import haproxy-1.8.27-2.el8

2021-05-18 02:58:41 -04:00 · 2021-05-18 02:58:41 -04:00 · 95e8a10778
commit 95e8a10778
parent c3fff9f648
6 changed files with 56 additions and 98 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/haproxy-1.8.23.tar.gz
+SOURCES/haproxy-1.8.27.tar.gz
--- a/.haproxy.metadata
+++ b/.haproxy.metadata
@ -1 +1 @@
-c1b6c1d4d5de55bcad874a0a7a02a94db5638b1f SOURCES/haproxy-1.8.23.tar.gz
+5a8a12d07da986d2ecba5f57a07a9e68fe597bfd SOURCES/haproxy-1.8.27.tar.gz
--- a/SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
+++ b/SOURCES/bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
@ -1,40 +0,0 @@
 From 57c9ecf43f1ae0211367d8ba79540e3a5d288d34 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Mon, 31 Dec 2018 07:41:24 +0100
 Subject: BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY is used
 MIME-Version: 1.0
 Content-Type: text/plain; charset=latin1
 Content-Transfer-Encoding: 8bit
 Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder
 when the PRIORITY flag is present. A check is missing to ensure the 5
 extra bytes needed with this flag are actually part of the frame. As per
 RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.
 Many thanks to Tim for responsibly reporting this issue with a working
 config and reproducer. This issue was assigned CVE-2018-20615.
 This fix must be backported to 1.9 and 1.8.
 ---
 src/mux_h2.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/mux_h2.c b/src/mux_h2.c
 index 5803a84ff..a67bbb049 100644
 --- a/src/mux_h2.c
 +++ b/src/mux_h2.c
@@ -3297,6 +3297,11 @@ next_frame:
 			goto fail;
 		}
 +		if (flen < 5) {
 +			h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
 +			goto fail;
 +		}
 +
 		hdrs += 5; // stream dep = 4, weight = 1
 		flen -= 5;
 	}
 -- 
 2.20.1
--- a/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
+++ b/SOURCES/bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
@ -1,51 +0,0 @@
 From 4e372dc350be5c72b88546bf03392a5793cea179 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Sun, 29 Mar 2020 08:53:31 +0200
 Subject: BUG/CRITICAL: hpack: never index a header into the headroom after
 wrapping
 The HPACK header table is implemented as a wrapping list inside a contigous
 area. Headers names and values are stored from right to left while indexes
 are stored from left to right. When there's no more room to store a new one,
 we wrap to the right again, or possibly defragment it if needed. The condition
 do use the right part (called tailroom) or the left part (called headroom)
 depends on the location of the last inserted header. After wrapping happens,
 the code forces to stick to tailroom by pretending there's no more headroom,
 so that the size fit test always fails. The problem is that nothing prevents
 from storing a header with an empty name and empty value, resulting in a
 total size of zero bytes, which satisfies the condition to use the headroom.
 Doing this in a wrapped buffer results in changing the "front" header index
 and causing miscalculations on the available size and the addresses of the
 next headers. This may even allow to overwrite some parts of the index,
 opening the possibility to perform arbitrary writes into a 32-bit relative
 address space.
 This patch fixes the issue by making sure the headroom is considered only
 when the buffer does not wrap, instead of relying on the zero size. This
 must be backported to all versions supporting H2, which is as far as 1.8.
 Many thanks to Felix Wilhelm of Google Project Zero for responsibly
 reporting this problem with a reproducer and a detailed analysis.
 ---
 src/hpack-tbl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
 index 70d7f35834..727ff7a17b 100644
 --- a/src/hpack-tbl.c
 +++ b/src/hpack-tbl.c
@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
 	 * room left in the tail to suit the protocol, but tests show that in
 	 * practice it almost never happens in other situations so the extra
 	 * test is useless and we simply fill the headroom as long as it's
 -	 * available.
 +	 * available and we don't wrap.
 	 */
 -	if (headroom >= name.len + value.len) {
 +	if (prev == dht->front && headroom >= name.len + value.len) {
 		/* install upfront and update ->front */
 		dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
 		dht->front = head;
 -- 
 2.20.1
--- a/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch
+++ b/SOURCES/rhbz1838319-mworker-fix-again-copy_argv.patch
@ -0,0 +1,45 @@
 From 58b3d8676bbef52bc76dd79ecfcf74582c34ec97 Mon Sep 17 00:00:00 2001
 From: William Lallemand <wlallemand@haproxy.org>
 Date: Thu, 17 Dec 2020 18:48:06 +0100
 Subject: [PATCH] BUG/MEDIUM: mworker: fix again copy_argv()
 When backporting patch df6c5a8 ("BUG/MEDIUM: mworker: fix the copy of
 options in copy_argv()") part of the patch was removed by mistake.
 Letting the bug #644 unfixed.
 This patch fixes the problem by reintroducing the missing part.
 1.8 only, no backport needed.
 ---
 src/haproxy.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 diff --git a/src/haproxy.c b/src/haproxy.c
 index 5ddf4d05..3947505b 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -1328,6 +1328,21 @@ static char **copy_argv(int argc, char **argv)
 						}
 						break;
 +					case 'C':
 +					case 'n':
 +					case 'm':
 +					case 'N':
 +					case 'L':
 +					case 'f':
 +					case 'p':
 +						/* these options have only 1 parameter which must be copied and can start with a '-' */
 +						*newargv++ = *argv++;
 +						argc--;
 +						if (argc == 0)
 +							goto error;
 +						*newargv++ = *argv++;
 +						argc--;
 +						break;
 					default:
 						/* for other options just copy them without parameters, this is also done
 						 * for options like "--foo", but this  will fail in the argument parser.
 -- 
 2.26.2
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@ -7,8 +7,8 @@
 %global _hardened_build 1
 Name:           haproxy
-Version:        1.8.23
+Version:        1.8.27
-Release:        5%{?dist}
+Release:        2%{?dist}
 Summary:        HAProxy reverse proxy for high availability environments
 Group:          System Environment/Daemons
@ -22,8 +22,7 @@ Source3:        %{name}.logrotate
 Source4:        %{name}.sysconfig
 Source5:        halog.1
-Patch0:		bz1664533-fix-handling-priority-flag-HTTP2-decoder.patch
+Patch0:		rhbz1838319-mworker-fix-again-copy_argv.patch
 Patch1:		bz1819519-fix-handling-hpack-zero-bytes-overwrite.patch
 BuildRequires:  lua-devel
 BuildRequires:  pcre-devel
@ -54,7 +53,6 @@ availability environments. Indeed, it can:
 %prep
 %setup -q
 %patch0 -p1
 %patch1 -p1
 %build
 regparm_opts=
@ -140,6 +138,12 @@ exit 0
 %{_mandir}/man1/*
 %changelog
 * Thu Dec 17 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.27-2
 - Fix copy_argv for arguments that begin with hypen (#1838319)
 * Thu Dec 10 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.27-1
 - Update to 1.8.27 (#1905663, #1838319)
 * Thu Jun 18 2020 Ryan O'Hara <rohara@redhat.com> - 1.8.23-5
 - Use OPTIONS from systemd EnvironmentFile (#1845611)
`@ -1 +1 @@`
	`SOURCES/haproxy-1.8.23.tar.gz`	`SOURCES/haproxy-1.8.27.tar.gz`
`@ -1 +1 @@`
	`c1b6c1d4d5de55bcad874a0a7a02a94db5638b1f SOURCES/haproxy-1.8.23.tar.gz`	`5a8a12d07da986d2ecba5f57a07a9e68fe597bfd SOURCES/haproxy-1.8.27.tar.gz`