From 0939dce7d76fb1f4231d3db07a816c3415b2f751 Mon Sep 17 00:00:00 2001
From: liningjie <liningjie@xfusion.com>
Date: Fri, 1 Dec 2023 13:54:35 +0800
Subject: [PATCH] Fix CVE-2023-0836

(cherry picked from commit 0614a9b80f5fd35ef33e5b591f06d31e204873eb)
---
 CVE-2023-0836.patch | 41 +++++++++++++++++++++++++++++++++++++++++
 haproxy.spec        |  6 +++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-0836.patch

diff --git a/CVE-2023-0836.patch b/CVE-2023-0836.patch
new file mode 100644
index 0000000..6767772
--- /dev/null
+++ b/CVE-2023-0836.patch
@@ -0,0 +1,41 @@
+From 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8 Mon Sep 17 00:00:00 2001
+From: Youfu Zhang <zhangyoufu@gmail.com>
+Date: Fri, 9 Dec 2022 19:15:48 +0800
+Subject: [PATCH] BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
+
+The output buffer is not zero-initialized. If we don't clear reserved
+bytes, fcgi requests sent to backend will leak sensitive data.
+
+This patch must be backported as far as 2.2.
+---
+ src/fcgi.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/fcgi.c b/src/fcgi.c
+index dcf2db2..1d1a82b 100644
+--- a/src/fcgi.c
++++ b/src/fcgi.c
+@@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h)
+ 	out->area[len++] = ((h->len >> 8) & 0xff);
+ 	out->area[len++] = (h->len & 0xff);
+ 	out->area[len++] = h->padding;
+-	len++; /* rsv */
++	out->area[len++] = 0; /* rsv */
+ 
+ 	out->data = len;
+ 	return 1;
+@@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques
+ 	out->area[len++] = ((r->role >> 8) & 0xff);
+ 	out->area[len++] = (r->role & 0xff);
+ 	out->area[len++] = r->flags;
+-	len += 5; /* rsv */
++	out->area[len++] = 0; /* rsv */
++	out->area[len++] = 0;
++	out->area[len++] = 0;
++	out->area[len++] = 0;
++	out->area[len++] = 0;
+ 
+ 	out->data = len;
+ 	return 1;
+-- 
+1.7.10.4
diff --git a/haproxy.spec b/haproxy.spec
index 60e642f..293cb00 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -5,7 +5,7 @@
 
 Name:             haproxy
 Version:          2.2.16
-Release:          5
+Release:          6
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 
 License:          GPLv2+
@@ -21,6 +21,7 @@ Patch0002:        CVE-2022-0711.patch
 Patch0003:        CVE-2023-25725.patch
 Patch0004:        CVE-2023-0056.patch
 Patch0005:        CVE-2023-40225.patch
+Patch0006:        CVE-2023-0836.patch
 
 BuildRequires:    gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic
 Requires:         %{name}-help = %{version}-%{release}
@@ -128,6 +129,9 @@ exit 0
 %{_mandir}/man1/*
 
 %changelog
+* Fri Dec 1 2023 liningjie <liningjie@xfusion.com> - 2.2.16-6
+- Fix CVE-2023-0836
+
 * Mon Aug 21 2023 wangkai <wang_kai001@hoperun.com> - 2.2.16-5
 - Fix CVE-2023-40225
 
-- 
Gitee