Bug 574780 (CVE-2016-1544) - <net-libs/nghttp2-1.7.1: out of memory error due to unlimited incoming HTTP header fields
Status: RESOLVED FIXED
Alias: CVE-2016-1544
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
Reported: 2016-02-15 13:03 UTC by Agostino Sarubbo
Modified: 2016-12-05 01:25 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-02-15 13:03:04 UTC
From ${URL} :

A vulnerability was found in the way nghttp2 processes incoming packets.
Nghttpd, nghttp, and libnghttp2_asio applications do not limit the
memory usage for the incoming HTTP header field. If a peer sends
specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they
will crash with an out-of-memory error.

Upstream report and fix:

https://github.com/tatsuhiro-t/nghttp2/releases/tag/v1.7.1


@maintainer(s): since the fixed package is already in the tree, please let us know whether it is ready for stabilization or not.
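As an added illustration of the missing bound the report describes (this is not nghttp2's code and not its actual fix), a header-block reassembler that checks the cumulative size before appending each HEADERS/CONTINUATION fragment, so the buffer never grows past a cap however many frames arrive. The 16 KiB cap, the frame builder and the sample frames are constructed assumptions; the HEADERS frame is assumed to carry no PADDED or PRIORITY fields.

```python
# Constructed illustration: bounded reassembly of an HTTP/2 header block.
# Frame layout per RFC 7540 section 4.1: 24-bit length, 8-bit type, 8-bit
# flags, 1 reserved bit + 31-bit stream id, then payload.
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4
MAX_HEADER_BLOCK = 16 * 1024  # assumed cap; choose per deployment

def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame (used here only to construct sample input)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length

def reassemble_header_block(buf, limit=MAX_HEADER_BLOCK):
    """Return ("ok", stream_id, block) for a complete header block,
    ("too_large", stream_id, None) when the cap would be exceeded, or
    ("protocol_error", None, None) for a malformed sequence.
    The size check runs *before* each fragment is appended, which is the
    check an unbounded accumulator lacks (assumed PADDED/PRIORITY absent)."""
    block, stream_id = bytearray(), None
    for ftype, flags, sid, payload in iter_frames(buf):
        if stream_id is None:
            if ftype != HEADERS:
                return ("protocol_error", None, None)
            stream_id = sid
        elif ftype != CONTINUATION or sid != stream_id:
            return ("protocol_error", None, None)
        if len(block) + len(payload) > limit:
            return ("too_large", stream_id, None)  # reject before allocating
        block += payload
        if flags & END_HEADERS:
            return ("ok", stream_id, bytes(block))
    return ("protocol_error", None, None)  # no END_HEADERS before input ended
```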
Comment 1 SpanKY gentoo-dev 2016-02-15 14:24:37 UTC
1.7.1 is fine to stabilize
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-17 07:13:17 UTC
Stable for HPPA PPC64.
Comment 3 Agostino Sarubbo gentoo-dev 2016-03-02 13:59:04 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-03-15 16:43:10 UTC
x86 stable
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-16 09:23:15 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-16 12:07:15 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-19 11:39:27 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-20 12:03:08 UTC
ia64 stable
Comment 9 SpanKY gentoo-dev 2016-05-06 15:49:30 UTC
done the rest now
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-21 15:10:51 UTC
@ Security: Waiting for GLSA/CVE...
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-05 00:26:46 UTC
New GLSA created.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-12-05 01:25:16 UTC
This issue was resolved and addressed in GLSA 201612-13 at https://security.gentoo.org/glsa/201612-13 by GLSA coordinator Aaron Bauman (b-man).