } ++ if (!h2c->goaway) { ++ h2c->goaway = 1; + +- if (ngx_http_v2_send_output_queue(h2c) == NGX_ERROR) { +- ngx_http_v2_finalize_connection(h2c, 0); +- return; ++ if (ngx_http_v2_send_goaway(h2c, NGX_HTTP_V2_NO_ERROR) ++ == NGX_ERROR) ++ { ++ ngx_http_v2_finalize_connection(h2c, 0); ++ return; ++ } ++ ++ if (ngx_http_v2_send_output_queue(h2c) == NGX_ERROR) { ++ ngx_http_v2_finalize_connection(h2c, 0); ++ return; ++ } + } + + h2c->blocked = 0; +@@ -1155,6 +1160,15 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + ngx_http_v2_set_dependency(h2c, node, depend, excl); + } + ++ if (h2c->connection->requests >= h2scf->max_requests) { ++ h2c->goaway = 1; ++ ++ if (ngx_http_v2_send_goaway(h2c, NGX_HTTP_V2_NO_ERROR) == NGX_ERROR) { ++ return ngx_http_v2_connection_error(h2c, ++ NGX_HTTP_V2_INTERNAL_ERROR); ++ } ++ } ++ + return ngx_http_v2_state_header_block(h2c, pos, end); + + rst_stream: +diff --git a/src/http/v2/ngx_http_v2_module.c b/src/http/v2/ngx_http_v2_module.c +index b7d99e05..032abcb6 100644 +--- a/src/http/v2/ngx_http_v2_module.c ++++ b/src/http/v2/ngx_http_v2_module.c +@@ -73,6 +73,13 @@ static ngx_command_t ngx_http_v2_commands[] = { + offsetof(ngx_http_v2_srv_conf_t, concurrent_streams), + NULL }, + ++ { ngx_string("http2_max_requests"), ++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_HTTP_SRV_CONF_OFFSET, ++ offsetof(ngx_http_v2_srv_conf_t, max_requests), ++ NULL }, ++ + { ngx_string("http2_max_field_size"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_size_slot, +@@ -322,6 +329,7 @@ ngx_http_v2_create_srv_conf(ngx_conf_t *cf) + h2scf->pool_size = NGX_CONF_UNSET_SIZE; + + h2scf->concurrent_streams = NGX_CONF_UNSET_UINT; ++ h2scf->max_requests = NGX_CONF_UNSET_UINT; + + h2scf->max_field_size = NGX_CONF_UNSET_SIZE; + h2scf->max_header_size = NGX_CONF_UNSET_SIZE; +@@ -347,6 +355,7 @@ ngx_http_v2_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + + ngx_conf_merge_uint_value(conf->concurrent_streams, + prev->concurrent_streams, 128); ++ ngx_conf_merge_uint_value(conf->max_requests, prev->max_requests, 1000); + + ngx_conf_merge_size_value(conf->max_field_size, prev->max_field_size, + 4096); +diff --git a/src/http/v2/ngx_http_v2_module.h b/src/http/v2/ngx_http_v2_module.h +index 91f97c25..540f8267 100644 +--- a/src/http/v2/ngx_http_v2_module.h ++++ b/src/http/v2/ngx_http_v2_module.h +@@ -23,6 +23,7 @@ typedef struct { + typedef struct { + size_t pool_size; + ngx_uint_t concurrent_streams; ++ ngx_uint_t max_requests; + size_t max_field_size; + size_t max_header_size; + size_t preread_size; +-- +2.19.1 + diff --git a/debian/patches/CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch b/debian/patches/CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch new file mode 100644 index 0000000..28998ca --- /dev/null +++ b/debian/patches/CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch @@ -0,0 +1,63 @@ +From 175adc8124e3e1992d8bb85aef071f43535c09bc Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 6 Nov 2018 16:29:49 +0300 +Subject: [PATCH 12/12] HTTP/2: limit the number of idle state switches. + +An attack that continuously switches HTTP/2 connection between +idle and active states can result in excessive CPU usage. +This is because when a connection switches to the idle state, +all of its memory pool caches are freed. + +This change limits the maximum allowed number of idle state +switches to 10 * http2_max_requests (i.e., 10000 by default). +This limits possible CPU usage in one connection, and also +imposes a limit on the maximum lifetime of a connection. + +Initially reported by Gal Goldshtein from F5 Networks. +--- + src/http/v2/ngx_http_v2.c | 13 ++++++++++--- + src/http/v2/ngx_http_v2.h | 1 + + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 334b558e..70b6c607 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4181,12 +4181,19 @@ ngx_http_v2_idle_handler(ngx_event_t *rev) + + #endif + +- c->destroyed = 0; +- ngx_reusable_connection(c, 0); +- + h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, + ngx_http_v2_module); + ++ if (h2c->idle++ > 10 * h2scf->max_requests) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR); ++ return; ++ } ++ ++ c->destroyed = 0; ++ ngx_reusable_connection(c, 0); ++ + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { + ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR); +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 2638bb5f..c22991f3 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -116,6 +116,7 @@ struct ngx_http_v2_connection_s { + + ngx_uint_t processing; + ngx_uint_t frames; ++ ngx_uint_t idle; + + size_t send_window; + size_t recv_window; +-- +2.19.1 + diff --git a/debian/patches/CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch b/debian/patches/CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch new file mode 100644 index 0000000..a45ab9c --- /dev/null +++ b/debian/patches/CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch @@ -0,0 +1,35 @@ +From 88be1860f976962c23e300ba616fe491b60b36d7 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Tue, 6 Nov 2018 16:29:18 +0300 +Subject: [PATCH 10/12] Mp4: fixed reading 64-bit atoms. + +Previously there was no validation for the size of a 64-bit atom +in an mp4 file. This could lead to a CPU hog when the size is 0, +or various other problems due to integer underflow when calculating +atom data size, including segmentation fault or worker process +memory disclosure. +--- + src/http/modules/ngx_http_mp4_module.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 16ef83cf..c1d36879 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -896,6 +896,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file_t *mp4, + atom_size = ngx_mp4_get_64value(atom_header + 8); + atom_header_size = sizeof(ngx_mp4_atom_header64_t); + ++ if (atom_size < sizeof(ngx_mp4_atom_header64_t)) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "\"%s\" mp4 atom is too small:%uL", ++ mp4->file.name.data, atom_size); ++ return NGX_ERROR; ++ } ++ + } else { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 atom is too small:%uL", +-- +2.19.1 + diff --git a/debian/patches/series b/debian/patches/series index 1ca661b..621e1ce 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,8 @@ perl-use-dpkg-buildflags.patch 0005-SSL-style.patch 0006-SSL-support-for-multiple-curves-ticket-885.patch CVE-2017-7529-Range-filter.patch +CVE-2018-16843-0-HTTP-2-flood-detection.patch +CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch +CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch +CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch +CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch From 39217fc418555dcea5dfad63623a1932f6f01914 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Wed, 7 Nov 2018 07:44:35 +0200 Subject: [PATCH 5/7] Release 1.10.3-1+deb9u2 --- debian/changelog | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/debian/changelog b/debian/changelog index f1a8fda..acd7576 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +nginx (1.10.3-1+deb9u2) stretch-security; urgency=high + + * Backport http2_max_requests directive needed for + CVE-2018-16844 mitigation + * Backport upstream fixes for 3 CVEs (Closes: #913090) + + CVE-2018-16843 Excessive memory usage in HTTP/2 + + CVE-2018-16844 Excessive CPU usage in HTTP/2 + This change limits the maximum allowed number of idle state + switches to 10 * http2_max_requests (i.e., 10000 by default). + This limits possible CPU usage in one connection, and also + imposes a limit on the maximum lifetime of a connection + + CVE-2018-16845 Memory disclosure in the ngx_http_mp4_module + + -- Christos Trochalakis Wed, 07 Nov 2018 07:40:42 +0200 + nginx (1.10.3-1+deb9u1) stretch-security; urgency=high * Handle CVE-2017-7529 Integer overflow in the range filter (Closes: #868109) From 312dd9143da3a8ae05d900569aa1d6ba933d35b7 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Tue, 13 Aug 2019 21:08:23 +0300 Subject: [PATCH 6/7] Handle CVE-2019-9511 CVE-2019-9513 CVE-2019-9516 Several security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file. The issues affect nginx 1.9.5 - 1.17.2. The issues are fixed in nginx 1.17.3, 1.16.1. Thanks to Jonathan Looney from Netflix for discovering these issues. Adjusted for Nginx 1.10 --- debian/patches/CVE-2019-9511.patch | 88 ++++++++++++++++++++++++++++++ debian/patches/CVE-2019-9513.patch | 65 ++++++++++++++++++++++ debian/patches/CVE-2019-9516.patch | 45 +++++++++++++++ debian/patches/series | 3 + 4 files changed, 201 insertions(+) create mode 100644 debian/patches/CVE-2019-9511.patch create mode 100644 debian/patches/CVE-2019-9513.patch create mode 100644 debian/patches/CVE-2019-9516.patch diff --git a/debian/patches/CVE-2019-9511.patch b/debian/patches/CVE-2019-9511.patch new file mode 100644 index 0000000..2c3faf0 --- /dev/null +++ b/debian/patches/CVE-2019-9511.patch @@ -0,0 +1,88 @@ +From 28cb833d0db4d899e486991bda31dcffb2960592 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 13 Aug 2019 15:43:36 +0300 +Subject: [PATCH 2/3] HTTP/2: limited number of DATA frames. + +Fixed excessive memory growth and CPU usage if stream windows are +manipulated in a way that results in generating many small DATA frames. +Fix is to limit the number of simultaneously allocated DATA frames. +--- + src/http/v2/ngx_http_v2.c | 2 ++ + src/http/v2/ngx_http_v2.h | 2 ++ + src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++----- + 3 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 9b1fbd7d..838d1b4f 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4072,6 +4072,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) + */ + pool = stream->pool; + ++ h2c->frames -= stream->frames; ++ + ngx_http_free_request(stream->request, rc); + + if (pool != h2c->state.pool) { +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index c22991f3..792c0a3a 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -181,6 +181,8 @@ struct ngx_http_v2_stream_s { + + ngx_buf_t *preread; + ++ ngx_uint_t frames; ++ + ngx_http_v2_out_frame_t *free_frames; + ngx_chain_t *free_frame_headers; + ngx_chain_t *free_bufs; +diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c +index fa53070c..8eed4456 100644 +--- a/src/http/v2/ngx_http_v2_filter_module.c ++++ b/src/http/v2/ngx_http_v2_filter_module.c +@@ -999,23 +999,35 @@ static ngx_http_v2_out_frame_t * + ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, + size_t len, ngx_chain_t *first, ngx_chain_t *last) + { +- u_char flags; +- ngx_buf_t *buf; +- ngx_chain_t *cl; +- ngx_http_v2_out_frame_t *frame; ++ u_char flags; ++ ngx_buf_t *buf; ++ ngx_chain_t *cl; ++ ngx_http_v2_out_frame_t *frame; ++ ngx_http_v2_connection_t *h2c; + + + frame = stream->free_frames; ++ h2c = stream->connection; + + if (frame) { + stream->free_frames = frame->next; + +- } else { ++ } else if (h2c->frames < 10000) { + frame = ngx_palloc(stream->request->pool, + sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NULL; + } ++ ++ stream->frames++; ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; +-- +2.20.1 + diff --git a/debian/patches/CVE-2019-9513.patch b/debian/patches/CVE-2019-9513.patch new file mode 100644 index 0000000..2841c92 --- /dev/null +++ b/debian/patches/CVE-2019-9513.patch @@ -0,0 +1,65 @@ +From 52c85196438b1a893fc3180d29dc5c5ced55b3bc Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 13 Aug 2019 15:43:40 +0300 +Subject: [PATCH 3/3] HTTP/2: limited number of PRIORITY frames. + +Fixed excessive CPU usage caused by a peer that continuously shuffles +priority of streams. Fix is to limit the number of PRIORITY frames. + +Backported for Nginx 1.10 +--- + src/http/v2/ngx_http_v2.c | 11 +++++++++++ + src/http/v2/ngx_http_v2.h | 1 + + 2 files changed, 12 insertions(+) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 838d1b4f..547864a6 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -247,6 +247,8 @@ ngx_http_v2_init(ngx_event_t *rev) + + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); + ++ h2c->priority_limit = h2scf->concurrent_streams; ++ + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { + ngx_http_close_connection(c); +@@ -1790,6 +1792,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos, + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); + } + ++ if (--h2c->priority_limit == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many PRIORITY frames"); ++ ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); ++ } ++ + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { + return ngx_http_v2_state_save(h2c, pos, end, + ngx_http_v2_state_priority); +@@ -2857,6 +2866,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c) + + h2c->processing++; + ++ h2c->priority_limit += h2scf->concurrent_streams; ++ + return stream; + } + +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 792c0a3a..1fba1b20 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -117,6 +117,7 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t priority_limit; + + size_t send_window; + size_t recv_window; +-- +2.20.1 + diff --git a/debian/patches/CVE-2019-9516.patch b/debian/patches/CVE-2019-9516.patch new file mode 100644 index 0000000..83aa32e --- /dev/null +++ b/debian/patches/CVE-2019-9516.patch @@ -0,0 +1,45 @@ +From 6d953dc78fdc445acc00e02540bded7c3b3af921 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Tue, 13 Aug 2019 15:43:32 +0300 +Subject: [PATCH 1/3] HTTP/2: reject zero length headers with PROTOCOL_ERROR. + +Fixed uncontrolled memory growth if peer sends a stream of +headers with a 0-length header name and 0-length header value. +Fix is to reject headers with zero name length. +--- + src/http/v2/ngx_http_v2.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index c8769e39..9b1fbd7d 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -1533,6 +1533,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, + header->name.len = h2c->state.field_end - h2c->state.field_start; + header->name.data = h2c->state.field_start; + ++ if (header->name.len == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent zero header name length"); ++ ++ return ngx_http_v2_connection_error(h2c, ++ NGX_HTTP_V2_PROTOCOL_ERROR); ++ } ++ + return ngx_http_v2_state_field_len(h2c, pos, end); + } + +@@ -2986,10 +2994,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) + ngx_uint_t i; + ngx_http_core_srv_conf_t *cscf; + +- if (header->name.len == 0) { +- return NGX_ERROR; +- } +- + r->invalid_header = 0; + + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index 621e1ce..6ddf3d7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,6 @@ CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch +CVE-2019-9516.patch +CVE-2019-9511.patch +CVE-2019-9513.patch From a2e1aba7a522736a2ee9a54e8b1e8b676fefffac Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Mon, 19 Aug 2019 12:32:31 +0300 Subject: [PATCH 7/7] Release 1.10.3-1+deb9u3 --- debian/changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index acd7576..3eb9ef2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +nginx (1.10.3-1+deb9u3) stretch-security; urgency=high + + * Backport upstream fixes for 3 CVEs (Closes: #935037) + Those fixes affect Nginx HTTP/2 implementation, which might cause + excessive memory consumption and CPU usage. + (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + -- Christos Trochalakis Mon, 19 Aug 2019 12:31:19 +0300 + nginx (1.10.3-1+deb9u2) stretch-security; urgency=high * Backport http2_max_requests directive needed for