From 95e8a10778db48e3306c7b62c070bf77c72f87a4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 18 May 2021 02:58:41 -0400
Subject: [PATCH] import haproxy-1.8.27-2.el8
---
.gitignore | 2 +-
.haproxy.metadata | 2 +-
...handling-priority-flag-HTTP2-decoder.patch | 40 ---------------
...-handling-hpack-zero-bytes-overwrite.patch | 51 -------------------
...z1838319-mworker-fix-again-copy_argv.patch | 45 ++++++++++++++++
SPECS/haproxy.spec | 14 +++--
6 files changed, 56 insertions(+), 98 deletions(-)
delete mode 100644 SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
delete mode 100644 SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
create mode 100644 SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch
diff --git a/.gitignore b/.gitignore
index b3c4ea2..1c46cf2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/haproxy-1.8.23.tar.gz
+SOURCES/haproxy-1.8.27.tar.gz
diff --git a/.haproxy.metadata b/.haproxy.metadata
index 3d2a7e7..1054205 100644
--- a/.haproxy.metadata
+++ b/.haproxy.metadata
@@ -1 +1 @@
-c1b6c1d4d5de55bcad874a0a7a02a94db5638b1f SOURCES/haproxy-1.8.23.tar.gz
+5a8a12d07da986d2ecba5f57a07a9e68fe597bfd SOURCES/haproxy-1.8.27.tar.gz
diff --git a/SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch b/SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
deleted file mode 100644
index a2f97d3..0000000
--- a/SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 57c9ecf43f1ae0211367d8ba79540e3a5d288d34 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Mon, 31 Dec 2018 07:41:24 +0100
-Subject: BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used
-MIME-Version: 1.0
-Content-Type: text/plain; charset=latin1
-Content-Transfer-Encoding: 8bit
-
-Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder
-when the PRIORITY flag is present. A check is missing to ensure the 5
-extra bytes needed with this flag are actually part of the frame. As per
-RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.
-
-Many thanks to Tim for responsibly reporting this issue with a working
-config and reproducer. This issue was assigned CVE-2018-20615.
-
-This fix must be backported to 1.9 and 1.8.
----
- src/mux_h2.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/mux_h2.c b/src/mux_h2.c
-index 5803a84ff..a67bbb049 100644
---- a/src/mux_h2.c
-+++ b/src/mux_h2.c
-@@ -3297,6 +3297,11 @@ next_frame:
- goto fail;
- }
-
-+ if (flen < 5) {
-+ h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
-+ goto fail;
-+ }
-+
- hdrs += 5; // stream dep = 4, weight = 1
- flen -= 5;
- }
---
-2.20.1
-
diff --git a/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch b/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
deleted file mode 100644
index 24ed204..0000000
--- a/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 4e372dc350be5c72b88546bf03392a5793cea179 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Sun, 29 Mar 2020 08:53:31 +0200
-Subject: BUG/CRITICAL: hpack: never index a header into the headroom after
- wrapping
-
-The HPACK header table is implemented as a wrapping list inside a contigous
-area. Headers names and values are stored from right to left while indexes
-are stored from left to right. When there's no more room to store a new one,
-we wrap to the right again, or possibly defragment it if needed. The condition
-do use the right part (called tailroom) or the left part (called headroom)
-depends on the location of the last inserted header. After wrapping happens,
-the code forces to stick to tailroom by pretending there's no more headroom,
-so that the size fit test always fails. The problem is that nothing prevents
-from storing a header with an empty name and empty value, resulting in a
-total size of zero bytes, which satisfies the condition to use the headroom.
-Doing this in a wrapped buffer results in changing the "front" header index
-and causing miscalculations on the available size and the addresses of the
-next headers. This may even allow to overwrite some parts of the index,
-opening the possibility to perform arbitrary writes into a 32-bit relative
-address space.
-
-This patch fixes the issue by making sure the headroom is considered only
-when the buffer does not wrap, instead of relying on the zero size. This
-must be backported to all versions supporting H2, which is as far as 1.8.
-
-Many thanks to Felix Wilhelm of Google Project Zero for responsibly
-reporting this problem with a reproducer and a detailed analysis.
----
- src/hpack-tbl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
-index 70d7f35834..727ff7a17b 100644
---- a/src/hpack-tbl.c
-+++ b/src/hpack-tbl.c
-@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
- * room left in the tail to suit the protocol, but tests show that in
- * practice it almost never happens in other situations so the extra
- * test is useless and we simply fill the headroom as long as it's
-- * available.
-+ * available and we don't wrap.
- */
-- if (headroom >= name.len + value.len) {
-+ if (prev == dht->front && headroom >= name.len + value.len) {
- /* install upfront and update ->front */
- dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
- dht->front = head;
---
-2.20.1
-
diff --git a/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch b/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch
new file mode 100644
index 0000000..2c20482
--- /dev/null
+++ b/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch
@@ -0,0 +1,45 @@
+From 58b3d8676bbef52bc76dd79ecfcf74582c34ec97 Mon Sep 17 00:00:00 2001
+From: William Lallemand
+Date: Thu, 17 Dec 2020 18:48:06 +0100
+Subject: [PATCH] BUG/MEDIUM: mworker: fix again copy_argv()
+
+When backporting patch df6c5a8 ("BUG/MEDIUM: mworker: fix the copy of
+options in copy_argv()") part of the patch was removed by mistake.
+Letting the bug #644 unfixed.
+
+This patch fixes the problem by reintroducing the missing part.
+
+1.8 only, no backport needed.
+---
+ src/haproxy.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/haproxy.c b/src/haproxy.c
+index 5ddf4d05..3947505b 100644
+--- a/src/haproxy.c
++++ b/src/haproxy.c
+@@ -1328,6 +1328,21 @@ static char **copy_argv(int argc, char **argv)
+ }
+ break;
+
++ case 'C':
++ case 'n':
++ case 'm':
++ case 'N':
++ case 'L':
++ case 'f':
++ case 'p':
++ /* these options have only 1 parameter which must be copied and can start with a '-' */
++ *newargv++ = *argv++;
++ argc--;
++ if (argc == 0)
++ goto error;
++ *newargv++ = *argv++;
++ argc--;
++ break;
+ default:
+ /* for other options just copy them without parameters, this is also done
+ * for options like "--foo", but this will fail in the argument parser.
+--
+2.26.2
+
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 8a342f8..8255a7b 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -7,8 +7,8 @@ %global _hardened_build 1 Name: haproxy -Version: 1.8.23 -Release: 5%{?dist} +Version: 1.8.27 +Release: 2%{?dist} Summary: HAProxy reverse proxy for high availability environments Group: System Environment/Daemons
@@ -22,8 +22,7 @@ Source3: %{name}.logrotate Source4: %{name}.sysconfig Source5: halog.1 -Patch0: bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch -Patch1: bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch +Patch0: rhbz1838319-mworker-fix-again-copy_argv.patch BuildRequires: lua-devel BuildRequires: pcre-devel
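Review bot: In the `case 'C'` … `case 'p'` arm that the new rhbz1838319 patch adds to copy_argv(), the set of one-parameter options is hard-coded as bare case labels, with nothing tying it to the command-line parser that makes the same decision. If a parameter-taking option is later added to the parser but not to this list, it would reach `default:` and its value would presumably be re-examined as an option whenever it starts with '-', which is the class of bug this patch reintroduces the fix for. I would extend the comment to say so, for example `/* one-parameter options, keep in sync with the command-line parser; the parameter is copied verbatim even if it starts with '-' */`. The `argc == 0` test before the second copy does stop a trailing option without its parameter from reading past the end of argv, but the `error` label and the allocation of newargv lie outside the hunk, so whether that path releases the partly filled array cannot be confirmed from here.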
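Review bot: The `@@ -22,8 +22,7 @@` hunk of SPECS/haproxy.spec drops Patch0 (bz1664533, the CVE-2018-20615 H2 PRIORITY frame-length check) and Patch1 (bz1819519, the HPACK headroom fix), yet neither the spec nor the new %changelog entries record that these two critical fixes are now expected to come from the 1.8.27 tarball. Both upstream commit messages ask for a backport to 1.8, so the removal is probably correct, but nothing on this page confirms that the rebased source contains them. I would add a line to the 1.8.27-1 changelog entry such as `- Drop bz1664533 and bz1819519 patches, included upstream in 1.8.27`, after checking that the new src/mux_h2.c still carries the `flen` length check and src/hpack-tbl.c the `prev == dht->front` condition.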
@@ -54,7 +53,6 @@ availability environments. Indeed, it can: %prep %setup -q %patch0 -p1 -%patch1 -p1 %build regparm_opts=
@@ -140,6 +138,12 @@ exit 0 %{_mandir}/man1/* %changelog +* Thu Dec 17 2020 Ryan O'Hara - 1.8.27-2 +- Fix copy_argv for arguments that begin with hypen (#1838319) + +* Thu Dec 10 2020 Ryan O'Hara - 1.8.27-1 +- Update to 1.8.27 (#1905663, #1838319) + * Thu Jun 18 2020 Ryan O'Hara - 1.8.23-5 - Use OPTIONS from systemd EnvironmentFile (#1845611)