From b857943b0f0b646f8a1fbb510ef1a58209f103c2 Mon Sep 17 00:00:00 2001 From: Azure Linux Security Servicing Account Date: Fri, 20 Mar 2026 20:01:52 +0530 Subject: [PATCH] [AutoPR- Security] Patch nghttp2 for CVE-2026-27135 [HIGH] (#16237) (cherry picked from commit 5b639962c33d76a80b217d3d33fe4105730f9fb4) --- SPECS/nghttp2/CVE-2026-27135.patch | 107 ++++++++++++++++++ SPECS/nghttp2/nghttp2.spec | 6 +- .../manifests/package/pkggen_core_aarch64.txt | 4 +- .../manifests/package/pkggen_core_x86_64.txt | 4 +- .../manifests/package/toolchain_aarch64.txt | 6 +- .../manifests/package/toolchain_x86_64.txt | 6 +- 6 files changed, 122 insertions(+), 11 deletions(-) create mode 100644 SPECS/nghttp2/CVE-2026-27135.patch diff --git a/SPECS/nghttp2/CVE-2026-27135.patch b/SPECS/nghttp2/CVE-2026-27135.patch new file mode 100644 index 00000000000..d209a2a6e8f --- /dev/null +++ b/SPECS/nghttp2/CVE-2026-27135.patch @@ -0,0 +1,107 @@ +From 5fb1bc89bc8ac155c1284e4a4b9fd8746e863d94 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Wed, 18 Feb 2026 18:04:30 +0900 +Subject: [PATCH] Fix missing iframe->state validations to avoid assertion + failure + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1.patch +--- + lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c +index 004a4df..1711a39 100644 +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -6079,6 +6079,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + on_begin_frame_called = 1; + + rv = session_process_headers_frame(session); +@@ -6445,6 +6449,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } + } + } + +@@ -6701,6 +6709,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +@@ -6761,6 +6773,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return (nghttp2_ssize)inlen; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + if (rv == NGHTTP2_ERR_PAUSE) { + in += hd_proclen; + iframe->payloadleft -= hd_proclen; +@@ -7004,6 +7020,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } + } else { + iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK; + } +@@ -7189,6 +7209,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +@@ -7256,6 +7280,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + if (rv != 0) { + busy = 1; + +@@ -7274,6 +7302,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +-- +2.45.4 + diff --git a/SPECS/nghttp2/nghttp2.spec b/SPECS/nghttp2/nghttp2.spec index f9c40beeddb..1fd59a7123d 100644 --- a/SPECS/nghttp2/nghttp2.spec +++ b/SPECS/nghttp2/nghttp2.spec @@ -1,13 +1,14 @@ Summary: nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK. Name: nghttp2 Version: 1.61.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux Group: Applications/System URL: https://nghttp2.org Source0: https://github.com/nghttp2/nghttp2/releases/download/v%{version}/%{name}-%{version}.tar.xz +Patch0: CVE-2026-27135.patch BuildRequires: gcc BuildRequires: make %if 0%{?with_check} @@ -59,6 +60,9 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/pkgconfig/*.pc %changelog +* Thu Mar 19 2026 Azure Linux Security Servicing Account - 1.61.0-3 +- Patch for CVE-2026-27135 + * Thu Aug 29 2024 Pawel Winogrodzki - 1.61.0-2 - Fix test-time dependency on CUnit. diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 8c6f092e8d3..cc9df1270d8 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -197,8 +197,8 @@ libssh2-1.11.1-1.azl3.aarch64.rpm libssh2-devel-1.11.1-1.azl3.aarch64.rpm krb5-1.21.3-3.azl3.aarch64.rpm krb5-devel-1.21.3-3.azl3.aarch64.rpm -nghttp2-1.61.0-2.azl3.aarch64.rpm -nghttp2-devel-1.61.0-2.azl3.aarch64.rpm +nghttp2-1.61.0-3.azl3.aarch64.rpm +nghttp2-devel-1.61.0-3.azl3.aarch64.rpm curl-8.11.1-5.azl3.aarch64.rpm curl-devel-8.11.1-5.azl3.aarch64.rpm curl-libs-8.11.1-5.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 41f145e909b..2071c28565b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -197,8 +197,8 @@ libssh2-1.11.1-1.azl3.x86_64.rpm libssh2-devel-1.11.1-1.azl3.x86_64.rpm krb5-1.21.3-3.azl3.x86_64.rpm krb5-devel-1.21.3-3.azl3.x86_64.rpm -nghttp2-1.61.0-2.azl3.x86_64.rpm -nghttp2-devel-1.61.0-2.azl3.x86_64.rpm +nghttp2-1.61.0-3.azl3.x86_64.rpm +nghttp2-devel-1.61.0-3.azl3.x86_64.rpm curl-8.11.1-5.azl3.x86_64.rpm curl-devel-8.11.1-5.azl3.x86_64.rpm curl-libs-8.11.1-5.azl3.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 5626ad98b91..fd3c44aacf3 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -277,9 +277,9 @@ newt-0.52.23-1.azl3.aarch64.rpm newt-debuginfo-0.52.23-1.azl3.aarch64.rpm newt-devel-0.52.23-1.azl3.aarch64.rpm newt-lang-0.52.23-1.azl3.aarch64.rpm -nghttp2-1.61.0-2.azl3.aarch64.rpm -nghttp2-debuginfo-1.61.0-2.azl3.aarch64.rpm -nghttp2-devel-1.61.0-2.azl3.aarch64.rpm +nghttp2-1.61.0-3.azl3.aarch64.rpm +nghttp2-debuginfo-1.61.0-3.azl3.aarch64.rpm +nghttp2-devel-1.61.0-3.azl3.aarch64.rpm ninja-build-1.11.1-1.azl3.aarch64.rpm ninja-build-debuginfo-1.11.1-1.azl3.aarch64.rpm npth-1.6-4.azl3.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index 3596c20a153..2d7cf3992b1 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -285,9 +285,9 @@ newt-0.52.23-1.azl3.x86_64.rpm newt-debuginfo-0.52.23-1.azl3.x86_64.rpm newt-devel-0.52.23-1.azl3.x86_64.rpm newt-lang-0.52.23-1.azl3.x86_64.rpm -nghttp2-1.61.0-2.azl3.x86_64.rpm -nghttp2-debuginfo-1.61.0-2.azl3.x86_64.rpm -nghttp2-devel-1.61.0-2.azl3.x86_64.rpm +nghttp2-1.61.0-3.azl3.x86_64.rpm +nghttp2-debuginfo-1.61.0-3.azl3.x86_64.rpm +nghttp2-devel-1.61.0-3.azl3.x86_64.rpm ninja-build-1.11.1-1.azl3.x86_64.rpm ninja-build-debuginfo-1.11.1-1.azl3.x86_64.rpm npth-1.6-4.azl3.x86_64.rpm