diff --git a/CVE-2022-0711.patch b/CVE-2022-0711.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fd75f80b8096477c1186ccad3645a61c4337b504
--- /dev/null
+++ b/CVE-2022-0711.patch
@@ -0,0 +1,40 @@
+From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
+From: Andrew McDermott
+Date: Fri, 11 Feb 2022 18:26:49 +0000
+Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
+ http_manage_server_side_cookies
+
+Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
+header is found then the while(1) loop in
+http_manage_server_side_cookies() will never terminate, resulting in
+the watchdog firing and the process terminating via SIGABRT.
+
+The while(1) loop becomes unbounded because an unmatched call to
+http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
+calls to check for "Set-Cookie2" will now enumerate from the beginning
+of all the blocks and will once again match on subsequent
+passes (assuming a match first time around), hence the loop becoming
+unbounded.
+
+This issue was introduced with HTX and this fix should be backported
+to all versions supporting HTX.
+
+Many thanks to Grant Spence (gspence@redhat.com) for working through
+this issue with me.
+---
+ src/http_ana.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/http_ana.c b/src/http_ana.c
+index 715dd3a5c5..c2d9d9b439 100644
+--- a/src/http_ana.c
++++ b/src/http_ana.c
+@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
+ while (1) {
+ int is_first = 1;
+
+- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
++ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
+ if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
+ break;
+ is_cookie2 = 1;
diff --git a/haproxy.spec b/haproxy.spec
index 8015e41487fb2932a28abfb4e523feb06953bb1d..9415ae4cf7f8154c24bf715d53d9bfb7a383f373 100644
--- a/haproxy.spec
+++ b/haproxy.spec
@@ -5,7 +5,7 @@ Name: haproxy Version: 2.4.8 -Release: 1 +Release: 2 Summary: The Reliable, High Performance TCP/HTTP Load Balancer License: GPLv2+ @@ -16,6 +16,8 @@ Source2: %{name}.cfg Source3: %{name}.logrotate Source4: %{name}.sysconfig +Patch0: CVE-2022-0711.patch + BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic Requires(pre): shadow-utils %{?systemd_requires} @@ -118,6 +120,9 @@ exit 0 %{_mandir}/man1/* %changelog +* Fri Mar 11 2022 yaoxin - 2.4.8-2 +- Fix CVE-2022-0711 + * Tue Dec 07 2021 yanglu - 2.4.8-1 - update haproxy to 2.4.8
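Review bot: `Patch0: CVE-2022-0711.patch` is declared in the second hunk, but no hunk touches `%prep`, so whether the fix is actually applied depends on spec lines outside this diff. If `%prep` uses `%autosetup -p1` the patch is picked up automatically; if it uses plain `%setup`, a `%patch0 -p1` line is needed there. Without it the package would ship as 2.4.8-2 with a changelog entry claiming the CVE-2022-0711 fix while `src/http_ana.c` still contains the unbounded loop. It is worth confirming in the build log that the patch is applied.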