Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 905203 (CVE-2023-30847) - www-servers/h2o: Uninitialized memory usage in proxy handler
Summary: www-servers/h2o: Uninitialized memory usage in proxy handler
Status: RESOLVED INVALID
Alias: CVE-2023-30847
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/h2o/h2o/security/a...
Whiteboard: B3 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-04-28 00:56 UTC by Sam James
Modified: 2023-10-23 04:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-28 00:56:04 UTC
See https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx
"""
Impact

When the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to build an upstream URL by reading from uninitialized pointer. This behavior can lead to crashes or leak of information to back end HTTP servers.
Patches

PR #3229 fixes the issue. The pull request has been merged to master in commit f010336.
Workarounds

Upgrade to commit f010336 or later. At the moment, there is no tagged version with the fix incorporated.
Acknowledgements

This issue was reported by @ElijahGlover; see #3228.
"""

NEWS on the main site says (https://h2o.examp1e.net/):
"""
    Due to a security vulnerability, users using h2o as a reverse proxy are advised to update immediately CVE-2023-30847 (Apr 27 2023)
"""
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-04-28 00:56:45 UTC
Please backport the linked patch.
Comment 2 Akinori Hattori gentoo-dev 2023-10-22 12:44:36 UTC
They are updated the advisory.

> None of the non-beta released versions (i.e., versions up to 2.2.6) is affected by this vulnerability (May 15 2023).

There are no affected versions in the repository.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-10-23 04:57:08 UTC
Vulnerability not in any released versions according to upstream's updated advisory.