diff --git a/CVE-2022-0711.patch b/CVE-2022-0711.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fd75f80b8096477c1186ccad3645a61c4337b504
--- /dev/null
+++ b/CVE-2022-0711.patch
@@ -0,0 +1,40 @@
+From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
+From: Andrew McDermott
+Date: Fri, 11 Feb 2022 18:26:49 +0000
+Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
+ http_manage_server_side_cookies
+
+Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
+header is found then the while(1) loop in
+http_manage_server_side_cookies() will never terminate, resulting in
+the watchdog firing and the process terminating via SIGABRT.
+
+The while(1) loop becomes unbounded because an unmatched call to
+http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
+calls to check for "Set-Cookie2" will now enumerate from the beginning
+of all the blocks and will once again match on subsequent
+passes (assuming a match first time around), hence the loop becoming
+unbounded.
+
+This issue was introduced with HTX and this fix should be backported
+to all versions supporting HTX.
+
+Many thanks to Grant Spence (gspence@redhat.com) for working through
+this issue with me.
+---
+ src/http_ana.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/http_ana.c b/src/http_ana.c
+index 715dd3a5c5..c2d9d9b439 100644
+--- a/src/http_ana.c
++++ b/src/http_ana.c
+@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
+ while (1) {
+ int is_first = 1;
+
+- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
++ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
+ if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
+ break;
+ is_cookie2 = 1;
diff --git a/haproxy.spec b/haproxy.spec
index 6ef220545c6087f1cf3fcf48af256a43a3b53a5a..515d443f0d84c761b54b2b2291cb7b56f52b5837 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -5,7 +5,7 @@ Name: haproxy
 Version: 2.2.16
-Release: 2
+Release: 3
 Summary: The Reliable, High Performance TCP/HTTP Load Balancer
 License: GPLv2+
@@ -17,6 +17,7 @@ Source3: %{name}.logrotate
 Source4: %{name}.sysconfig
 Patch0001: CVE-2021-40346.patch
+Patch0002: CVE-2022-0711.patch
 BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic
 Requires(pre): shadow-utils
@@ -122,10 +123,13 @@ exit 0
 %{_mandir}/man1/*
 %changelog
-* Sat Sep 18 yaoxin - 2.2.16-2
+* Fri Mar 11 2022 yaoxin - 2.2.16-3
+- Fix CVE-2022-0711
+
+* Sat Sep 18 2021 yaoxin - 2.2.16-2
 - Fix CVE-2021-40346
-* Mon Aug 30 yaoxin - 2.2.16-1
+* Mon Aug 30 2021 yaoxin - 2.2.16-1
 - Upgrade 2.2.16 to fix CVE-2021-39240
 * Thu Aug 26 liwu - 2.2.1-2
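Review bot: Declaring `Patch0002: CVE-2022-0711.patch` in the second hunk does not by itself apply the fix, and the `%prep` section lies outside these hunks, so whether the patch is actually applied cannot be confirmed from this diff. If `%prep` uses `%autosetup -p1` or `%autopatch`, the new patch is picked up automatically. If it lists patches explicitly, it needs a matching `%patch0002 -p1` line; otherwise the package ships as 2.2.16-3 with a changelog claiming the CVE-2022-0711 fix while `http_manage_server_side_cookies()` still contains the unbounded loop. A cheap verification is to check that the prepared source tree has `is_cookie2 ||` in the `Set-Cookie` condition in `src/http_ana.c`.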