Fix CVE-2022-0711
parent
c32e7456fd
commit
42701aa8da
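--- a/CVE-2022-0711.patch
+++ b/CVE-2022-0711.patch
@@ -0,0 +1,40 @@
+From bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8 Mon Sep 17 00:00:00 2001
+From: Andrew McDermott <aim@frobware.com>
+Date: Fri, 11 Feb 2022 18:26:49 +0000
+Subject: [PATCH] BUG/MAJOR: http/htx: prevent unbounded loop in
+http_manage_server_side_cookies
+
+Ensure calls to http_find_header() terminate. If a "Set-Cookie2"
+header is found then the while(1) loop in
+http_manage_server_side_cookies() will never terminate, resulting in
+the watchdog firing and the process terminating via SIGABRT.
+
+The while(1) loop becomes unbounded because an unmatched call to
+http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent
+calls to check for "Set-Cookie2" will now enumerate from the beginning
+of all the blocks and will once again match on subsequent
+passes (assuming a match first time around), hence the loop becoming
+unbounded.
+
+This issue was introduced with HTX and this fix should be backported
+to all versions supporting HTX.
+
+Many thanks to Grant Spence (gspence@redhat.com) for working through
+this issue with me.
+---
+src/http_ana.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/http_ana.c b/src/http_ana.c
+index 715dd3a5c5..c2d9d9b439 100644
+--- a/src/http_ana.c
++++ b/src/http_ana.c
+@@ -3418,7 +3418,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re
+while (1) {
+int is_first = 1;
+
+- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
++ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) {
+if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1))
+break;
+is_cookie2 = 1;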
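Review bot: The new `is_cookie2 ||` test in the `while (1)` loop of http_manage_server_side_cookies() has no comment, yet the fix rests on a non-obvious invariant: once the flag is set, "Set-Cookie" must never be looked up again, because (per the commit message) a failed lookup leaves ctx.blk NULL and restarts the "Set-Cookie2" scan from the first block. I would add above the condition `/* Once Set-Cookie is exhausted, only continue the Set-Cookie2 scan from ctx; a failed lookup resets ctx.blk and would restart it. */`. The declaration of is_cookie2 and the rest of the loop body lie outside the hunk, so confirm it starts at 0 and is never cleared inside the loop. The patch touches only src/http_ana.c; a regression test whose server response carries a Set-Cookie2 header would keep this watchdog abort from coming back unnoticed.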
@ -5,7 +5,7 @@
|
||||
|
||||
Name: haproxy
|
||||
Version: 2.4.8
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: The Reliable, High Performance TCP/HTTP Load Balancer
|
||||
|
||||
License: GPLv2+
|
||||
@ -16,6 +16,8 @@ Source2: %{name}.cfg
|
||||
Source3: %{name}.logrotate
|
||||
Source4: %{name}.sysconfig
|
||||
|
||||
Patch0: CVE-2022-0711.patch
|
||||
|
||||
BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
|
||||
Requires(pre): shadow-utils
|
||||
%{?systemd_requires}
|
||||
@ -118,6 +120,9 @@ exit 0
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Fri Mar 11 2022 yaoxin <yaoxin30@huawei.com> - 2.4.8-2
|
||||
- Fix CVE-2022-0711
|
||||
|
||||
* Tue Dec 07 2021 yanglu <yanglu72@huawei.com> - 2.4.8-1
|
||||
- update haproxy to 2.4.8
|
||||
|
||||
|
||||
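Review bot: `Patch0: CVE-2022-0711.patch` is only declared in this section; none of the visible hunks touch %prep, so this diff does not show whether the patch is actually applied at build time. If %prep uses plain `%setup` rather than `%autosetup -p1`, it needs an explicit `%patch0 -p1`. Without it the package would ship as 2.4.8-2 with the CVE fix in the changelog but missing from the binary. Confirm from a build log, or check that the prepared source tree contains the `is_cookie2 ||` condition.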