[{"id":3673041,"web_url":"http://patchwork.ozlabs.org/comment/3673041/","msgid":"<20260403091627.57341-1-thomas.perale@mind.be>","list_archive_url":null,"date":"2026-04-03T09:16:27","subject":"Re: [Buildroot] [PATCH 1/1] package/nghttp2: patch CVE-2026-27135","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/people/87308/","name":"Thomas Perale","email":"thomas.perale@mind.be"},"content":"Only for 2025.02.x & 2026.02.x. Removed on patchwork and resent.\n\nIn reply of:\n> Fixes the following vulnerability:\n> \n> - CVE-2026-27135:\n> nghttp2 is an implementation of the Hypertext Transfer Protocol\n> version 2 in C. Prior to version 1.68.1, the nghttp2 library stops\n> reading the incoming data when user facing public API\n> `nghttp2_session_terminate_session` or\n> `nghttp2_session_terminate_session2` is called by the application.\n> They might be called internally by the library when it detects the\n> situation that is subject to connection error. Due to the missing\n> internal state validation, the library keeps reading the rest of the\n> data after one of those APIs is called. Then receiving a malformed\n> frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2\n> v1.68.1 adds missing state validation to avoid assertion failure. No\n> known workarounds are available.\n> \n> For more information, see:\n> - https://www.cve.org/CVERecord?id=CVE-2026-27135\n> - https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1\n> \n> Signed-off-by: Thomas Perale \n\n> ---\n> ...lidations-to-avoid-assertion-failure.patch | 105 ++++++++++++++++++\n> package/nghttp2/nghttp2.mk | 3 +\n> 2 files changed, 108 insertions(+)\n> create mode 100644 package/nghttp2/0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch\n> \n> diff --git a/package/nghttp2/0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch b/package/nghttp2/0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch\n> new file mode 100644\n> index 0000000000..ef8b9a5a5d\n> --- /dev/null\n> +++ b/package/nghttp2/0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch\n> @@ -0,0 +1,105 @@\n> +From 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 Mon Sep 17 00:00:00 2001\n> +From: Tatsuhiro Tsujikawa \n> +Date: Wed, 18 Feb 2026 18:04:30 +0900\n> +Subject: [PATCH] Fix missing iframe->state validations to avoid assertion\n> + failure\n> +\n> +CVE: CVE-2026-27135\n> +Upstream: https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1\n> +Signed-off-by: Thomas Perale \n> +---\n> + lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++\n> + 1 file changed, 32 insertions(+)\n> +\n> +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c\n> +index bcea547343..0fbcc930b9 100644\n> +--- a/lib/nghttp2_session.c\n> ++++ b/lib/nghttp2_session.c\n> +@@ -5573,6 +5573,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,\n> + return rv;\n> + }\n> + \n> ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {\n> ++ return (nghttp2_ssize)inlen;\n> ++ }\n> ++\n> + on_begin_frame_called = 1;\n> + \n> + rv = session_process_headers_frame(session);\n> +@@ -6041,6 +6045,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,\n> + if (nghttp2_is_fatal(rv)) {\n> + return rv;\n> + }\n> ++\n> ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {\n> ++ return (nghttp2_ssize)inlen;\n> ++ }\n> + }\n> + }\n> + \n> +@@ -6293,6 +6301,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,\n> + return rv;\n> + }\n> + \n> ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {\n> ++ return (nghttp2_ssize)inlen;\n> ++ }\n> ++\n> + session_inbound_frame_reset(session);\n> + \n> + break;\n> +@@ -6599,6 +6611,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,\n> + if (nghttp2_is_fatal(rv)) {\n> + return rv;\n> + }\n> ++\n> ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {\n> ++ return (nghttp2_ssize)inlen;\n> ++ }\n> + } else {\n> + iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;\n> + }\n> +@@ -6775,6 +6791,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,\n> + rv = session->callbacks.on_data_chunk_recv_callback(\n> + session, iframe->frame.hd.flags, iframe->frame.hd.stream_id,\n> + in - readlen, (size_t)data_readlen, session->user_data);\n> ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {\n> ++ return (nghttp2_ssize)inlen;\n> ++ }\n> ++\n> + if (rv == NGHTTP2_ERR_PAUSE) {\n> + return (nghttp2_ssize)(in - first);\n> + }\n> +@@ -6861,6 +6881,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,\n> + return rv;\n> + }\n> + \n> ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {\n> ++ return (nghttp2_ssize)inlen;\n> ++ }\n> ++\n> + if (rv != 0) {\n> + busy = 1;\n> + \n> +@@ -6879,6 +6903,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,\n> + return rv;\n> + }\n> + \n> ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {\n> ++ return (nghttp2_ssize)inlen;\n> ++ }\n> ++\n> + session_inbound_frame_reset(session);\n> + \n> + break;\n> +@@ -6907,6 +6935,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,\n> + return rv;\n> + }\n> + \n> ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) {\n> ++ return (nghttp2_ssize)inlen;\n> ++ }\n> ++\n> + session_inbound_frame_reset(session);\n> + \n> + break;\n> diff --git a/package/nghttp2/nghttp2.mk b/package/nghttp2/nghttp2.mk\n> index 98f837e28e..9e051d24ed 100644\n> --- a/package/nghttp2/nghttp2.mk\n> +++ b/package/nghttp2/nghttp2.mk\n> @@ -14,6 +14,9 @@ NGHTTP2_CPE_ID_VENDOR = nghttp2\n> NGHTTP2_DEPENDENCIES = host-pkgconf\n> NGHTTP2_CONF_OPTS = --enable-lib-only\n> \n> +# 0001-Fix-missing-iframe-state-validations-to-avoid-assertion-failure.patch\n> +NGHTTP2_IGNORE_CVES += CVE-2026-27135\n> +\n> define NGHTTP2_INSTALL_CLEAN_HOOK\n> \t# Remove fetch-ocsp-response script unused by library\n> \t$(Q)$(RM) -rf $(TARGET_DIR)/usr/share/nghttp2\n> -- \n> 2.53.0\n> \n> _______________________________________________\n> buildroot mailing list\n> buildroot@buildroot.org\n> https://lists.buildroot.org/mailman/listinfo/buildroot","headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=dG2F/oLt;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnClY0jpKz1yCt\n\tfor ;\n Fri, 03 Apr 2026 20:16:40 +1100 (AEDT)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 7094081426;\n\tFri, 3 Apr 2026 09:16:34 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id b2Mlu23oDg44; Fri, 3 Apr 2026 09:16:33 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 7A18E8142A;\n\tFri, 3 Apr 2026 09:16:33 +0000 (UTC)","from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133])\n by lists1.osuosl.org (Postfix) with ESMTP id 51B9F2CC\n for ; Fri, 3 Apr 2026 09:16:32 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id 374AC40055\n for ; Fri, 3 Apr 2026 09:16:32 +0000 (UTC)","from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id GHPV98lCCkhG for ;\n Fri, 3 Apr 2026 09:16:31 +0000 (UTC)","from mail-wr1-x433.google.com (mail-wr1-x433.google.com\n [IPv6:2a00:1450:4864:20::433])\n by smtp2.osuosl.org (Postfix) with ESMTPS id 0C72A40028\n for ; Fri, 3 Apr 2026 09:16:30 +0000 (UTC)","by mail-wr1-x433.google.com with SMTP id\n ffacd0b85a97d-43cfa33a983so1076591f8f.1\n for ; Fri, 03 Apr 2026 02:16:30 -0700 (PDT)","from arch ([79.132.232.220]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-43d1e2c5468sm14800860f8f.13.2026.04.03.02.16.27\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 03 Apr 2026 02:16:27 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org 7A18E8142A","OpenDKIM Filter v2.11.0 smtp2.osuosl.org 0C72A40028"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1775207793;\n\tbh=NDXyh+v5eCky3ypj5wALjyeB9Ztv9FDd8IzT4sXK7Mg=;\n\th=To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=dG2F/oLtPAJxK5nVho8AqYfxq6QRvP6z50K1YlmcNAkGo2iFWUskTSBYEXvXpjeW9\n\t AsnULTXXNAla47SLar6S7h0FK5Fy2+BIhudZVtJ0oVTx14A7KEDh8z91pN0rNDiRM6\n\t wHi7+lD/A3do2ktwV4/Lz2PH4Lrg6E/EiK1hbAg8gosh2BlxRYCI7353XepsTxQi6F\n\t 3JsU/yfTOIxxpKWxm0snD4fK9WLqk5rnwXHVNvYmq67YxObobDWvlUwRT1NdUh15l+\n\t 8SwvD7IY5VGwtHcTdANYyh4je7MTXzlvGA8FpeXDNYLNzuFGUVt0+RAtNgQ6hBYvqG\n\t 0VRlVIoXRu6BQ==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::433; helo=mail-wr1-x433.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp2.osuosl.org 0C72A40028","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775207788; x=1775812588;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=2RYCQ/hcrz5acXo2ZN+cJqyKdbnaqFFEdCn26LzRdK0=;\n b=aCHgS7nhT2Z2TvMxpnjlN90js2XK9klzGXo8nlGFbCmRIaH7RWPKaLyIlClW0tLktX\n 7O9p9LrmyOjEqC84vr0ILeVFkc3lFniyLrV1PhdvVBQI1NA8JagNDESbVbR9fg1mLOzh\n NxKZhLMtxXmFGUVukM4eQQcPOk2NngalY6YFqtfji/QV4kFPZswP+roTFj3BhGMtFgzj\n Vhy2Co6dffnGNzvEBBmz3hlZJfvmNnNucpkXGVoHrxmjnrpSBnICJa/Zql1kSLWeOfC3\n UMBrH9aD+RTiwjLlAO//Npu1vfKfo7y2RfzwFhMZdcBTz2IiuglI57xvrtHQqJ9783cr\n mGZw==","X-Gm-Message-State":"AOJu0Yzcsgq4TWxeWipeZFNcylENLZSxZgpRg/tjFBY3oDOZAd2r2WA9\n RGvfvX6Qm4ENON41vZxpF7xpI5czOfjcCohZgqybTfo1RHi7pVoeaA4USKbg1kTEjH+3iho4FLe\n oP6emcXA=","X-Gm-Gg":"AeBDievzuwnPXyGnSi9C84HV4ChsGC64mMDFhRf6zC9UUzAnGvMC0zQA7Oe6daKrPUZ\n S3dycf508nI9/MZGzLV3uuOlDKoaBu2U/8/r4aPjUrawYYuRkEw6lPEml3r6yjmbS5ZFDwYSlV6\n YVq8QHak5zPyCs57pgBAvHbWSEVMXqUDkS9TawGVkHbmmkKug1uAb+5zmt/IgVy4PiJgyfiDAjV\n A2O30DS4GGznGWxS501a6w6fUh3JAPBDBeb50fSWw4+fo+CCwON8hD41ZbKs1eEMHOAHcgglUdB\n ZeVXFjOJBNv1l7e7C1TXu4wp1LdwmSSRg4ybPs+CD+vpCEf8H+vF2VDufjbfDdYGrPYdUlkiFte\n FVlYp5hdW2r5vlU1iohu+8HIC1KSv7HQo1H9C70wrxgrGA9fEP2iIqC68SjNS2AlTYE+UlRKwcR\n gRWtJEQedxW59anLAk","X-Received":"by 2002:a5d:5f48:0:b0:43c:f40f:6c91 with SMTP id\n ffacd0b85a97d-43d29285606mr3733612f8f.10.1775207788343;\n Fri, 03 Apr 2026 02:16:28 -0700 (PDT)","To":"Thomas Perale ","Cc":"buildroot@buildroot.org","Date":"Fri, 3 Apr 2026 11:16:27 +0200","Message-ID":"<20260403091627.57341-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260403084221.35659-1-thomas.perale@mind.be>","References":"<20260403084221.35659-1-thomas.perale@mind.be>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1775207788; x=1775812588; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=2RYCQ/hcrz5acXo2ZN+cJqyKdbnaqFFEdCn26LzRdK0=;\n b=YOHMUea335/FkaEprDjMz916FO0dcapp/GAwmEOpqAdhaX1wVpwdJeZENItHOG/uFr\n terSN2i0d/9zSDbzHoGUUOK4wyWvsb9pFKUEdcwlR+vAneVHMOsUrC9MPHdHy8uUra5n\n cIEo9KecpzHQqc4jLIBXBEF3RHmlpohTdUlm5k/OpjevGqrbLAtWoByfEPzfQYwGih85\n 1PORGgZU5Wnfp+gqRs52b0cEa5EzAGfQHVU4xgZ0I6/jfIFfYwN2NlPqyJBm3eagavhO\n z1MoyJf81b+KTTsPm551WN7t64lLQzkvhsMJIMmfRcl3Cfz/ZRSKtOE9QRVAARza6jjS\n TFeQ==","X-Mailman-Original-Authentication-Results":["smtp2.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp2.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=YOHMUea3"],"Subject":"Re: [Buildroot] [PATCH 1/1] package/nghttp2: patch CVE-2026-27135","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","From":"Thomas Perale via buildroot ","Reply-To":"Thomas Perale ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "}}]