From dd40a04baf13fb3d1552383fad0cc924c2cbe59e Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Thu, 20 Apr 2023 09:08:25 +0800
Subject: [PATCH] Fix CVE-2023-25950
(cherry picked from commit a07ed8195c7bd67b6121a715af93ac9a810ceff2)
---
 CVE-2023-25950.patch | 75 ++++++++++++++++++++++++++++++++++++++++++++
 haproxy.spec | 6 +++-
 2 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-25950.patch
diff --git a/CVE-2023-25950.patch b/CVE-2023-25950.patch
new file mode 100644
index 0000000..da6fdca
--- /dev/null
+++ b/CVE-2023-25950.patch
@@ -0,0 +1,75 @@
+From 22b44d5f2c7ce1ed0e4b62c639991d5abbd42a50 Mon Sep 17 00:00:00 2001
+From: Amaury Denoyelle
+Date: Wed, 7 Dec 2022 14:31:42 +0100
+Subject: [PATCH] BUG/MEDIUM: h3: reject request with invalid header name
+
+Reject request containing invalid header name. This concerns every
+header containing uppercase letter or a non HTTP token such as a space.
+
+For the moment, this kind of errors triggers a connection close. In the
+future, it should be handled only with a stream reset. To reduce
+backport surface, this will be implemented in another commit.
+
+Thanks to Yuki Mogi from FFRI Security, Inc. for having reported this.
+
+This must be backported up to 2.6.
+
+(cherry picked from commit d6fb7a0e0f3a79afa1f4b6fc7b62053c3955dc4a)
+Signed-off-by: Christopher Faulet
+(cherry picked from commit 3ca4223c5e1f18a19dc93b0b09ffdbd295554d46)
+Signed-off-by: Christopher Faulet
+---
+ src/h3.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/src/h3.c b/src/h3.c
+index 97e821e..5f1c68a 100644
+--- a/src/h3.c
++++ b/src/h3.c
+@@ -352,7 +352,27 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ //struct ist scheme = IST_NULL, authority = IST_NULL;
+ struct ist authority = IST_NULL;
+ int hdr_idx, ret;
+- int cookie = -1, last_cookie = -1;
++ int cookie = -1, last_cookie = -1, i;
++
++ /* RFC 9114 4.1.2. Malformed Requests and Responses
++ *
++ * A malformed request or response is one that is an otherwise valid
++ * sequence of frames but is invalid due to:
++ * - the presence of prohibited fields or pseudo-header fields,
++ * - the absence of mandatory pseudo-header fields,
++ * - invalid values for pseudo-header fields,
++ * - pseudo-header fields after fields,
++ * - an invalid sequence of HTTP messages,
++ * - the inclusion of uppercase field names, or
++ * - the inclusion of invalid characters in field names or values.
++ *
++ * [...]
++ *
++ * Intermediaries that process HTTP requests or responses (i.e., any
++ * intermediary not acting as a tunnel) MUST NOT forward a malformed
++ * request or response. Malformed requests or responses that are
++ * detected MUST be treated as a stream error of type H3_MESSAGE_ERROR.
++ */
+
+ TRACE_ENTER(H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
+
+@@ -416,6 +436,14 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ if (isteq(list[hdr_idx].n, ist("")))
+ break;
+
++ for (i = 0; i < list[hdr_idx].n.len; ++i) {
++ const char c = list[hdr_idx].n.ptr[i];
++ if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
++ TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
++ return -1;
++ }
++ }
++
+ if (isteq(list[hdr_idx].n, ist("cookie"))) {
+ http_cookie_register(list, hdr_idx, &cookie, &last_cookie);
+ continue;
+--
+1.7.10.4
+
diff --git a/haproxy.spec b/haproxy.spec
index 5700e44..96aee98 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -5,7 +5,7 @@ Name: haproxy
 Version: 2.6.6
-Release: 2
+Release: 3
 Summary: The Reliable, High Performance TCP/HTTP Load Balancer
 License: GPLv2+
@@ -18,6 +18,7 @@ Source4: %{name}.sysconfig
 Patch0: CVE-2023-25725.patch
 Patch1: CVE-2023-0056.patch
+Patch2: CVE-2023-25950.patch
 BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 Requires(pre): shadow-utils
@@ -119,6 +120,9 @@ exit 0
 %{_mandir}/man1/*
 %changelog
+* Thu Apr 20 2023 yaoxin - 2.6.6-3
+- Fix CVE-2023-25950
+
 * Sat Feb 25 2023 yaoxin - 2.6.6-2
 - Fix CVE-2023-25725 and CVE-2023-0056
-- Gitee
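Review bot: The uppercase check added in the inner `@@ -416,6 +436,14 @@` hunk of src/h3.c is off by one: `'Z' - 'A'` is 25, so `(uint8_t)(c - 'A') < 'Z' - 'A'` rejects 'A' through 'Y' but lets 'Z' through, and a field name whose only uppercase letter is 'Z' then depends entirely on `!HTTP_IS_TOKEN(c)`. The tchar set of RFC 9110 includes uppercase letters, so if HTTP_IS_TOKEN follows it (its definition is not visible in this patch) such a name is forwarded despite the RFC 9114 4.1.2 text quoted in the first hunk requiring it to be treated as malformed. The comparison should be inclusive, `if ((uint8_t)(c - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {`, which keeps the check independent of how HTTP_IS_TOKEN treats case. The enclosing h3_headers_to_htx starts and ends outside the hunk.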