diff --git a/SOURCES/nginx-1.12.1-CVE-2019-9511.patch b/SOURCES/nginx-1.12.1-CVE-2019-9511.patch new file mode 100644 index 0000000..22de2eb --- /dev/null +++ b/SOURCES/nginx-1.12.1-CVE-2019-9511.patch @@ -0,0 +1,70 @@ +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 638ffaf..8b5975c 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4065,6 +4065,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) + */ + pool = stream->pool; + ++ h2c->frames -= stream->frames; ++ + ngx_http_free_request(stream->request, rc); + + if (pool != h2c->state.pool) { +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 6c42fee..282de8f 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -181,6 +181,8 @@ struct ngx_http_v2_stream_s { + + ngx_buf_t *preread; + ++ ngx_uint_t frames; ++ + ngx_http_v2_out_frame_t *free_frames; + ngx_chain_t *free_frame_headers; + ngx_chain_t *free_bufs; +diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c +index dac5046..e1928d1 100644 +--- a/src/http/v2/ngx_http_v2_filter_module.c ++++ b/src/http/v2/ngx_http_v2_filter_module.c +@@ -1017,22 +1017,34 @@ static ngx_http_v2_out_frame_t * + ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, + size_t len, ngx_chain_t *first, ngx_chain_t *last) + { +- u_char flags; +- ngx_buf_t *buf; +- ngx_chain_t *cl; +- ngx_http_v2_out_frame_t *frame; ++ u_char flags; ++ ngx_buf_t *buf; ++ ngx_chain_t *cl; ++ ngx_http_v2_out_frame_t *frame; ++ ngx_http_v2_connection_t *h2c; + + frame = stream->free_frames; ++ h2c = stream->connection; + + if (frame) { + stream->free_frames = frame->next; + +- } else { ++ } else if (h2c->frames < 10000) { + frame = ngx_palloc(stream->request->pool, + sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NULL; + } ++ ++ stream->frames++; ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; diff --git a/SOURCES/nginx-1.12.1-CVE-2019-9513.patch b/SOURCES/nginx-1.12.1-CVE-2019-9513.patch new file mode 100644 index 0000000..173b351 --- /dev/null +++ b/SOURCES/nginx-1.12.1-CVE-2019-9513.patch @@ -0,0 +1,48 @@ +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 8b5975c..9e12243 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -247,6 +247,8 @@ ngx_http_v2_init(ngx_event_t *rev) + + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); + ++ h2c->priority_limit = h2scf->concurrent_streams; ++ + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { + ngx_http_close_connection(c); +@@ -1786,6 +1788,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos, + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); + } + ++ if (--h2c->priority_limit == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many PRIORITY frames"); ++ ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); ++ } ++ + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { + return ngx_http_v2_state_save(h2c, pos, end, + ngx_http_v2_state_priority); +@@ -2846,6 +2855,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c) + + h2c->processing++; + ++ h2c->priority_limit += h2scf->concurrent_streams; ++ + return stream; + } + +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 282de8f..4a74a6a 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -117,6 +117,7 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t priority_limit; + + size_t send_window; + size_t recv_window; diff --git a/SOURCES/nginx-1.12.1-CVE-2019-9516.patch b/SOURCES/nginx-1.12.1-CVE-2019-9516.patch new file mode 100644 index 0000000..b2277bf --- /dev/null +++ b/SOURCES/nginx-1.12.1-CVE-2019-9516.patch @@ -0,0 +1,30 @@ +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 9e12243..5d6cadd 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -1539,6 +1539,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, + header->name.len = h2c->state.field_end - h2c->state.field_start; + header->name.data = h2c->state.field_start; + ++ if (header->name.len == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent zero header name length"); ++ ++ return ngx_http_v2_connection_error(h2c, ++ NGX_HTTP_V2_PROTOCOL_ERROR); ++ } ++ + return ngx_http_v2_state_field_len(h2c, pos, end); + } + +@@ -2994,10 +3002,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) + ngx_uint_t i; + ngx_http_core_srv_conf_t *cscf; + +- if (header->name.len == 0) { +- return NGX_ERROR; +- } +- + r->invalid_header = 0; + + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index dbcbe82..ec3d9b6 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -44,7 +44,7 @@ Name: %{?scl:%scl_prefix}nginx Epoch: 1 Version: 1.12.1 -Release: 2%{?dist}.1 +Release: 3%{?dist}.1 Summary: A high performance web server and reverse proxy server Group: System Environment/Daemons # BSD License (two clause) @@ -75,6 +75,13 @@ Patch1: nginx-1.12.1-CVE-2018-16843.patch Patch2: nginx-1.12.1-CVE-2018-16844.patch Patch3: nginx-1.12.1-CVE-2018-16845.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1741860 +# https://bugzilla.redhat.com/show_bug.cgi?id=1735741 +# https://bugzilla.redhat.com/show_bug.cgi?id=1741864 +Patch200: nginx-1.12.1-CVE-2019-9511.patch +Patch201: nginx-1.12.1-CVE-2019-9513.patch +Patch202: nginx-1.12.1-CVE-2019-9516.patch + BuildRequires: gd-devel %if 0%{?with_gperftools} BuildRequires: gperftools-devel @@ -179,6 +186,11 @@ Requires: %{?scl:%scl_prefix}nginx %patch1 -p1 -b .CVE-2018-16843 %patch2 -p1 -b .CVE-2018-16844 %patch3 -p1 -b .CVE-2018-16845 + +%patch200 -p1 +%patch201 -p1 +%patch202 -p1 + cp %{SOURCE200} . %build @@ -615,13 +627,21 @@ fi %{_libdir}/nginx/modules/ngx_stream_module.so %changelog -* Thu Nov 15 2018 Lubos Uhliarik - 1:1.12.1-2.1 -- Resolves: #1648364 - CVE-2018-16845 rh-nginx112-nginx: nginx: - Denial of service and memory disclosure via mp4 module -- Resolves: #1650094 - CVE-2018-16844 rh-nginx112-nginx: nginx: - Excessive CPU usage via flaw in HTTP/2 implementation -- Resolves: #1650088 - CVE-2018-16843 rh-nginx112-nginx: nginx: +* Fri Aug 30 2019 Lubos Uhliarik - 1:1.12.1-3.1 +- Resolves: #1744816 - CVE-2019-9511 rh-nginx112-nginx: HTTP/2: large amount + of data request leads to denial of service +- Resolves: #1744332 - CVE-2019-9513 rh-nginx112-nginx: HTTP/2: flood using + PRIORITY frames resulting in excessive resource consumption +- Resolves: #1745039 - CVE-2019-9516 rh-nginx112-nginx: HTTP/2: 0-length + headers leads to denial of service + +* Wed Nov 14 2018 Lubos Uhliarik - 1:1.12.1-3 +- Resolves: #1648227 - CVE-2018-16843 rh-nginx112-nginx: nginx: Excessive memory consumption via flaw in HTTP/2 implementation +- Resolves: #1648224 - CVE-2018-16844 rh-nginx112-nginx: nginx: + Excessive CPU usage via flaw in HTTP/2 implementation +- Resolves: #1648221 - CVE-2018-16845 rh-nginx112-nginx: nginx: + Denial of service and memory disclosure via mp4 module * Tue Aug 08 2017 Luboš Uhliarik - 1:1.12.1-2 - Resolves: #1468712 - missing dependency for perl package