
Bug 905203 (CVE-2023-30847)

Summary: www-servers/h2o: Uninitialized memory usage in proxy handler
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: hattya
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx
Whiteboard: B3 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description Sam James 2023-04-28 00:56:04 UTC
See https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx
"""
Impact

When the reverse proxy handler tries to process a certain type of invalid HTTP request, it tries to build an upstream URL by reading from an uninitialized pointer. This behavior can lead to crashes or leak of information to back-end HTTP servers.
Patches

PR #3229 fixes the issue. The pull request has been merged to master in commit f010336.
Workarounds

Upgrade to commit f010336 or later. At the moment, there is no tagged version with the fix incorporated.
Acknowledgements

This issue was reported by @ElijahGlover; see #3228.
"""

NEWS on the main site says (https://h2o.examp1e.net/):
"""
    Due to a security vulnerability, users using h2o as a reverse proxy are advised to update immediately CVE-2023-30847 (Apr 27 2023)
"""
Comment 1 Sam James 2023-04-28 00:56:45 UTC
Please backport the linked patch.
Comment 2 Akinori Hattori 2023-10-22 12:44:36 UTC
They have updated the advisory.

> None of the non-beta released versions (i.e., versions up to 2.2.6) is affected by this vulnerability (May 15 2023).

There are no affected versions in the repository.
Comment 3 John Helmert III 2023-10-23 04:57:08 UTC
Vulnerability not in any released versions according to upstream's updated advisory.