Fix uninitialized reserved bytes

Resolves: #2180861
2023-05-02 08:41:14 -05:00 · 2023-05-02 08:41:14 -05:00 · c9ad76e1f2
commit c9ad76e1f2
parent 79d6b19154
2 changed files with 57 additions and 1 deletions
--- a/bz2180861-fcgi-fix-uninitialized-reserved-bytes.patch
+++ b/bz2180861-fcgi-fix-uninitialized-reserved-bytes.patch
@ -0,0 +1,51 @@
+From 0c86fce8028d409de4181e82eec967cfb1e6268e Mon Sep 17 00:00:00 2001
+From: Youfu Zhang <zhangyoufu@gmail.com>
+Date: Fri, 9 Dec 2022 19:15:48 +0800
+Subject: [PATCH] BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
+
+The output buffer is not zero-initialized. If we don't clear reserved
+bytes, fcgi requests sent to backend will leak sensitive data.
+
+This patch must be backported as far as 2.2.
+
+(cherry picked from commit 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit db03179fee55c60a92ce6b86a0f04dbb9ba0328b)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit f988992d16f45ef03d5bbb024a1042ed8123e4c5)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit 0dc4cdc276d4a0e3347b7c3c4aedca2a2e0ab428)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+---
+ src/fcgi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/fcgi.c b/src/fcgi.c
+index 1c2543def..778ce9e25 100644
+--- a/src/fcgi.c
+++ b/src/fcgi.c
+@@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h)
+ 	out->area[len++] = ((h->len >> 8) & 0xff);
+ 	out->area[len++] = (h->len & 0xff);
+ 	out->area[len++] = h->padding;
+-	len++; /* rsv */
+	out->area[len++] = 0; /* rsv */
+ 
+ 	out->data = len;
+ 	return 1;
+@@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques
+ 	out->area[len++] = ((r->role >> 8) & 0xff);
+ 	out->area[len++] = (r->role & 0xff);
+ 	out->area[len++] = r->flags;
+-	len += 5; /* rsv */
+	out->area[len++] = 0; /* rsv */
+	out->area[len++] = 0;
+	out->area[len++] = 0;
+	out->area[len++] = 0;
+	out->area[len++] = 0;
+ 
+ 	out->data = len;
+ 	return 1;
+-- 
+2.39.2
+
--- a/haproxy.spec
+++ b/haproxy.spec
@ -8,7 +8,7 @@

 Name:           haproxy
 Version:        2.4.17
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        HAProxy reverse proxy for high availability environments

 License:        GPLv2+
@ -24,6 +24,7 @@ Source6:        halog.1

 Patch0: bz2161140-refuse-response-end-stream-flag.patch
 Patch1: bz2169510-reject-empty-http-header-fields.patch
+Patch2: bz2180861-fcgi-fix-uninitialized-reserved-bytes.patch

 BuildRequires:  gcc
 BuildRequires:  lua-devel
@ -55,6 +56,7 @@ availability environments. Indeed, it can:
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1

 %build
 regparm_opts=
@ -137,6 +139,9 @@ done
 %{_sysusersdir}/%{name}.conf

 %changelog
+* Tue May 02 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-7
+- Fix uninitizalized resevered bytes (CVE-2023-0836, #2180861)
+
 * Mon Feb 27 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-6
 - Reject empty http header field names (CVE-2023-25725, #2169510)