Ryan O'Hara
parent
79d6b19154
commit
c9ad76e1f2
|
|
@ -0,0 +1,51 @@
|
|||
From 0c86fce8028d409de4181e82eec967cfb1e6268e Mon Sep 17 00:00:00 2001
|
||||
From: Youfu Zhang <zhangyoufu@gmail.com>
|
||||
Date: Fri, 9 Dec 2022 19:15:48 +0800
|
||||
Subject: [PATCH] BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
|
||||
|
||||
The output buffer is not zero-initialized. If we don't clear reserved
|
||||
bytes, fcgi requests sent to backend will leak sensitive data.
|
||||
|
||||
This patch must be backported as far as 2.2.
|
||||
|
||||
(cherry picked from commit 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8)
|
||||
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
|
||||
(cherry picked from commit db03179fee55c60a92ce6b86a0f04dbb9ba0328b)
|
||||
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
|
||||
(cherry picked from commit f988992d16f45ef03d5bbb024a1042ed8123e4c5)
|
||||
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
|
||||
(cherry picked from commit 0dc4cdc276d4a0e3347b7c3c4aedca2a2e0ab428)
|
||||
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
|
||||
---
|
||||
src/fcgi.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/fcgi.c b/src/fcgi.c
|
||||
index 1c2543def..778ce9e25 100644
|
||||
--- a/src/fcgi.c
|
||||
+++ b/src/fcgi.c
|
||||
@@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h)
|
||||
out->area[len++] = ((h->len >> 8) & 0xff);
|
||||
out->area[len++] = (h->len & 0xff);
|
||||
out->area[len++] = h->padding;
|
||||
- len++; /* rsv */
|
||||
+ out->area[len++] = 0; /* rsv */
|
||||
|
||||
out->data = len;
|
||||
return 1;
|
||||
@@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques
|
||||
out->area[len++] = ((r->role >> 8) & 0xff);
|
||||
out->area[len++] = (r->role & 0xff);
|
||||
out->area[len++] = r->flags;
|
||||
- len += 5; /* rsv */
|
||||
+ out->area[len++] = 0; /* rsv */
|
||||
+ out->area[len++] = 0;
|
||||
+ out->area[len++] = 0;
|
||||
+ out->area[len++] = 0;
|
||||
+ out->area[len++] = 0;
|
||||
|
||||
out->data = len;
|
||||
return 1;
|
||||
--
|
||||
2.39.2
|
||||
|
||||
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
Name: haproxy
|
||||
Version: 2.4.17
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Summary: HAProxy reverse proxy for high availability environments
|
||||
|
||||
License: GPLv2+
|
||||
|
|
@ -24,6 +24,7 @@ Source6: halog.1
|
|||
|
||||
Patch0: bz2161140-refuse-response-end-stream-flag.patch
|
||||
Patch1: bz2169510-reject-empty-http-header-fields.patch
|
||||
Patch2: bz2180861-fcgi-fix-uninitialized-reserved-bytes.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: lua-devel
|
||||
|
|
@ -55,6 +56,7 @@ availability environments. Indeed, it can:
|
|||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
%build
|
||||
regparm_opts=
|
||||
|
|
@ -137,6 +139,9 @@ done
|
|||
%{_sysusersdir}/%{name}.conf
|
||||
|
||||
%changelog
|
||||
* Tue May 02 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-7
|
||||
- Fix uninitizalized resevered bytes (CVE-2023-0836, #2180861)
|
||||
|
||||
* Mon Feb 27 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-6
|
||||
- Reject empty http header field names (CVE-2023-25725, #2169510)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue