~ubuntu-branches/ubuntu/saucy/haproxy/saucy

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2013-1912.patch

Committer: Package Import Robot
Author(s): Vincent Bernat, Apollon Oikonomopoulos, Vincent Bernat, Prach Pongpanich
Date: 2013-05-06 20:02:14 UTC
mfrom: (1.1.13) (14.1.1 sid)
Revision ID: package-import@ubuntu.com-20130506200214-21m58va04oazl7ot

Tags: 1.4.23-1

http://bugs.debian.org/643650

http://bugs.debian.org/678953

http://bugs.debian.org/674447

http://bugs.debian.org/704611

http://bugs.debian.org/702893

http://bugs.debian.org/641762

http://bugs.debian.org/649085

http://bugs.debian.org/706890

[ Apollon Oikonomopoulos ]
* New upstream version (Closes: #643650, #678953)
   + This fixes CVE-2012-2942 (Closes: #674447)
   + This fixes CVE-2013-1912 (Closes: #704611)
* Ship vim addon as vim-haproxy (Closes: #702893)
* Check for the configuration file after sourcing /etc/default/haproxy
  (Closes: #641762)
* Use /dev/log for logging by default (Closes: #649085)

[ Vincent Bernat ]
* debian/control:
   + add Vcs-* fields
   + switch maintenance to Debian HAProxy team. (Closes: #706890)
   + drop dependency to quilt: 3.0 (quilt) format is in use.
* debian/rules:
   + don't explicitly call dh_installchangelog.
   + use dh_installdirs to install directories.
   + use dh_install to install error and configuration files.
   + switch to `linux2628` Makefile target for Linux.
* debian/postrm:
   + remove haproxy user and group on purge.
* Ship a more minimal haproxy.cfg file: no `listen` blocks but `global`
  and `defaults` block with appropriate configuration to use chroot and
  logging in the expected way.

[ Prach Pongpanich ]
* debian/copyright:
   + add missing copyright holders
   + update years of copyright
* debian/rules:
   + build with -Wl,--as-needed to get rid of unnecessary depends
* Remove useless files in debian/haproxy.{docs,examples}
* Update debian/watch file, thanks to Bart Martens

files added:
.pc/0001-Replace-bash-with-sh-and-fix-bashisms.patch

.pc/0001-Replace-bash-with-sh-and-fix-bashisms.patch/examples

.pc/0001-Replace-bash-with-sh-and-fix-bashisms.patch/examples/debugfind

.pc/0001-Replace-bash-with-sh-and-fix-bashisms.patch/examples/stats_haproxy.sh

.pc/0002-Fix-typo-in-src-haproxy.c.patch

.pc/0002-Fix-typo-in-src-haproxy.c.patch/src

.pc/0002-Fix-typo-in-src-haproxy.c.patch/src/haproxy.c

contrib/iprange

contrib/iprange/Makefile

contrib/iprange/iprange.c

debian/NEWS

debian/haproxy.README.Debian

debian/haproxy.dirs

debian/haproxy.install

debian/haproxy.postrm

debian/haproxy.vim

debian/logrotate.conf

debian/patches/0001-Replace-bash-with-sh-and-fix-bashisms.patch

debian/patches/0002-Fix-typo-in-src-haproxy.c.patch

debian/rsyslog.conf

debian/vim-haproxy.install

debian/vim-haproxy.yaml

tests/test-http-send-name-hdr.cfg

files removed:
.pc/CVE-2012-2942.patch

.pc/CVE-2012-2942.patch/include

.pc/CVE-2012-2942.patch/include/types

.pc/CVE-2012-2942.patch/include/types/global.h

.pc/CVE-2012-2942.patch/src

.pc/CVE-2012-2942.patch/src/acl.c

.pc/CVE-2012-2942.patch/src/cfgparse.c

.pc/CVE-2012-2942.patch/src/checks.c

.pc/CVE-2012-2942.patch/src/dumpstats.c

.pc/CVE-2012-2942.patch/src/haproxy.c

.pc/CVE-2012-2942.patch/src/proto_http.c

.pc/CVE-2012-2942.patch/tests

.pc/CVE-2012-2942.patch/tests/0000-debug-stats.diff

.pc/CVE-2013-1912.patch

.pc/CVE-2013-1912.patch/src

.pc/CVE-2013-1912.patch/src/proto_http.c

.pc/bashism

.pc/bashism/examples

.pc/bashism/examples/debugfind

.pc/bashism/examples/stats_haproxy.sh

contrib/halog/fgets2-64.c

debian/NEWS.Debian

debian/README.source

debian/haproxy.lintian-overrides

debian/patches/CVE-2012-2942.patch

debian/patches/CVE-2013-1912.patch

debian/patches/bashism

files modified:
.pc/applied-patches

CHANGELOG

Makefile

README

VERDATE

VERSION

contrib/halog/Makefile

contrib/halog/fgets2.c

contrib/halog/halog.c

debian/changelog

debian/control

debian/copyright

debian/haproxy.cfg

debian/haproxy.docs

debian/haproxy.examples

debian/haproxy.init

debian/haproxy.postinst

debian/patches/series

debian/rules

debian/watch

doc/architecture.txt

doc/configuration.txt

ebtree/eb32tree.h

ebtree/eb64tree.h

ebtree/ebimtree.h

ebtree/ebistree.h

ebtree/ebmbtree.h

ebtree/ebsttree.h

ebtree/ebtree.h

examples/haproxy.spec

include/common/standard.h

include/common/time.h

include/proto/backend.h

include/proto/dumpstats.h

include/proto/proto_http.h

include/proto/queue.h

include/proto/task.h

include/types/backend.h

include/types/proto_http.h

include/types/proxy.h

include/types/server.h

src/acl.c

src/appsession.c

src/backend.c

src/cfgparse.c

src/checks.c

src/client.c

src/dumpstats.c

src/ev_epoll.c

src/ev_poll.c

src/ev_select.c

src/ev_sepoll.c

src/freq_ctr.c

src/haproxy.c

src/proto_http.c

src/proto_tcp.c

src/proxy.c

src/queue.c

src/session.c

src/signal.c

src/stream_sock.c

src/time.c

src/uri_auth.c

Show diffs side-by-side

added added

removed removed

debian/patches/CVE-2013-1912.patch

Backport of:

From: Willy Tarreau <w@1wt.eu>

Date: Fri, 29 Mar 2013 11:31:49 +0000 (+0100)

Subject: BUG/CRITICAL: using HTTP information in tcp-request content may crash the process

X-Git-Tag: v1.4.23~1

X-Git-Url: http://git.1wt.eu:81/web?p=haproxy-1.4.git;a=commitdiff_plain;h=dc80672211

BUG/CRITICAL: using HTTP information in tcp-request content may crash the process

During normal HTTP request processing, request buffers are realigned if

there are less than global.maxrewrite bytes available after them, in

order to leave enough room for rewriting headers after the request. This

is done in http_wait_for_request().

However, if some HTTP inspection happens during a "tcp-request content"

rule, this realignment is not performed. In theory this is not a problem

because empty buffers are always aligned and TCP inspection happens at

the beginning of a connection. But with HTTP keep-alive, it also happens

at the beginning of each subsequent request. So if a second request was

pipelined by the client before the first one had a chance to be forwarded,

the second request will not be realigned. Then, http_wait_for_request()

will not perform such a realignment either because the request was

already parsed and marked as such. The consequence of this, is that the

rewrite of a sufficient number of such pipelined, unaligned requests may

leave less room past the request been processed than the configured

reserve, which can lead to a buffer overflow if request processing appends

some data past the end of the buffer.

A number of conditions are required for the bug to be triggered :

- HTTP keep-alive must be enabled ;

- HTTP inspection in TCP rules must be used ;

- some request appending rules are needed (reqadd, x-forwarded-for)

- since empty buffers are always realigned, the client must pipeline

enough requests so that the buffer always contains something till

the point where there is no more room for rewriting.

While such a configuration is quite unlikely to be met (which is

confirmed by the bug's lifetime), a few people do use these features

together for very specific usages. And more importantly, writing such

a configuration and the request to attack it is trivial.

A quick workaround consists in forcing keep-alive off by adding

"option httpclose" or "option forceclose" in the frontend. Alternatively,

disabling HTTP-based TCP inspection rules enough if the application

supports it.

At first glance, this bug does not look like it could lead to remote code

execution, as the overflowing part is controlled by the configuration and

not by the user. But some deeper analysis should be performed to confirm

this. And anyway, corrupting the process' memory and crashing it is quite

trivial.

Special thanks go to Yves Lafon from the W3C who reported this bug and

deployed significant efforts to collect the relevant data needed to

understand it in less than one week.

CVE-2013-1912 was assigned to this issue.

Note that 1.4 is also affected so the fix must be backported.

(cherry picked from commit aae75e3279c6c9bd136413a72dafdcd4986bb89a)

---

Index: haproxy-1.4.18/src/proto_http.c

===================================================================

--- haproxy-1.4.18.orig/src/proto_http.c 2013-04-05 10:10:55.606062123 -0400

+++ haproxy-1.4.18/src/proto_http.c 2013-04-05 10:10:55.602062123 -0400

@@ -8097,6 +8097,14 @@

return 1;

}

+ /* If the buffer does not leave enough free space at the end,

+ * we must first realign it.

+ */

+ if (unlikely(req->lr > req->data &&

+ (req->r < req->lr || req->r > req->data + req->size - global.tune.maxrewrite)) &&

+ (req->l <= req->size - global.tune.maxrewrite))

+ http_buffer_heavy_realign(req, msg);

/* Try to decode HTTP request */

if (likely(req->lr < req->r))

http_msg_analyzer(req, msg, &txn->hdr_idx);

@@ -8114,6 +8122,20 @@

/* OK we got a valid HTTP request. We have some minor preparation to

* perform so that further checks can rely on HTTP tests.

+ /* If the request was parsed but was too large, we must absolutely

+ * return an error so that it is not processed. At the moment this

+ * cannot happen, but if the parsers are to change in the future,

+ * we want this check to be maintained.

+ */

+ if (unlikely(req->lr > req->data &&

+ (req->r < req->lr || req->l > req->size - global.tune.maxrewrite ||

+ req->r > req->data + req->size - global.tune.maxrewrite))) {

+ msg->msg_state = HTTP_MSG_ERROR;

+ test->flags |= ACL_TEST_F_SET_RES_PASS;

+ return 1;

+ }

100

101

txn->meth = find_http_meth(msg->sol, msg->sl.rq.m_l);

102

if (txn->meth == HTTP_METH_GET || txn->meth == HTTP_METH_HEAD)

103

s->flags |= SN_REDIRECTABLE;

Older »