From 0939dce7d76fb1f4231d3db07a816c3415b2f751 Mon Sep 17 00:00:00 2001
From: liningjie
Date: Fri, 1 Dec 2023 13:54:35 +0800
Subject: [PATCH] Fix CVE-2023-0836
(cherry picked from commit 0614a9b80f5fd35ef33e5b591f06d31e204873eb)
---
 CVE-2023-0836.patch | 41 +++++++++++++++++++++++++++++++++++++++++
 haproxy.spec | 6 +++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-0836.patch
diff --git a/CVE-2023-0836.patch b/CVE-2023-0836.patch
new file mode 100644
index 0000000..6767772
--- /dev/null
+++ b/CVE-2023-0836.patch
@@ -0,0 +1,41 @@
+From 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8 Mon Sep 17 00:00:00 2001
+From: Youfu Zhang
+Date: Fri, 9 Dec 2022 19:15:48 +0800
+Subject: [PATCH] BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
+
+The output buffer is not zero-initialized. If we don't clear reserved
+bytes, fcgi requests sent to backend will leak sensitive data.
+
+This patch must be backported as far as 2.2.
+---
+ src/fcgi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/fcgi.c b/src/fcgi.c
+index dcf2db2..1d1a82b 100644
+--- a/src/fcgi.c
++++ b/src/fcgi.c
+@@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h)
+ out->area[len++] = ((h->len >> 8) & 0xff);
+ out->area[len++] = (h->len & 0xff);
+ out->area[len++] = h->padding;
+- len++; /* rsv */
++ out->area[len++] = 0; /* rsv */
+
+ out->data = len;
+ return 1;
+@@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques
+ out->area[len++] = ((r->role >> 8) & 0xff);
+ out->area[len++] = (r->role & 0xff);
+ out->area[len++] = r->flags;
+- len += 5; /* rsv */
++ out->area[len++] = 0; /* rsv */
++ out->area[len++] = 0;
++ out->area[len++] = 0;
++ out->area[len++] = 0;
++ out->area[len++] = 0;
+
+ out->data = len;
+ return 1;
+--
+1.7.10.4
diff --git a/haproxy.spec b/haproxy.spec
index 60e642f..293cb00 100644
--- a/haproxy.spec
+++ b/haproxy.spec
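Review bot: Nothing in the hunk shows who fills the `h->padding` bytes that the record header announces, and the commit message's uninitialized-output-buffer argument applies to them exactly as it does to the reserved bytes zeroed here; confirm that the caller zero-fills the padding region before `out->data` is advanced over it, or track that as a follow-up rather than assume this backport closes the whole leak. Both enclosing functions, `fcgi_encode_record_hdr` and `fcgi_encode_begin_request`, start outside the hunk, so the size check that makes the new stores safe is not visible, but the five stores consume the same 5 bytes the old `len += 5;` skipped, so the existing check presumably still covers them. As a point of style, the five single-byte stores could be `memset(out->area + len, 0, 5); len += 5; /* rsv */`, though keeping the distro patch byte-identical to upstream 2e6bf0a is the better trade-off for future rebases.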
@@ -5,7 +5,7 @@ Name: haproxy
 Version: 2.2.16
-Release: 5
+Release: 6
 Summary: The Reliable, High Performance TCP/HTTP Load Balancer
 License: GPLv2+
@@ -21,6 +21,7 @@ Patch0002: CVE-2022-0711.patch
 Patch0003: CVE-2023-25725.patch
 Patch0004: CVE-2023-0056.patch
 Patch0005: CVE-2023-40225.patch
+Patch0006: CVE-2023-0836.patch
 BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic
 Requires: %{name}-help = %{version}-%{release}
@@ -128,6 +129,9 @@ exit 0
 %{_mandir}/man1/*
 %changelog
+* Fri Dec 1 2023 liningjie - 2.2.16-6
+- Fix CVE-2023-0836
+
 * Mon Aug 21 2023 wangkai - 2.2.16-5
 - Fix CVE-2023-40225
-- Gitee
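Review bot: `Patch0006: CVE-2023-0836.patch` is only declared in the hunk at -21; the %prep section is outside the diff, so confirm the patch is actually applied there (an `%autosetup -p1` that picks up every PatchN, or an explicit `%patch0006 -p1` alongside however Patch0001–Patch0005 are applied), otherwise the package is rebuilt as 2.2.16-6 and the changelog claims the fix while the binary still sends uninitialized reserved bytes. The added patch's inner headers are `--- a/src/fcgi.c` / `+++ b/src/fcgi.c`, so the strip level must be 1, presumably the same as the sibling CVE patches. A cheap build-time guard is to grep the unpacked `src/fcgi.c` for `out->area[len++] = 0; /* rsv */` after %prep, or to check it in a scratch build before tagging the release.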