diff --git a/CVE-2022-0711.patch b/CVE-2022-0711.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fd75f80b8096477c1186ccad3645a61c4337b504
--- /dev/null
+++ b/CVE-2022-0711.patch
@@ -0,0 +1,40 @@
+From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
+From: Andrew McDermott
+Date: Fri, 11 Feb 2022 18:26:49 +0000
+Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
+ http_manage_server_side_cookies
+Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
+header is found then the while(1) loop in
+http_manage_server_side_cookies() will never terminate, resulting in
+the watchdog firing and the process terminating via SIGABRT.
+The while(1) loop becomes unbounded because an unmatched call to
+http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
+calls to check for "Set-Cookie2" will now enumerate from the beginning
+of all the blocks and will once again match on subsequent
+passes (assuming a match first time around), hence the loop becoming
+unbounded.
+This issue was introduced with HTX and this fix should be backported
+to all versions supporting HTX.
+Many thanks to Grant Spence (gspence@redhat.com) for working through
+this issue with me.
+---
+ src/http_ana.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/http_ana.c b/src/http_ana.c
+index 715dd3a5c5..c2d9d9b439 100644
+--- a/src/http_ana.c
++++ b/src/http_ana.c
+@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
+ while (1) {
+ int is_first = 1;
+- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
++ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
+ if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
+ break;
+ is_cookie2 = 1;
diff --git a/haproxy.spec b/haproxy.spec
index d8787ad6341d04467c75fbfe7a8e391ecda4e708..a6bed46a3d4f9ed4db0974aec7affea20326bb9e 100644
--- a/haproxy.spec
+++ b/haproxy.spec
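Review bot: The added `is_cookie2 ||` guard in `http_manage_server_side_cookies()` carries no comment, so the reason the "Set-Cookie" lookup must never be retried is recorded only in the commit message. I would put a comment above the condition, e.g. `/* After Set-Cookie is exhausted ctx.blk is NULL; retrying it would restart the Set-Cookie2 scan from the first block and never terminate. */`. The guard also depends on `is_cookie2` being zero on entry to the loop; it is declared outside this hunk, so that should be confirmed against the 2.2.16 source being patched. Since the commit message describes the failure as a watchdog SIGABRT of the whole process, it would be worth running a response that carries a Set-Cookie2 header through the rebuilt package before release. The function body begins and ends outside the hunk.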
@@ -5,7 +5,7 @@
 Name: haproxy
 Version: 2.2.16
-Release: 2
+Release: 3
 Summary: The Reliable, High Performance TCP/HTTP Load Balancer
 License: GPLv2+
@@ -17,6 +17,7 @@ Source3: %{name}.logrotate
 Source4: %{name}.sysconfig
 Patch0001: CVE-2021-40346.patch
+Patch0002: CVE-2022-0711.patch
 BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic
 Requires: %{name}-help = %{version}-%{release}
@@ -124,6 +125,9 @@ exit 0
 %{_mandir}/man1/*
 %changelog
+* Fri Mar 11 2022 yaoxin - 2.2.16-3
+- Fix CVE-2022-0711
+
 * Sat Sep 18 2021 yaoxin - 2.2.16-2
 - Fix CVE-2021-40346