diff --git a/CVE-2024-53008-1.patch b/CVE-2024-53008-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0cb6f33ed616ab523cf173c85a6102a9660d5217
--- /dev/null
+++ b/CVE-2024-53008-1.patch
@@ -0,0 +1,77 @@
+From 87fefebfbe3df218103502046a0871b235a48087 Mon Sep 17 00:00:00 2001
+From: Amaury Denoyelle
+Date: Fri, 28 Jun 2024 10:43:19 +0200
+Subject: [PATCH] BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally
+ valid
+Origin: https://github.com/haproxy/haproxy/commit/87fefebfbe3df218103502046a0871b235a48087
+
+Ensure pseudo-header method is only constitued of valid characters
+according to RFC 9110. If an invalid value is found, the request is
+rejected and stream is resetted.
+
+Previously only characters forbidden in headers were rejected (NUL/CR/LF),
+but this is insufficient for :method, where some other forbidden chars
+might be used to trick a non-compliant backend server into seeing a
+different path from the one seen by haproxy. Note that header injection
+is not possible though.
+
+This must be backported up to 2.6.
+
+Many thanks to Yuki Mogi of FFRI Security Inc for the detailed report
+that allowed to quicky spot, confirm and fix the problem.
+
+(cherry picked from commit 789d4abd7328f0a745d67698e89bbb888d4d9b2c)
+Signed-off-by: Christopher Faulet
+(cherry picked from commit 47d13c68cf198467a94e85a1caa44484a1e2e75c)
+[cf: adapted]
+Signed-off-by: Christopher Faulet
+---
+ include/haproxy/http.h | 15 +++++++++++++++
+ src/h3.c | 8 ++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/include/haproxy/http.h b/include/haproxy/http.h
+index 299264051d28e..a297fa59b444a 100644
+--- a/include/haproxy/http.h
++++ b/include/haproxy/http.h
+@@ -192,6 +192,21 @@ static inline int http_header_has_forbidden_char(const struct ist ist, const cha
+ return 0;
+ }
++
++/* Check that method only contains token as required.
++ * See RFC 9110 9. Methods
++ */
++static inline int http_method_has_forbidden_char(const struct ist ist)
++{
++ const char *start = istptr(ist);
++
++ do {
++ if (!HTTP_IS_TOKEN(*start))
++ return 1;
++ start++;
++ } while (start < istend(ist));
++ return 0;
++}
++
+ /* Looks into for forbidden characters for :path values (0x00..0x1F,
+ * 0x20, 0x23), starting at pointer which must be within .
+ * Returns non-zero if such a character is found, 0 otherwise. When run on
+diff --git a/src/h3.c b/src/h3.c
+index 9e415b3b56303..4e21f6b92f535 100644
+--- a/src/h3.c
++++ b/src/h3.c
+@@ -625,6 +625,14 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ len = -1;
+ goto out;
+ }
++
++ if (!istlen(list[hdr_idx].v) || http_method_has_forbidden_char(list[hdr_idx].v)) {
++ TRACE_ERROR("invalid method pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
++ h3s->err = H3_MESSAGE_ERROR;
++ len = -1;
++ goto out;
++ }
++
+ meth = list[hdr_idx].v;
+ }
+ else if (isteq(list[hdr_idx].n, ist(":path"))) {
diff --git a/CVE-2024-53008-2.patch b/CVE-2024-53008-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..55226bf20ee6a7b41cfed09a6ca1fc8a91407333
--- /dev/null
+++ b/CVE-2024-53008-2.patch
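Review bot: http_method_has_forbidden_char() in the include/haproxy/http.h hunk dereferences *start before it ever compares start against istend(ist), so on an empty ist the do/while reads one byte past the value; the src/h3.c hunk only stays safe because it tests `!istlen(list[hdr_idx].v) ||` before calling the helper. Any later caller without that guard would repeat the over-read, so the helper should be self-contained: `const char *start = istptr(ist); while (start < istend(ist)) { if (!HTTP_IS_TOKEN(*start)) return 1; start++; } return 0;`, or at least its header comment should state the precondition, e.g. `/* <ist> must not be empty: the first byte is read unconditionally. */`. h3_headers_to_htx() begins and ends outside the hunk, so the full set of callers is not visible here.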
@@ -0,0 +1,45 @@
+From 6748a47819c263d4631187b6f121b5344ab50d57 Mon Sep 17 00:00:00 2001
+From: Amaury Denoyelle
+Date: Fri, 28 Jun 2024 10:50:19 +0200
+Subject: [PATCH] BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally
+ valid
+Origin: https://github.com/haproxy/haproxy/commit/6748a47819c263d4631187b6f121b5344ab50d57
+
+Ensure pseudo-header scheme is only constitued of valid characters
+according to RFC 9110. If an invalid value is found, the request is
+rejected and stream is resetted.
+
+It's the same as for previous commit "BUG/MEDIUM: h3: ensure the
+":method" pseudo header is totally valid" except that this time it
+applies to the ":scheme" pseudo header.
+
+This must be backported up to 2.6.
+
+(cherry picked from commit a3bed52d1f84ba36af66be4317a5f746d498bdf4)
+Signed-off-by: Christopher Faulet
+(cherry picked from commit 5ddc4004cb0c3c4ea4f4596577c85f004678e9c0)
+[cf: adapted]
+Signed-off-by: Christopher Faulet
+---
+ src/h3.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/h3.c b/src/h3.c
+index 4e21f6b92f535..1984f984f7daf 100644
+--- a/src/h3.c
++++ b/src/h3.c
+@@ -666,6 +666,14 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ len = -1;
+ goto out;
+ }
++
++ if (!http_validate_scheme(list[hdr_idx].v)) {
++ TRACE_ERROR("invalid scheme pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
++ h3s->err = H3_MESSAGE_ERROR;
++ len = -1;
++ goto out;
++ }
++
+ scheme = list[hdr_idx].v;
+ }
+ else if (isteq(list[hdr_idx].n, ist(":authority"))) {
diff --git a/haproxy.spec b/haproxy.spec
index 23fbda8e44a620d0762fb7acb7e5dcda7b0afea8..c8060adac09e82a9df45130048264b72c43cebdd 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -5,7 +5,7 @@
 Name: haproxy
 Version: 2.9.5
-Release: 6
+Release: 7
 Summary: The Reliable, High Performance TCP/HTTP Load Balancer
 License: GPLv2+
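Review bot: The :scheme check in the src/h3.c hunk passes list[hdr_idx].v straight to http_validate_scheme() with no length test, whereas the companion :method hunk in CVE-2024-53008-1.patch explicitly rejects an empty value with !istlen() before its helper runs. Whether http_validate_scheme() itself returns 0 for an empty ist is not visible in this diff; if it does not, an empty `:scheme` would be accepted and assigned to `scheme`. Either confirm that behaviour against the helper's definition or mirror the method hunk with `if (!istlen(list[hdr_idx].v) || !http_validate_scheme(list[hdr_idx].v)) {`. h3_headers_to_htx() begins and ends outside the hunk.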
@@ -20,6 +20,8 @@ Patch1: backport-BUG-MINOR-server-source-interface-ignored-from-defau.
 Patch2: Backport-CVE-2024-45506-BUG-MAJOR-mux-h2-always.patch
 Patch3: CVE-2024-49214.patch
 Patch4: backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch
+Patch5: CVE-2024-53008-1.patch
+Patch6: CVE-2024-53008-2.patch
 BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 Requires(pre): shadow-utils
@@ -124,6 +126,9 @@ exit 0
 %{_mandir}/man1/*
 %changelog
+* Tue Dec 10 2024 wangkai <13474090681@163.com> - 2.9.5-7
+- Fix CVE-2024-53008
+
 * Thu Nov 21 2024 xinghe - 2.9.5-6
 - Type:bugfix
 - CVE:NA