diff --git a/CVE-2023-0836.patch b/CVE-2023-0836.patch new file mode 100644 index 0000000000000000000000000000000000000000..f7086966d3d79d7241e5430412e410902dfc55ce --- /dev/null +++ b/CVE-2023-0836.patch @@ -0,0 +1,47 @@ +From f988992d16f45ef03d5bbb024a1042ed8123e4c5 Mon Sep 17 00:00:00 2001 +From: Youfu Zhang +Date: Fri, 9 Dec 2022 19:15:48 +0800 +Subject: [PATCH] BUG/MAJOR: fcgi: Fix uninitialized reserved bytes + +The output buffer is not zero-initialized. If we don't clear reserved +bytes, fcgi requests sent to backend will leak sensitive data. + +This patch must be backported as far as 2.2. + +(cherry picked from commit 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8) +Signed-off-by: Christopher Faulet +(cherry picked from commit db03179fee55c60a92ce6b86a0f04dbb9ba0328b) +Signed-off-by: Christopher Faulet +--- + src/fcgi.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/fcgi.c b/src/fcgi.c +index dcf2db2..1d1a82b 100644 +--- a/src/fcgi.c ++++ b/src/fcgi.c +@@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h) + out->area[len++] = ((h->len >> 8) & 0xff); + out->area[len++] = (h->len & 0xff); + out->area[len++] = h->padding; +- len++; /* rsv */ ++ out->area[len++] = 0; /* rsv */ + + out->data = len; + return 1; +@@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques + out->area[len++] = ((r->role >> 8) & 0xff); + out->area[len++] = (r->role & 0xff); + out->area[len++] = r->flags; +- len += 5; /* rsv */ ++ out->area[len++] = 0; /* rsv */ ++ out->area[len++] = 0; ++ out->area[len++] = 0; ++ out->area[len++] = 0; ++ out->area[len++] = 0; + + out->data = len; + return 1; +-- +1.7.10.4 + diff --git a/CVE-2023-45539.patch b/CVE-2023-45539.patch new file mode 100644 index 0000000000000000000000000000000000000000..60c1f073fbf5befbcc972e2c458f880a52421330 --- /dev/null +++ b/CVE-2023-45539.patch @@ -0,0 +1,107 @@ +From 2eab6d354322932cfec2ed54de261e4347eca9a6 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Tue, 8 Aug 2023 16:17:22 +0200 +Subject: [PATCH] BUG/MINOR: h1: do not accept '#' as part of the URI component + +Seth Manesse and Paul Plasil reported that the "path" sample fetch +function incorrectly accepts '#' as part of the path component. This +can in some cases lead to misrouted requests for rules that would apply +on the suffix: + + use_backend static if { path_end .png .jpg .gif .css .js } + +Note that this behavior can be selectively configured using +"normalize-uri fragment-encode" and "normalize-uri fragment-strip". + +The problem is that while the RFC says that this '#' must never be +emitted, as often it doesn't suggest how servers should handle it. A +diminishing number of servers still do accept it and trim it silently, +while others are rejecting it, as indicated in the conversation below +with other implementers: + + https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html + +Looking at logs from publicly exposed servers, such requests appear at +a rate of roughly 1 per million and only come from attacks or poorly +written web crawlers incorrectly following links found on various pages. + +Thus it looks like the best solution to this problem is to simply reject +such ambiguous requests by default, and include this in the list of +controls that can be disabled using "option accept-invalid-http-request". + +We're already rejecting URIs containing any control char anyway, so we +should also reject '#'. + +In the H1 parser for the H1_MSG_RQURI state, there is an accelerated +parser for bytes 0x21..0x7e that has been tightened to 0x24..0x7e (it +should not impact perf since 0x21..0x23 are not supposed to appear in +a URI anyway). This way '#' falls through the fine-grained filter and +we can add the special case for it also conditionned by a check on the +proxy's option "accept-invalid-http-request", with no overhead for the +vast majority of valid URIs. Here this information is available through +h1m->err_pos that's set to -2 when the option is here (so we don't need +to change the API to expose the proxy). Example with a trivial GET +through netcat: + + [08/Aug/2023:16:16:52.651] frontend layer1 (#2): invalid request + backend (#-1), server (#-1), event #0, src 127.0.0.1:50812 + buffer starts at 0 (including 0 out), 16361 free, + len 23, wraps at 16336, error at position 7 + H1 connection flags 0x00000000, H1 stream flags 0x00000810 + H1 msg state MSG_RQURI(4), H1 msg flags 0x00001400 + H1 chunk len 0 bytes, H1 body len 0 bytes : + + 00000 GET /aa#bb HTTP/1.0\r\n + 00021 \r\n + +This should be progressively backported to all stable versions along with +the following patch: + + REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests + +Similar fixes for h2 and h3 will come in followup patches. + +Thanks to Seth Manesse and Paul Plasil for reporting this problem with +detailed explanations. +--- + src/h1.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/src/h1.c b/src/h1.c +index 88a54c4a593d..4e224f895422 100644 +--- a/src/h1.c ++++ b/src/h1.c +@@ -551,13 +551,13 @@ int h1_headers_to_hdr_list(char *start, const char *stop, + case H1_MSG_RQURI: + http_msg_rquri: + #ifdef HA_UNALIGNED_LE +- /* speedup: skip bytes not between 0x21 and 0x7e inclusive */ ++ /* speedup: skip bytes not between 0x24 and 0x7e inclusive */ + while (ptr <= end - sizeof(int)) { +- int x = *(int *)ptr - 0x21212121; ++ int x = *(int *)ptr - 0x24242424; + if (x & 0x80808080) + break; + +- x -= 0x5e5e5e5e; ++ x -= 0x5b5b5b5b; + if (!(x & 0x80808080)) + break; + +@@ -569,8 +569,15 @@ int h1_headers_to_hdr_list(char *start, const char *stop, + goto http_msg_ood; + } + http_msg_rquri2: +- if (likely((unsigned char)(*ptr - 33) <= 93)) /* 33 to 126 included */ ++ if (likely((unsigned char)(*ptr - 33) <= 93)) { /* 33 to 126 included */ ++ if (*ptr == '#') { ++ if (h1m->err_pos < -1) /* PR_O2_REQBUG_OK not set */ ++ goto invalid_char; ++ if (h1m->err_pos == -1) /* PR_O2_REQBUG_OK set: just log */ ++ h1m->err_pos = ptr - start + skip; ++ } + EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_rquri2, http_msg_ood, state, H1_MSG_RQURI); ++ } + + if (likely(HTTP_IS_SPHT(*ptr))) { + sl.rq.u.len = ptr - sl.rq.u.ptr; diff --git a/haproxy.spec b/haproxy.spec index 19ed43768337e7f527c1fe4b9230044bd226937e..b28dc2381303c99a0c75eb01695ad4dfb51674d9 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -5,7 +5,7 @@ Name: haproxy Version: 2.6.6 -Release: 5 +Release: 6 Summary: The Reliable, High Performance TCP/HTTP Load Balancer License: GPLv2+ @@ -28,6 +28,10 @@ Patch8: backport-BUG-MEDIUM-connection-Preserve-flags-when-a-conn-is-. Patch9: backport-BUG-MINOR-protocol-fix-minor-memory-leak-in-protocol.patch Patch10: backport-BUG-MEDIUM-stream-do-not-try-to-free-a-failed-stream.patch Patch11: backport-BUG-MINOR-server-inherit-from-netns-in-srv_settings_.patch +# https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=f988992d16f45ef03d5bbb024a1042ed8123e4c5 +Patch12: CVE-2023-0836.patch +# https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6 +Patch13: CVE-2023-45539.patch BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic Requires(pre): shadow-utils @@ -129,6 +133,9 @@ exit 0 %{_mandir}/man1/* %changelog +* Wed Dec 06 2023 yaoxin - 2.6.6-6 +- Fix CVE-2023-0836 and CVE-2023-45539 + * Wed Sep 27 2023 xinghe - 2.6.6-5 - Type:bugfix - CVE:NA