diff --git a/SOURCES/nginx-1.10.2-CVE-2019-9511.patch b/SOURCES/nginx-1.10.2-CVE-2019-9511.patch new file mode 100644 index 0000000..0a027a4 --- /dev/null +++ b/SOURCES/nginx-1.10.2-CVE-2019-9511.patch @@ -0,0 +1,70 @@ +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 8d3eaf8..8c37854 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4035,6 +4035,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) + */ + pool = stream->pool; + ++ h2c->frames -= stream->frames; ++ + ngx_http_free_request(stream->request, rc); + + if (pool != h2c->state.pool) { +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index c22d879..112779e 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -180,6 +180,8 @@ struct ngx_http_v2_stream_s { + + ngx_buf_t *preread; + ++ ngx_uint_t frames; ++ + ngx_http_v2_out_frame_t *free_frames; + ngx_chain_t *free_frame_headers; + ngx_chain_t *free_bufs; +diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c +index 09ce3f6..a104462 100644 +--- a/src/http/v2/ngx_http_v2_filter_module.c ++++ b/src/http/v2/ngx_http_v2_filter_module.c +@@ -999,23 +999,32 @@ static ngx_http_v2_out_frame_t * + ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, + size_t len, ngx_chain_t *first, ngx_chain_t *last) + { +- u_char flags; +- ngx_buf_t *buf; +- ngx_chain_t *cl; +- ngx_http_v2_out_frame_t *frame; +- ++ u_char flags; ++ ngx_buf_t *buf; ++ ngx_chain_t *cl; ++ ngx_http_v2_out_frame_t *frame; ++ ngx_http_v2_connection_t *h2c; + + frame = stream->free_frames; ++ h2c = stream->connection; + + if (frame) { + stream->free_frames = frame->next; +- +- } else { ++ } else if (h2c->frames < 10000) { + frame = ngx_palloc(stream->request->pool, + sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NULL; + } ++ ++ stream->frames++; ++ h2c->frames++; ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; diff --git a/SOURCES/nginx-1.10.2-CVE-2019-9513.patch b/SOURCES/nginx-1.10.2-CVE-2019-9513.patch new file mode 100644 index 0000000..0ad3ad2 --- /dev/null +++ b/SOURCES/nginx-1.10.2-CVE-2019-9513.patch @@ -0,0 +1,48 @@ +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 8c37854..90b10a8 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -245,6 +245,8 @@ ngx_http_v2_init(ngx_event_t *rev) + + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); + ++ h2c->priority_limit = h2scf->concurrent_streams; ++ + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { + ngx_http_close_connection(c); +@@ -1763,6 +1765,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos, + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); + } + ++ if (--h2c->priority_limit == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many PRIORITY frames"); ++ ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); ++ } ++ + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { + return ngx_http_v2_state_save(h2c, pos, end, + ngx_http_v2_state_priority); +@@ -2821,6 +2830,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c) + + h2c->processing++; + ++ h2c->priority_limit += h2scf->concurrent_streams; ++ + return stream; + } + +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 112779e..8e56ee5 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -116,6 +116,7 @@ struct ngx_http_v2_connection_s { + + ngx_uint_t processing; + ngx_uint_t frames; ++ ngx_uint_t priority_limit; + + size_t send_window; + size_t recv_window; diff --git a/SOURCES/nginx-1.10.2-CVE-2019-9516.patch b/SOURCES/nginx-1.10.2-CVE-2019-9516.patch new file mode 100644 index 0000000..974f031 --- /dev/null +++ b/SOURCES/nginx-1.10.2-CVE-2019-9516.patch @@ -0,0 +1,30 @@ +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 90b10a8..b2adcb9 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -1516,6 +1516,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, + header->name.len = h2c->state.field_end - h2c->state.field_start; + header->name.data = h2c->state.field_start; + ++ if (header->name.len == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent zero header name length"); ++ ++ return ngx_http_v2_connection_error(h2c, ++ NGX_HTTP_V2_PROTOCOL_ERROR); ++ } ++ + return ngx_http_v2_state_field_len(h2c, pos, end); + } + +@@ -2969,10 +2977,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) + ngx_uint_t i; + ngx_http_core_srv_conf_t *cscf; + +- if (header->name.len == 0) { +- return NGX_ERROR; +- } +- + r->invalid_header = 0; + + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index eae6994..383e8cf 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -39,7 +39,7 @@ Name: %{?scl:%scl_prefix}nginx Epoch: 1 Version: 1.10.2 -Release: 8%{?dist}.1 +Release: 9%{?dist}.1 Summary: A high performance web server and reverse proxy server Group: System Environment/Daemons @@ -71,6 +71,13 @@ Patch1: nginx-1.10.2-CVE-2017-7529.patch Patch2: nginx-1.10.2-CVE-2018-16843.patch Patch3: nginx-1.10.2-CVE-2018-16845.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1741860 +# https://bugzilla.redhat.com/show_bug.cgi?id=1735741 +# https://bugzilla.redhat.com/show_bug.cgi?id=1741864 +Patch200: nginx-1.10.2-CVE-2019-9511.patch +Patch201: nginx-1.10.2-CVE-2019-9513.patch +Patch202: nginx-1.10.2-CVE-2019-9516.patch + BuildRequires: gd-devel %if 0%{?with_gperftools} BuildRequires: gperftools-devel @@ -174,6 +181,11 @@ Requires: %{?scl:%scl_prefix}nginx %patch1 -p0 -b .CVE-2017-7529 %patch2 -p1 -b .CVE-2018-16843 %patch3 -p1 -b .CVE-2018-16845 + +%patch200 -p1 +%patch201 -p1 +%patch202 -p1 + cp %{SOURCE200} . %build @@ -601,11 +613,19 @@ fi %{_libdir}/nginx/modules/ngx_stream_module.so %changelog -* Thu Nov 15 2018 Lubos Uhliarik - 1:1.10.2-8.1 -- Resolves: #1648363 - CVE-2018-16845 rh-nginx110-nginx: nginx: - Denial of service and memory disclosure via mp4 module -- Resolves: #1650091 - CVE-2018-16843 rh-nginx110-nginx: nginx: +* Fri Aug 30 2019 Lubos Uhliarik - 1:1.10.2-9.1 +- Resolves: #1744814 - CVE-2019-9511 rh-nginx110-nginx: HTTP/2: large amount + of data request leads to denial of service +- Resolves: #1744327 - CVE-2019-9513 rh-nginx110-nginx: HTTP/2: flood using + PRIORITY frames resulting in excessive resource consumption +- Resolves: #1745041 - CVE-2019-9516 rh-nginx110-nginx: HTTP/2: 0-length + headers leads to denial of service + +* Wed Nov 14 2018 Lubos Uhliarik - 1:1.10.2-9 +- Resolves: #1648226 - CVE-2018-16843 rh-nginx110-nginx: nginx: Excessive memory consumption via flaw in HTTP/2 implementation +- Resolves: #1648220 - CVE-2018-16845 rh-nginx110-nginx: nginx: + Denial of service and memory disclosure via mp4 module * Tue Aug 22 2017 Luboš Uhliarik - 1:1.10.2-8 - Resolves: CVE-2017-7529 rh-nginx110-nginx: nginx: Integer overflow