Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 726834 (CVE-2020-11080)

Summary: <net-libs/nghttp2-1.41.0: denial of service via overly large SETTINGS frames (CVE-2020-11080)
Product: Gentoo Security Reporter: Jeroen Roovers (RETIRED) <jer>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: polynomial-c
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nghttp2.org/blog/2020/06/02/nghttp2-v1-41-0/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=726836
Whiteboard: B3 [noglsa cve]
Package list:
net-libs/nghttp2-1.41.0
Runtime testing required: ---

Description Jeroen Roovers (RETIRED) gentoo-dev 2020-06-02 20:26:36 UTC
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Impact
The overly large HTTP/2 SETTINGS frame payload causes denial of service.

The proof of concept attack involves a malicious client
constructing a SETTINGS frame with a length of 14,400 bytes (2400
individual settings entries) over and over again. The attack
causes the CPU to spike at 100%.

Patches
nghttp2 v1.41.0 fixes this vulnerability.
Comment 1 Larry the Git Cow gentoo-dev 2020-06-02 20:45:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=83969940dab82d3e44003f659eaec0a4668bcb45

commit 83969940dab82d3e44003f659eaec0a4668bcb45
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-02 20:45:07 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-02 20:45:19 +0000

    net-libs/nghttp2: Security bump to version 1.41.0
    
    Bug: https://bugs.gentoo.org/726834
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/nghttp2/Manifest              |  1 +
 net-libs/nghttp2/nghttp2-1.41.0.ebuild | 77 ++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2020-06-03 09:22:54 UTC
s390 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-06-03 10:27:45 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-03 15:11:21 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-03 15:13:57 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-03 15:16:06 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-03 15:18:18 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-03 15:27:59 UTC
sparc stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-07 21:04:18 UTC
arm64 stable

----
@maintainer(s), please cleanup
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 02:14:17 UTC
ping
Comment 11 Larry the Git Cow gentoo-dev 2020-06-20 11:21:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3707631c00f4838f95dcedc2c64c622390a6a888

commit 3707631c00f4838f95dcedc2c64c622390a6a888
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-20 11:21:37 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-20 11:21:45 +0000

    net-libs/nghttp2: Security cleanup
    
    Bug: https://bugs.gentoo.org/726834
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-libs/nghttp2/Manifest              |  1 -
 net-libs/nghttp2/nghttp2-1.40.0.ebuild | 77 ----------------------------------
 2 files changed, 78 deletions(-)
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-20 12:46:20 UTC
Thanka!