Commit e86a2a9f authored by Jakub Jirutka

main/nginx: fix CVE-2018-16843, CVE-2018-16844, CVE-2018-16845

Resolves: #9660 (https://bugs.alpinelinux.org/issues/9660)
parent 71bdcfe0
......@@ -4,12 +4,16 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
# 1.12.1-r4:
# - CVE-2018-16843
# - CVE-2018-16844
# - CVE-2018-16845
# 1.12.1-r0:
# - CVE-2017-7529
#
pkgname=nginx
pkgver=1.12.2
pkgrel=3
pkgrel=4
# Revision of nginx-tests to use for check().
_tests_hgrev=cdd44ff602db
pkgdesc="HTTP and reverse proxy server (stable version)"
......@@ -30,6 +34,9 @@ subpackages="$pkgname-doc $pkgname-vim::noarch"
replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp"
source="http://nginx.org/download/$pkgname-$pkgver.tar.gz
$pkgname-tests-$_tests_hgrev.tar.gz::http://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
CVE-2018-16843.patch
CVE-2018-16844.patch
CVE-2018-16845.patch
nginx.conf
default.conf
$pkgname.logrotate
......@@ -265,6 +272,9 @@ _module() {
sha512sums="3faa2043e237a7e1d15cc5661ac9d002a965220a78c25a863be9f19e01007347e53f776b61c229f6bd3d916cc1ccf92de260811f7b8092ec1b747fba7c0061f7 nginx-1.12.2.tar.gz
ca8be839aef71c537d6d3a79e2894f38790834d6310c6d15ad06900c7c2d7cf71a113847ab96ef9be0fbdfff3b7808e74dea427502b275cfd6c909550f9ba9ab nginx-tests-cdd44ff602db.tar.gz
8666c54b894bb21b0bfd9fd223538ff37c34e070c722e866c8ae54dbf13768206d1594011f116622d7a0105439bd84c7b439022938e72b816519212fecba6e22 CVE-2018-16843.patch
54a5093ead82c8625c68a8af714eb3f71fdbecd48aca7e138cdd6c2ca06d5486074659fdd8b19576055c5d0717b5e179339ff1689defcdc4b7cf344375a39b4e CVE-2018-16844.patch
0b64927635048185cb117d403a0a70b4f048a76cd7ef561098b1c5e4cf31ef6594beff4298c3ca444b06b382d153b34b56c19b3c8ba87402c2e7daec1850da6b CVE-2018-16845.patch
ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41 nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf
09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb nginx.logrotate
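Review bot: The new secfixes header `# 1.12.1-r4:` names a version this package never had: the file sets `pkgver=1.12.2` and this commit bumps to `pkgrel=4`, so the entry should read `# 1.12.2-r4:`. The secfixes block is the input for Alpine's security database, which presumably treats any package version at or above the listed one as fixed; with 1.12.1-r4 recorded, the still-vulnerable 1.12.2-r3 build would compare as already fixed for all three CVEs. The existing `# 1.12.1-r0:` entry for CVE-2017-7529 is separate and stays as it is.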
# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1541510975 -10800
# Node ID 1c6b6163c03945bcc65c252cc42b0af18744c085
# Parent fdc19a3289c1138bfe49ddbde310778ddc495729
HTTP/2: flood detection.
Fixed uncontrolled memory growth in case peer is flooding us with
some frames (e.g., SETTINGS and PING) and doesn't read data. Fix
is to limit the number of allocated control frames.
Patch-Source: http://hg.nginx.org/nginx/rev/1c6b6163c039
diff -r fdc19a3289c1 -r 1c6b6163c039 src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:18 2018 +0300
+++ b/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:35 2018 +0300
@@ -664,6 +664,7 @@
h2c->pool = NULL;
h2c->free_frames = NULL;
+ h2c->frames = 0;
h2c->free_fake_connections = NULL;
#if (NGX_HTTP_SSL)
@@ -2895,7 +2896,7 @@
frame->blocked = 0;
- } else {
+ } else if (h2c->frames < 10000) {
pool = h2c->pool ? h2c->pool : h2c->connection->pool;
frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
@@ -2919,6 +2920,15 @@
frame->last = frame->first;
frame->handler = ngx_http_v2_frame_handler;
+
+ h2c->frames++;
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+
+ h2c->connection->error = 1;
+ return NULL;
}
#if (NGX_DEBUG)
diff -r fdc19a3289c1 -r 1c6b6163c039 src/http/v2/ngx_http_v2.h
--- a/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:18 2018 +0300
+++ b/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:35 2018 +0300
@@ -120,6 +120,7 @@
ngx_http_connection_t *http_connection;
ngx_uint_t processing;
+ ngx_uint_t frames;
ngx_uint_t pushing;
ngx_uint_t concurrent_pushes;
# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1541510989 -10800
# Node ID 9200b41db765fbd6709765ba2d218e78ad8e9860
# Parent 1c6b6163c03945bcc65c252cc42b0af18744c085
HTTP/2: limit the number of idle state switches.
An attack that continuously switches HTTP/2 connection between
idle and active states can result in excessive CPU usage.
This is because when a connection switches to the idle state,
all of its memory pool caches are freed.
This change limits the maximum allowed number of idle state
switches to 10 * http2_max_requests (i.e., 10000 by default).
This limits possible CPU usage in one connection, and also
imposes a limit on the maximum lifetime of a connection.
Initially reported by Gal Goldshtein from F5 Networks.
Patch-Source: http://hg.nginx.org/nginx/rev/9200b41db765
diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:35 2018 +0300
+++ b/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:49 2018 +0300
@@ -4481,12 +4481,19 @@
#endif
+ h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
+ ngx_http_v2_module);
+
+ if (h2c->idle++ > 10 * h2scf->max_requests) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);
+ return;
+ }
+
c->destroyed = 0;
ngx_reusable_connection(c, 0);
- h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
- ngx_http_v2_module);
-
h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
if (h2c->pool == NULL) {
ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.h
--- a/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:35 2018 +0300
+++ b/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:49 2018 +0300
@@ -121,6 +121,7 @@
ngx_uint_t processing;
ngx_uint_t frames;
+ ngx_uint_t idle;
ngx_uint_t pushing;
ngx_uint_t concurrent_pushes;
Patch-Source: http://nginx.org/download/patch.2018.mp4.txt
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -942,6 +942,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file
atom_size = ngx_mp4_get_64value(atom_header + 8);
atom_header_size = sizeof(ngx_mp4_atom_header64_t);
+ if (atom_size < sizeof(ngx_mp4_atom_header64_t)) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 atom is too small:%uL",
+ mp4->file.name.data, atom_size);
+ return NGX_ERROR;
+ }
+
} else {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 atom is too small:%uL",