Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch nghttp2 for CVE-2026-27135 [HIGH] - branch 3.0-dev" #16246

CBL-Mariner-Bot · azurelinux-security · web-flow · commit 9c9224aa2cac · 2026-03-20T07:36:56.000-07:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
diff --git a/SPECS/nghttp2/CVE-2026-27135.patch b/SPECS/nghttp2/CVE-2026-27135.patch
@@ -0,0 +1,107 @@
+From 5fb1bc89bc8ac155c1284e4a4b9fd8746e863d94 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Wed, 18 Feb 2026 18:04:30 +0900
+Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
+ failure
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1.patch
+---
+ lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
+index 004a4df..1711a39 100644
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -6079,6 +6079,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+           return rv;
+         }
+ 
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (nghttp2_ssize)inlen;
++        }
++
+         on_begin_frame_called = 1;
+ 
+         rv = session_process_headers_frame(session);
+@@ -6445,6 +6449,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+           if (nghttp2_is_fatal(rv)) {
+             return rv;
+           }
++
++          if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++            return (nghttp2_ssize)inlen;
++          }
+         }
+       }
+ 
+@@ -6701,6 +6709,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+           return rv;
+         }
+ 
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (nghttp2_ssize)inlen;
++        }
++
+         session_inbound_frame_reset(session);
+ 
+         break;
+@@ -6761,6 +6773,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+           return (nghttp2_ssize)inlen;
+         }
+ 
++            if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++              return (nghttp2_ssize)inlen;
++            }
++
+         if (rv == NGHTTP2_ERR_PAUSE) {
+           in += hd_proclen;
+           iframe->payloadleft -= hd_proclen;
+@@ -7004,6 +7020,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+         if (nghttp2_is_fatal(rv)) {
+           return rv;
+         }
++
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (nghttp2_ssize)inlen;
++        }
+       } else {
+         iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
+       }
+@@ -7189,6 +7209,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+         return rv;
+       }
+ 
++      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++        return (nghttp2_ssize)inlen;
++      }
++
+       session_inbound_frame_reset(session);
+ 
+       break;
+@@ -7256,6 +7280,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+           return rv;
+         }
+ 
++        if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++          return (nghttp2_ssize)inlen;
++        }
++
+         if (rv != 0) {
+           busy = 1;
+ 
+@@ -7274,6 +7302,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session,
+         return rv;
+       }
+ 
++      if (iframe->state == NGHTTP2_IB_IGN_ALL) {
++        return (nghttp2_ssize)inlen;
++      }
++
+       session_inbound_frame_reset(session);
+ 
+       break;
+-- 
+2.45.4
+
diff --git a/SPECS/nghttp2/nghttp2.spec b/SPECS/nghttp2/nghttp2.spec
@@ -1,13 +1,14 @@
 Summary:        nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK.
 Name:           nghttp2
 Version:        1.61.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Applications/System
 URL:            https://nghttp2.org
 Source0:        https://github.com/nghttp2/nghttp2/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Patch0:         CVE-2026-27135.patch
 BuildRequires:  gcc
 BuildRequires:  make
 %if 0%{?with_check}
@@ -59,6 +60,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Thu Mar 19 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.61.0-3
+- Patch for CVE-2026-27135
+
 * Thu Aug 29 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.61.0-2
 - Fix test-time dependency on CUnit.
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -197,8 +197,8 @@ libssh2-1.11.1-1.azl3.aarch64.rpm
 libssh2-devel-1.11.1-1.azl3.aarch64.rpm
 krb5-1.21.3-3.azl3.aarch64.rpm
 krb5-devel-1.21.3-3.azl3.aarch64.rpm
-nghttp2-1.61.0-2.azl3.aarch64.rpm
-nghttp2-devel-1.61.0-2.azl3.aarch64.rpm
+nghttp2-1.61.0-3.azl3.aarch64.rpm
+nghttp2-devel-1.61.0-3.azl3.aarch64.rpm
 curl-8.11.1-5.azl3.aarch64.rpm
 curl-devel-8.11.1-5.azl3.aarch64.rpm
 curl-libs-8.11.1-5.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -197,8 +197,8 @@ libssh2-1.11.1-1.azl3.x86_64.rpm
 libssh2-devel-1.11.1-1.azl3.x86_64.rpm
 krb5-1.21.3-3.azl3.x86_64.rpm
 krb5-devel-1.21.3-3.azl3.x86_64.rpm
-nghttp2-1.61.0-2.azl3.x86_64.rpm
-nghttp2-devel-1.61.0-2.azl3.x86_64.rpm
+nghttp2-1.61.0-3.azl3.x86_64.rpm
+nghttp2-devel-1.61.0-3.azl3.x86_64.rpm
 curl-8.11.1-5.azl3.x86_64.rpm
 curl-devel-8.11.1-5.azl3.x86_64.rpm
 curl-libs-8.11.1-5.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -277,9 +277,9 @@ newt-0.52.23-1.azl3.aarch64.rpm
 newt-debuginfo-0.52.23-1.azl3.aarch64.rpm
 newt-devel-0.52.23-1.azl3.aarch64.rpm
 newt-lang-0.52.23-1.azl3.aarch64.rpm
-nghttp2-1.61.0-2.azl3.aarch64.rpm
-nghttp2-debuginfo-1.61.0-2.azl3.aarch64.rpm
-nghttp2-devel-1.61.0-2.azl3.aarch64.rpm
+nghttp2-1.61.0-3.azl3.aarch64.rpm
+nghttp2-debuginfo-1.61.0-3.azl3.aarch64.rpm
+nghttp2-devel-1.61.0-3.azl3.aarch64.rpm
 ninja-build-1.11.1-1.azl3.aarch64.rpm
 ninja-build-debuginfo-1.11.1-1.azl3.aarch64.rpm
 npth-1.6-4.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -285,9 +285,9 @@ newt-0.52.23-1.azl3.x86_64.rpm
 newt-debuginfo-0.52.23-1.azl3.x86_64.rpm
 newt-devel-0.52.23-1.azl3.x86_64.rpm
 newt-lang-0.52.23-1.azl3.x86_64.rpm
-nghttp2-1.61.0-2.azl3.x86_64.rpm
-nghttp2-debuginfo-1.61.0-2.azl3.x86_64.rpm
-nghttp2-devel-1.61.0-2.azl3.x86_64.rpm
+nghttp2-1.61.0-3.azl3.x86_64.rpm
+nghttp2-debuginfo-1.61.0-3.azl3.x86_64.rpm
+nghttp2-devel-1.61.0-3.azl3.x86_64.rpm
 ninja-build-1.11.1-1.azl3.x86_64.rpm
 ninja-build-debuginfo-1.11.1-1.azl3.x86_64.rpm
 npth-1.6-4.azl3.x86_64.rpm
