author Leo <thinkabit.ukim@gmail.com> 2020-04-14 11:28:39 -0300
committer Leo <thinkabit.ukim@gmail.com> 2020-04-14 11:28:39 -0300
commit 7ce71a261b936c5390c3a099f38bce164e895ce6 (patch)
tree 05b3ea1eafca7ddd5956a8871358741d38989ada
parent bf12d0cce2f7c5041a183d56c53bfbc2bf890930 (diff)
main/haproxy: fixes CVE-2020-11100
See #11389
-rw-r--r-- main/haproxy/APKBUILD 7
-rw-r--r-- main/haproxy/CVE-2020-11100.patch 56
2 files changed, 61 insertions, 2 deletions
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index e1b6eaf91d..5256ceb09f 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -17,7 +17,9 @@ subpackages="$pkgname-doc"
source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar.gz
libressl-2.7.patch
haproxy.initd
- haproxy.cfg"
+ haproxy.cfg
+ CVE-2020-11100.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
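Review bot: neither visible APKBUILD hunk touches pkgrel, although the source= change here adds a security patch to an unchanged haproxy-1.8.23 tarball; without a pkgrel bump, systems that already have the current build are not offered the fixed package. Bump pkgrel in the same commit, and add a `# secfixes:` entry listing CVE-2020-11100 under the new version-release so the fix is recorded for the package.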
@@ -56,4 +58,5 @@ package() {
sha512sums="bfd65179345285f6f4581a7dce42e638b89e12717d4cb9218afa085759161e04b6c78307d04265a6c97cd484b67949781639da5236edb89137585c625130be4f haproxy-1.8.23.tar.gz
06908ddc3c689f4887bd3ae89bed49c17b5ead7938ce4c8b31128067be9a1a98afbfeacf2f1f9ba784d0ce12ac2042de6123435d03dcdfa911924a89792a9e9c libressl-2.7.patch
3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
-26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
+26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg
+9070591a22adff38d6451e7170f7e91265cac8bce249f09ded61b261025ffeff606ee50c4ffeb26ba619abd701d1caf1925c92603539d84ad037d6f90c1d0a86 CVE-2020-11100.patch"
diff --git a/main/haproxy/CVE-2020-11100.patch b/main/haproxy/CVE-2020-11100.patch
new file mode 100644
index 0000000000..d1dd13a514
--- /dev/null
+++ b/main/haproxy/CVE-2020-11100.patch
@@ -0,0 +1,56 @@
+From f17f86304f187b0f10ca6a8d46346afd9851a543 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 29 Mar 2020 08:53:31 +0200
+Subject: [PATCH] BUG/CRITICAL: hpack: never index a header into the headroom
+ after wrapping
+
+The HPACK header table is implemented as a wrapping list inside a contigous
+area. Headers names and values are stored from right to left while indexes
+are stored from left to right. When there's no more room to store a new one,
+we wrap to the right again, or possibly defragment it if needed. The condition
+do use the right part (called tailroom) or the left part (called headroom)
+depends on the location of the last inserted header. After wrapping happens,
+the code forces to stick to tailroom by pretending there's no more headroom,
+so that the size fit test always fails. The problem is that nothing prevents
+from storing a header with an empty name and empty value, resulting in a
+total size of zero bytes, which satisfies the condition to use the headroom.
+Doing this in a wrapped buffer results in changing the "front" header index
+and causing miscalculations on the available size and the addresses of the
+next headers. This may even allow to overwrite some parts of the index,
+opening the possibility to perform arbitrary writes into a 32-bit relative
+address space.
+
+This patch fixes the issue by making sure the headroom is considered only
+when the buffer does not wrap, instead of relying on the zero size. This
+must be backported to all versions supporting H2, which is as far as 1.8.
+
+Many thanks to Felix Wilhelm of Google Project Zero for responsibly
+reporting this problem with a reproducer and a detailed analysis.
+CVE-2020-11100 was assigned to this issue.
+
+(cherry picked from commit 5dfc5d5cd0d2128d77253ead3acf03a421ab5b88)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ src/hpack-tbl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/hpack-tbl.c b/src/hpack-tbl.c
+index 70d7f35..727ff7a 100644
+--- a/src/hpack-tbl.c
++++ b/src/hpack-tbl.c
+@@ -346,9 +346,9 @@ int hpack_dht_insert(struct hpack_dht *dht, struct ist name, struct ist value)
+ * room left in the tail to suit the protocol, but tests show that in
+ * practice it almost never happens in other situations so the extra
+ * test is useless and we simply fill the headroom as long as it's
+- * available.
++ * available and we don't wrap.
+ */
+- if (headroom >= name.len + value.len) {
++ if (prev == dht->front && headroom >= name.len + value.len) {
+ /* install upfront and update ->front */
+ dht->dte[head].addr = dht->dte[dht->front].addr - (name.len + value.len);
+ dht->front = head;
+--
+1.7.10.4
+
+
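Review bot: the new test `prev == dht->front` in hpack_dht_insert() relies on `prev`, which is assigned outside the context lines this hunk shows, so check against the haproxy-1.8.23 source that the backport applies there without offset and that `prev` is set before this branch is reached. The size comparison kept on the same line still passes for an empty name and empty value (a total of zero bytes), which leaves the added condition as the only guard against taking the headroom path after wrapping; stating in the commit message how the fix was verified on 1.8.23 would help the next reviewer.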