diff --git a/CVE-2018-20102.patch b/CVE-2018-20102.patch deleted file mode 100644 index 69da7f2a70d5a2fcdf2c7deff5480c2449be15e2..0000000000000000000000000000000000000000 --- a/CVE-2018-20102.patch +++ /dev/null @@ -1,36 +0,0 @@ -From efbbdf72992cd20458259962346044cafd9331c0 Mon Sep 17 00:00:00 2001 -From: Remi Gacogne -Date: Wed, 5 Dec 2018 17:56:29 +0100 -Subject: [PATCH] BUG: dns: Prevent out-of-bounds read in - dns_validate_dns_response() - -We need to make sure that the record length is not making us read -past the end of the data we received. -Before this patch we could for example read the 16 bytes -corresponding to an AAAA record from the non-initialized part of -the buffer, possibly accessing anything that was left on the stack, -or even past the end of the 8193-byte buffer, depending on the -value of accepted_payload_size. - -To be backported to 1.8, probably also 1.7. ---- - src/dns.c | 5 +++++ - 1 file changed, 5 insertions(+) - -Index: haproxy-1.8.13/src/dns.c -=================================================================== ---- haproxy-1.8.13.orig/src/dns.c -+++ haproxy-1.8.13/src/dns.c -@@ -798,6 +798,11 @@ static int dns_validate_dns_response(uns - /* Move forward 2 bytes for data len */ - reader += 2; - -+ if (reader + dns_answer_record->data_len >= bufend) { -+ pool_free(dns_answer_item_pool, dns_answer_record); -+ return DNS_RESP_INVALID; -+ } -+ - /* Analyzing record content */ - switch (dns_answer_record->type) { - case DNS_RTYPE_A: - diff --git a/CVE-2018-20103.patch b/CVE-2018-20103.patch deleted file mode 100644 index 52fb6d4030f5244a4045d206d67106b1a6d9932c..0000000000000000000000000000000000000000 --- a/CVE-2018-20103.patch +++ /dev/null @@ -1,85 +0,0 @@ -From 58df5aea0a0c926b2238f65908f5e9f83d1cca25 Mon Sep 17 00:00:00 2001 -From: Remi Gacogne -Date: Wed, 5 Dec 2018 17:52:54 +0100 -Subject: [PATCH] BUG: dns: Prevent stack-exhaustion via recursion loop in - dns_read_name - -When a compressed pointer is encountered, dns_read_name() will call -itself with the pointed-to offset in the packet. -With a specially crafted packet, it was possible to trigger an -infinite-loop recursion by making the pointer points to itself. -While it would be possible to handle that particular case differently -by making sure that the target is different from the current offset, -it would still be possible to craft a packet with a very long chain -of valid pointers, always pointing backwards. To prevent a stack -exhaustion in that case, this patch restricts the number of recursive -calls to 100, which should be more than enough. - -To be backported to 1.8, probably also 1.7. ---- - src/dns.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -Index: haproxy-1.8.13/src/dns.c -=================================================================== ---- haproxy-1.8.13.orig/src/dns.c -+++ haproxy-1.8.13/src/dns.c -@@ -391,7 +391,7 @@ static inline unsigned short dns_respons - */ - int dns_read_name(unsigned char *buffer, unsigned char *bufend, - unsigned char *name, char *destination, int dest_len, -- int *offset) -+ int *offset, unsigned int depth) - { - int nb_bytes = 0, n = 0; - int label_len; -@@ -405,8 +405,11 @@ int dns_read_name(unsigned char *buffer, - if ((buffer + reader[1]) > reader) - goto err; - -+ if (depth++ > 100) -+ goto err; -+ - n = dns_read_name(buffer, bufend, buffer + reader[1], -- dest, dest_len - nb_bytes, offset); -+ dest, dest_len - nb_bytes, offset, depth); - if (n == 0) - goto err; - -@@ -692,7 +695,7 @@ static int dns_validate_dns_response(uns - * one query per response and the first one can't be compressed - * (using the 0x0c format) */ - offset = 0; -- len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset); -+ len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset, 0); - - if (len == 0) - return DNS_RESP_INVALID; -@@ -729,7 +732,7 @@ static int dns_validate_dns_response(uns - return (DNS_RESP_INVALID); - - offset = 0; -- len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset); -+ len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0); - - if (len == 0) { - pool_free(dns_answer_item_pool, dns_answer_record); -@@ -831,7 +834,7 @@ static int dns_validate_dns_response(uns - } - - offset = 0; -- len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset); -+ len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0); - if (len == 0) { - pool_free(dns_answer_item_pool, dns_answer_record); - return DNS_RESP_INVALID; -@@ -861,7 +864,7 @@ static int dns_validate_dns_response(uns - dns_answer_record->port = read_n16(reader); - reader += sizeof(uint16_t); - offset = 0; -- len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset); -+ len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0); - if (len == 0) { - pool_free(dns_answer_item_pool, dns_answer_record); - return DNS_RESP_INVALID; - diff --git a/CVE-2018-20615-BUG-CRITICAL-mux-h2-re-check-the-frame-length-when-P.patch b/CVE-2018-20615-BUG-CRITICAL-mux-h2-re-check-the-frame-length-when-P.patch deleted file mode 100644 index 2e7dc118ec8bee8fa5cea5ef59524ee7426f2c0b..0000000000000000000000000000000000000000 --- a/CVE-2018-20615-BUG-CRITICAL-mux-h2-re-check-the-frame-length-when-P.patch +++ /dev/null @@ -1,44 +0,0 @@ -From a01f45e3ced23c799f6e78b5efdbd32198a75354 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Mon, 31 Dec 2018 07:41:24 +0100 -Subject: [PATCH] BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY - is used -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder -when the PRIORITY flag is present. A check is missing to ensure the 5 -extra bytes needed with this flag are actually part of the frame. As per -RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR. - -Many thanks to Tim for responsibly reporting this issue with a working -config and reproducer. This issue was assigned CVE-2018-20615. - -This fix must be backported to 1.9 and 1.8. - -Signed-off-by: gaoyi ---- - src/mux_h2.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index dc67bc67..20ff9882 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -3316,6 +3316,11 @@ next_frame: - goto fail; - } - -+ if (flen < 5) { -+ h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR); -+ goto fail; -+ } -+ - hdrs += 5; // stream dep = 4, weight = 1 - flen -= 5; - } --- -2.19.1 - - diff --git a/CVE-2020-11100.patch b/CVE-2020-11100.patch deleted file mode 100644 index a2468a41e922b6a7db96491fe33c66d59b9e6922..0000000000000000000000000000000000000000 --- a/CVE-2020-11100.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 5dfc5d5cd0d2128d77253ead3acf03a421ab5b88 Mon Sep 17 00:00:00 2001 -From: Willy Tarreau -Date: Sun, 29 Mar 2020 08:53:31 +0200 -Subject: [PATCH 1/1] BUG/CRITICAL: hpack: never index a header into the - headroom after wrapping - -The HPACK header table is implemented as a wrapping list inside a contigous -area. Headers names and values are stored from right to left while indexes -are stored from left to right. When there's no more room to store a new one, -we wrap to the right again, or possibly defragment it if needed. The condition -do use the right part (called tailroom) or the left part (called headroom) -depends on the location of the last inserted header. After wrapping happens, -the code forces to stick to tailroom by pretending there's no more headroom, -so that the size fit test always fails. The problem is that nothing prevents -from storing a header with an empty name and empty value, resulting in a -total size of zero bytes, which satisfies the condition to use the headroom. -Doing this in a wrapped buffer results in changing the "front" header index -and causing miscalculations on the available size and the addresses of the -next headers. This may even allow to overwrite some parts of the index, -opening the possibility to perform arbitrary writes into a 32-bit relative -address space. - -This patch fixes the issue by making sure the headroom is considered only -when the buffer does not wrap, instead of relying on the zero size. This -must be backported to all versions supporting H2, which is as far as 1.8. - -Many thanks to Felix Wilhelm of Google Project Zero for responsibly -reporting this problem with a reproducer and a detailed analysis. -CVE-2020-11100 was assigned to this issue. ---- - src/hpack-tbl.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c -index 70d7f35..727ff7a 100644 ---- a/src/hpack-tbl.c -+++ b/src/hpack-tbl.c -@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value) - * room left in the tail to suit the protocol, but tests show that in - * practice it almost never happens in other situations so the extra - * test is useless and we simply fill the headroom as long as it's -- * available. -+ * available and we don't wrap. - */ -- if (headroom >= name.len + value.len) { -+ if (prev == dht->front && headroom >= name.len + value.len) { - /* install upfront and update ->front */ - dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len); - dht->front = head; --- -1.7.10.4 - diff --git a/haproxy-1.8.14.tar.gz b/haproxy-1.8.14.tar.gz deleted file mode 100644 index 5aa159631537ef6abdfb761b86ff5859ceb9926c..0000000000000000000000000000000000000000 Binary files a/haproxy-1.8.14.tar.gz and /dev/null differ diff --git a/haproxy-2.0.14.tar.gz b/haproxy-2.0.14.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..d6b6b3a7cc2a3fc8066a7b5fe4679c97e1cbc18b Binary files /dev/null and b/haproxy-2.0.14.tar.gz differ diff --git a/haproxy.spec b/haproxy.spec index 6aedee8309e5a64133136c9fb9421056d40864e9..6f9dea0ee52c22c73ec9b696c3a21357f94baac4 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -4,8 +4,8 @@ %global _hardened_build 1 Name: haproxy -Version: 1.8.14 -Release: 5 +Version: 2.0.14 +Release: 1 Summary: The Reliable, High Performance TCP/HTTP Load Balancer License: GPLv2+ @@ -16,12 +16,8 @@ Source2: %{name}.cfg Source3: %{name}.logrotate Source4: %{name}.sysconfig -Patch6000: CVE-2018-20615-BUG-CRITICAL-mux-h2-re-check-the-frame-length-when-P.patch -Patch6001: CVE-2018-20103.patch -Patch6002: CVE-2018-20102.patch -Patch6003: CVE-2020-11100.patch -BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units +BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic Requires(pre): shadow-utils Requires(post): systemd Requires(preun): systemd @@ -42,7 +38,7 @@ use_regparm_opt= use_regparm_opt="USE_REGPARM=1" %endif -%make_build CPU="generic" TARGET="linux2628" USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 \ +%make_build CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 \ USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 ${use_regparm_opt} \ ADDINC="%{optflags}" ADDLIB="%{__global_ldflags}" @@ -126,6 +122,9 @@ exit 0 %{_mandir}/man1/* %changelog +* Wed Jul 22 2020 hanzhijun - 2.0.14-1 +- update to 2.0.14 + * Thu May 7 2020 cuibaobao - 1.8.14-5 - Type:cves - ID: CVE-2020-11100