Re: [OE-core] [kirkstone][PATCH V2] nghttp2: fix CVE-2023-44487

[zahirhussas via lists.openembedded.org]

Apologies for the late reply. Can you please recheck the patch again?
Same patch works in our build without any Hunk failure issue, and also 
confirmed that the patch changes are available in the source code of nghttp2 
V1.47.0.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196390): 
https://lists.openembedded.org/g/openembedded-core/message/196390
Mute This Topic: https://lists.openembedded.org/mt/104049487/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][kirkstone][PATCH V2] nghttp2: fix CVE-2023-44487

[Steve Sakoman]

4
ERROR: Task 
(/home/steve/builds/poky-contrib-kirkstone/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb:do_patch)
failed with exit code '1'

Make sure you are using the current kirkstone head, and don't have a
bbappend for nghttp2 in another included layer.

Steve
__
> From: Steve Sakoman 
> Sent: Tuesday, January 30, 2024 10:39 PM
> To: aszh07 
> Cc: openembedded-core@lists.openembedded.org 
> ; Virendra Kumar Thakur 
> ; Zahir Hussain Sikkendar Basha 
> 
> Subject: Re: [OE-core][kirkstone][PATCH V2] nghttp2: fix CVE-2023-44487
>
> Caution: This email originated from outside of the KPIT. Do not click links 
> or open attachments unless you recognize the sender and know the content is 
> safe.
>
> This fails at build time:
>
> ERROR: nghttp2-1.47.0-r0 do_patch: Applying patch
> 'CVE-2023-44487.patch' on target directory
> '/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/nghttp2/1.47.0-r0/nghttp2-1.47.0'
> CmdError('quilt --quiltrc
> /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/nghttp2/1.47.0-r0/recipe-sysroot-native/etc/quiltrc
> push', 0, 'stdout: Applying patch CVE-2023-44487.patch
> patching file CMakeLists.txt
> Hunk #1 succeeded at 301 (offset 39 lines).
> Hunk #2 succeeded at 342 (offset 39 lines).
> patching file cmakeconfig.h.in
> Hunk #1 succeeded at 31 (offset -3 lines).
> Hunk #2 succeeded at 76 (offset -3 lines).
> patching file configure.ac
> Hunk #1 succeeded at 922 (offset 315 lines).
> Hunk #2 succeeded at 997 (offset 315 lines).
> Hunk #3 succeeded at 1023 (offset 315 lines).
> patching file doc/Makefile.am
> Hunk #1 FAILED at 69.
> 1 out of 1 hunk FAILED -- rejects in file doc/Makefile.am
> patching file lib/CMakeLists.txt
> patching file lib/Makefile.am
> Hunk #1 FAILED at 49.
> Hunk #2 FAILED at 65.
> 2 out of 2 hunks FAILED -- rejects in file lib/Makefile.am
> patching file lib/includes/nghttp2/nghttp2.h
> Hunk #1 succeeded at 2800 (offset 37 lines).
> patching file lib/nghttp2_option.c
> patching file lib/nghttp2_ratelim.c
> patching file lib/nghttp2_ratelim.h
> patching file lib/nghttp2_session.c
> Hunk #4 succeeded at 4164 (offset 9 lines).
> Hunk #5 succeeded at 4210 (offset 9 lines).
> Hunk #6 succeeded at 6991 (offset -3 lines).
> patching file lib/nghttp2_session.h
> Hunk #4 succeeded at 234 (offset -3 lines).
> patching file lib/nghttp2_time.c
> patching file lib/nghttp2_time.h
> patching file tests/nghttp2_ratelim_test.c
> patching file tests/nghttp2_ratelim_test.h
> patching file tests/nghttp2_session_test.c
> Hunk #1 succeeded at 11089 (offset 276 lines).
> patching file tests/nghttp2_session_test.h
> Hunk #1 succeeded at 162 (offset 2 lines).
> patching file tests/CMakeLists.txt
> patching file tests/Makefile.am
> Hunk #1 FAILED at 40.
> 1 out of 1 hunk FAILED -- rejects in file tests/Makefile.am
> patching file lib/nghttp2_option.h
> patching file tests/main.c
> Hunk #2 succeeded at 330 (offset 6 lines).
> Hunk #3 succeeded at 428 (offset 7 lines).
> Patch CVE-2023-44487.patch does not apply (enforce with -f)
>
> Steve
>
> On Mon, Jan 29, 2024 at 9:17 PM aszh07  wrote:
> >
> > From: Zahir Hussain 
> >
> > The HTTP/2 protocol allows a denial of service (server resource consumption)
> > because request cancellation can reset many streams quickly, as exploited in
> > the wild in August through October 2023.
> >
> > References:
> > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnvd.nist.gov%2Fvuln%2Fdetail%2FCVE-2023-44487=05%7C02%7Czahir.basha%40kpit.com%7Ce5eb9b3c40f742bf7ecf08dc21b65033%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638422314179045832%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C=pCq7emMjyZCqLQHlPRpJX%2Fhk7kgUe3YLRN4rQE2FB%2BQ%3D=0
> > https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnghttp2%2Fnghttp2%2Fcommit%2F72b4af6143681f528f1d237b21a9a7aee1738832=05%7C02%7Czahir.basha%40kpit.com%7Ce5eb9b3c40f742bf7ecf08dc21b65033%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C638422314179052912%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C=GONGty7xd57TIExm%2BoaI2oOQUfCW4h1%2BIMNO4vMB%2BDo%3D=0
> >
> > Signed-off-by: Zahir Hussain 
> > ---
> >  .../nghttp2/nghttp2/CVE-2023-44487.patch  | 926 ++
> >  .../recipes-support/nghttp2/nghttp2_1.47.0.bb |   1 +
> >  2 files changed, 927 insertions(+)
> >  create mode 100644 
> > meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch
> >
> > diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch 
> > b/meta/recipes-suppor