From c9ad76e1f224b56145af534c0e377a43a4cddd62 Mon Sep 17 00:00:00 2001
From: Ryan O'Hara
Date: Tue, 2 May 2023 08:41:14 -0500
Subject: [PATCH] Fix uninitialized reserved bytes
Resolves: #2180861
---
 ...cgi-fix-uninitialized-reserved-bytes.patch | 51 +++++++++++++++++++
 haproxy.spec | 7 ++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 bz2180861-fcgi-fix-uninitialized-reserved-bytes.patch
diff --git a/bz2180861-fcgi-fix-uninitialized-reserved-bytes.patch b/bz2180861-fcgi-fix-uninitialized-reserved-bytes.patch
new file mode 100644
index 0000000..b38256a
--- /dev/null
+++ b/bz2180861-fcgi-fix-uninitialized-reserved-bytes.patch
@@ -0,0 +1,51 @@
+From 0c86fce8028d409de4181e82eec967cfb1e6268e Mon Sep 17 00:00:00 2001
+From: Youfu Zhang
+Date: Fri, 9 Dec 2022 19:15:48 +0800
+Subject: [PATCH] BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
+
+The output buffer is not zero-initialized. If we don't clear reserved
+bytes, fcgi requests sent to backend will leak sensitive data.
+
+This patch must be backported as far as 2.2.
+
+(cherry picked from commit 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8)
+Signed-off-by: Christopher Faulet
+(cherry picked from commit db03179fee55c60a92ce6b86a0f04dbb9ba0328b)
+Signed-off-by: Christopher Faulet
+(cherry picked from commit f988992d16f45ef03d5bbb024a1042ed8123e4c5)
+Signed-off-by: Christopher Faulet
+(cherry picked from commit 0dc4cdc276d4a0e3347b7c3c4aedca2a2e0ab428)
+Signed-off-by: Christopher Faulet
+---
+ src/fcgi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/fcgi.c b/src/fcgi.c
+index 1c2543def..778ce9e25 100644
+--- a/src/fcgi.c
++++ b/src/fcgi.c
+@@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h)
+ out->area[len++] = ((h->len >> 8) & 0xff);
+ out->area[len++] = (h->len & 0xff);
+ out->area[len++] = h->padding;
+- len++; /* rsv */
++ out->area[len++] = 0; /* rsv */
+
+ out->data = len;
+ return 1;
+@@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques
+ out->area[len++] = ((r->role >> 8) & 0xff);
+ out->area[len++] = (r->role & 0xff);
+ out->area[len++] = r->flags;
+- len += 5; /* rsv */
++ out->area[len++] = 0; /* rsv */
++ out->area[len++] = 0;
++ out->area[len++] = 0;
++ out->area[len++] = 0;
++ out->area[len++] = 0;
+
+ out->data = len;
+ return 1;
+--
+2.39.2
+
diff --git a/haproxy.spec b/haproxy.spec
index a9671a1..f5a15f3 100644
--- a/haproxy.spec
+++ b/haproxy.spec
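Review bot: The five consecutive `out->area[len++] = 0;` stores added in fcgi_encode_begin_request would read better as one bounded fill, `memset(out->area + len, 0, 5); len += 5; /* rsv */`, which keeps the shape of the original `len += 5` and makes the reserved-byte count explicit; the single-byte store in fcgi_encode_record_hdr is fine as written. The `/* rsv */` comment could also say why the explicit zeroing is needed, since that reason currently lives only in the commit message, e.g. `/* rsv: out->area is not zero-initialized, so the reserved bytes must be written explicitly */`. Both enclosing functions start and end outside the hunk; the removed `len++` and `len += 5` already consumed the same positions, so the room required in out is unchanged by this fix, but whatever check guarantees that room is not visible here.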
@@ -8,7 +8,7 @@
 Name: haproxy
 Version: 2.4.17
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: HAProxy reverse proxy for high availability environments
 License: GPLv2+
@@ -24,6 +24,7 @@ Source6: halog.1
 Patch0: bz2161140-refuse-response-end-stream-flag.patch
 Patch1: bz2169510-reject-empty-http-header-fields.patch
+Patch2: bz2180861-fcgi-fix-uninitialized-reserved-bytes.patch
 BuildRequires: gcc
 BuildRequires: lua-devel
@@ -55,6 +56,7 @@ availability environments. Indeed, it can:
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %build
 regparm_opts=
@@ -137,6 +139,9 @@ done
 %{_sysusersdir}/%{name}.conf
 %changelog
+* Tue May 02 2023 Ryan O'Hara - 2.4.17-7
+- Fix uninitizalized resevered bytes (CVE-2023-0836, #2180861)
+
 * Mon Feb 27 2023 Ryan O'Hara - 2.4.17-6
 - Reject empty http header field names (CVE-2023-25725, #2169510)