import haproxy-1.8.27-2.el8
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
c5e5f42744
commit
011b533269
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/haproxy-1.8.23.tar.gz
|
||||
SOURCES/haproxy-1.8.27.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
c1b6c1d4d5de55bcad874a0a7a02a94db5638b1f SOURCES/haproxy-1.8.23.tar.gz
|
||||
5a8a12d07da986d2ecba5f57a07a9e68fe597bfd SOURCES/haproxy-1.8.27.tar.gz
|
||||
|
||||
@ -1,40 +0,0 @@
|
||||
From 57c9ecf43f1ae0211367d8ba79540e3a5d288d34 Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Mon, 31 Dec 2018 07:41:24 +0100
|
||||
Subject: BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=latin1
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder
|
||||
when the PRIORITY flag is present. A check is missing to ensure the 5
|
||||
extra bytes needed with this flag are actually part of the frame. As per
|
||||
RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.
|
||||
|
||||
Many thanks to Tim for responsibly reporting this issue with a working
|
||||
config and reproducer. This issue was assigned CVE-2018-20615.
|
||||
|
||||
This fix must be backported to 1.9 and 1.8.
|
||||
---
|
||||
src/mux_h2.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/mux_h2.c b/src/mux_h2.c
|
||||
index 5803a84ff..a67bbb049 100644
|
||||
--- a/src/mux_h2.c
|
||||
+++ b/src/mux_h2.c
|
||||
@@ -3297,6 +3297,11 @@ next_frame:
|
||||
goto fail;
|
||||
}
|
||||
|
||||
+ if (flen < 5) {
|
||||
+ h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
hdrs += 5; // stream dep = 4, weight = 1
|
||||
flen -= 5;
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
@ -1,51 +0,0 @@
|
||||
From 4e372dc350be5c72b88546bf03392a5793cea179 Mon Sep 17 00:00:00 2001
|
||||
From: Willy Tarreau <w@1wt.eu>
|
||||
Date: Sun, 29 Mar 2020 08:53:31 +0200
|
||||
Subject: BUG/CRITICAL: hpack: never index a header into the headroom after
|
||||
wrapping
|
||||
|
||||
The HPACK header table is implemented as a wrapping list inside a contigous
|
||||
area. Headers names and values are stored from right to left while indexes
|
||||
are stored from left to right. When there's no more room to store a new one,
|
||||
we wrap to the right again, or possibly defragment it if needed. The condition
|
||||
do use the right part (called tailroom) or the left part (called headroom)
|
||||
depends on the location of the last inserted header. After wrapping happens,
|
||||
the code forces to stick to tailroom by pretending there's no more headroom,
|
||||
so that the size fit test always fails. The problem is that nothing prevents
|
||||
from storing a header with an empty name and empty value, resulting in a
|
||||
total size of zero bytes, which satisfies the condition to use the headroom.
|
||||
Doing this in a wrapped buffer results in changing the "front" header index
|
||||
and causing miscalculations on the available size and the addresses of the
|
||||
next headers. This may even allow to overwrite some parts of the index,
|
||||
opening the possibility to perform arbitrary writes into a 32-bit relative
|
||||
address space.
|
||||
|
||||
This patch fixes the issue by making sure the headroom is considered only
|
||||
when the buffer does not wrap, instead of relying on the zero size. This
|
||||
must be backported to all versions supporting H2, which is as far as 1.8.
|
||||
|
||||
Many thanks to Felix Wilhelm of Google Project Zero for responsibly
|
||||
reporting this problem with a reproducer and a detailed analysis.
|
||||
---
|
||||
src/hpack-tbl.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
|
||||
index 70d7f35834..727ff7a17b 100644
|
||||
--- a/src/hpack-tbl.c
|
||||
+++ b/src/hpack-tbl.c
|
||||
@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
|
||||
* room left in the tail to suit the protocol, but tests show that in
|
||||
* practice it almost never happens in other situations so the extra
|
||||
* test is useless and we simply fill the headroom as long as it's
|
||||
- * available.
|
||||
+ * available and we don't wrap.
|
||||
*/
|
||||
- if (headroom >= name.len + value.len) {
|
||||
+ if (prev == dht->front && headroom >= name.len + value.len) {
|
||||
/* install upfront and update ->front */
|
||||
dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
|
||||
dht->front = head;
|
||||
--
|
||||
2.20.1
|
||||
|
||||
45
SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch
Normal file
45
SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From 58b3d8676bbef52bc76dd79ecfcf74582c34ec97 Mon Sep 17 00:00:00 2001
|
||||
From: William Lallemand <wlallemand@haproxy.org>
|
||||
Date: Thu, 17 Dec 2020 18:48:06 +0100
|
||||
Subject: [PATCH] BUG/MEDIUM: mworker: fix again copy_argv()
|
||||
|
||||
When backporting patch df6c5a8 ("BUG/MEDIUM: mworker: fix the copy of
|
||||
options in copy_argv()") part of the patch was removed by mistake.
|
||||
Letting the bug #644 unfixed.
|
||||
|
||||
This patch fixes the problem by reintroducing the missing part.
|
||||
|
||||
1.8 only, no backport needed.
|
||||
---
|
||||
src/haproxy.c | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/src/haproxy.c b/src/haproxy.c
|
||||
index 5ddf4d05..3947505b 100644
|
||||
--- a/src/haproxy.c
|
||||
+++ b/src/haproxy.c
|
||||
@@ -1328,6 +1328,21 @@ static char **copy_argv(int argc, char **argv)
|
||||
}
|
||||
break;
|
||||
|
||||
+ case 'C':
|
||||
+ case 'n':
|
||||
+ case 'm':
|
||||
+ case 'N':
|
||||
+ case 'L':
|
||||
+ case 'f':
|
||||
+ case 'p':
|
||||
+ /* these options have only 1 parameter which must be copied and can start with a '-' */
|
||||
+ *newargv++ = *argv++;
|
||||
+ argc--;
|
||||
+ if (argc == 0)
|
||||
+ goto error;
|
||||
+ *newargv++ = *argv++;
|
||||
+ argc--;
|
||||
+ break;
|
||||
default:
|
||||
/* for other options just copy them without parameters, this is also done
|
||||
* for options like "--foo", but this will fail in the argument parser.
|
||||
--
|
||||
2.26.2
|
||||
|
||||
@ -7,8 +7,8 @@
|
||||
%global _hardened_build 1
|
||||
|
||||
Name: haproxy
|
||||
Version: 1.8.23
|
||||
Release: 5%{?dist}
|
||||
Version: 1.8.27
|
||||
Release: 2%{?dist}
|
||||
Summary: HAProxy reverse proxy for high availability environments
|
||||
|
||||
Group: System Environment/Daemons
|
||||
@ -22,8 +22,7 @@ Source3: %{name}.logrotate
|
||||
Source4: %{name}.sysconfig
|
||||
Source5: halog.1
|
||||
|
||||
Patch0: bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
|
||||
Patch1: bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
|
||||
Patch0: rhbz1838319-mworker-fix-again-copy_argv.patch
|
||||
|
||||
BuildRequires: lua-devel
|
||||
BuildRequires: pcre-devel
|
||||
@ -54,7 +53,6 @@ availability environments. Indeed, it can:
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
|
||||
%build
|
||||
regparm_opts=
|
||||
@ -140,6 +138,12 @@ exit 0
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Thu Dec 17 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.27-2
|
||||
- Fix copy_argv for arguments that begin with hypen (#1838319)
|
||||
|
||||
* Thu Dec 10 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.27-1
|
||||
- Update to 1.8.27 (#1905663, #1838319)
|
||||
|
||||
* Thu Jun 18 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.23-5
|
||||
- Use OPTIONS from systemd EnvironmentFile (#1845611)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user