packages/haproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

init package

Browse Source
This commit is contained in:
daidai_is_here 2020-02-14 10:50:02 +08:00
parent faf2edf8fe
commit f012431c42
9 changed files with 369 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
CVE-2018-20102.patch Normal file
View File

@ -0,0 +1,36 @@
From efbbdf72992cd20458259962346044cafd9331c0 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Wed, 5 Dec 2018 17:56:29 +0100
Subject: [PATCH] BUG: dns: Prevent out-of-bounds read in
dns_validate_dns_response()
We need to make sure that the record length is not making us read
past the end of the data we received.
Before this patch we could for example read the 16 bytes
corresponding to an AAAA record from the non-initialized part of
the buffer, possibly accessing anything that was left on the stack,
or even past the end of the 8193-byte buffer, depending on the
value of accepted_payload_size.
To be backported to 1.8, probably also 1.7.
---
src/dns.c | 5 +++++
1 file changed, 5 insertions(+)
Index: haproxy-1.8.13/src/dns.c
===================================================================
--- haproxy-1.8.13.orig/src/dns.c
+++ haproxy-1.8.13/src/dns.c
@@ -798,6 +798,11 @@ static int dns_validate_dns_response(uns
/* Move forward 2 bytes for data len */
reader += 2;
+ if (reader + dns_answer_record->data_len >= bufend) {
+ pool_free(dns_answer_item_pool, dns_answer_record);
+ return DNS_RESP_INVALID;
+ }
+
/* Analyzing record content */
switch (dns_answer_record->type) {
case DNS_RTYPE_A:

85
CVE-2018-20103.patch Normal file
View File

@ -0,0 +1,85 @@
From 58df5aea0a0c926b2238f65908f5e9f83d1cca25 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Wed, 5 Dec 2018 17:52:54 +0100
Subject: [PATCH] BUG: dns: Prevent stack-exhaustion via recursion loop in
dns_read_name
When a compressed pointer is encountered, dns_read_name() will call
itself with the pointed-to offset in the packet.
With a specially crafted packet, it was possible to trigger an
infinite-loop recursion by making the pointer points to itself.
While it would be possible to handle that particular case differently
by making sure that the target is different from the current offset,
it would still be possible to craft a packet with a very long chain
of valid pointers, always pointing backwards. To prevent a stack
exhaustion in that case, this patch restricts the number of recursive
calls to 100, which should be more than enough.
To be backported to 1.8, probably also 1.7.
---
src/dns.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
Index: haproxy-1.8.13/src/dns.c
===================================================================
--- haproxy-1.8.13.orig/src/dns.c
+++ haproxy-1.8.13/src/dns.c
@@ -391,7 +391,7 @@ static inline unsigned short dns_respons
*/
int dns_read_name(unsigned char *buffer, unsigned char *bufend,
unsigned char *name, char *destination, int dest_len,
- int *offset)
+ int *offset, unsigned int depth)
{
int nb_bytes = 0, n = 0;
int label_len;
@@ -405,8 +405,11 @@ int dns_read_name(unsigned char *buffer,
if ((buffer + reader[1]) > reader)
goto err;
+ if (depth++ > 100)
+ goto err;
+
n = dns_read_name(buffer, bufend, buffer + reader[1],
- dest, dest_len - nb_bytes, offset);
+ dest, dest_len - nb_bytes, offset, depth);
if (n == 0)
goto err;
@@ -692,7 +695,7 @@ static int dns_validate_dns_response(uns
* one query per response and the first one can't be compressed
* (using the 0x0c format) */
offset = 0;
- len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset);
+ len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset, 0);
if (len == 0)
return DNS_RESP_INVALID;
@@ -729,7 +732,7 @@ static int dns_validate_dns_response(uns
return (DNS_RESP_INVALID);
offset = 0;
- len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
+ len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
if (len == 0) {
pool_free(dns_answer_item_pool, dns_answer_record);
@@ -831,7 +834,7 @@ static int dns_validate_dns_response(uns
}
offset = 0;
- len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
+ len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
if (len == 0) {
pool_free(dns_answer_item_pool, dns_answer_record);
return DNS_RESP_INVALID;
@@ -861,7 +864,7 @@ static int dns_validate_dns_response(uns
dns_answer_record->port = read_n16(reader);
reader += sizeof(uint16_t);
offset = 0;
- len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
+ len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
if (len == 0) {
pool_free(dns_answer_item_pool, dns_answer_record);
return DNS_RESP_INVALID;

44
CVE-2018-20615-BUG-CRITICAL-mux-h2-re-check-the-frame-length-when-P.patch Normal file
View File

@ -0,0 +1,44 @@
From a01f45e3ced23c799f6e78b5efdbd32198a75354 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Mon, 31 Dec 2018 07:41:24 +0100
Subject: [PATCH] BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY
is used
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder
when the PRIORITY flag is present. A check is missing to ensure the 5
extra bytes needed with this flag are actually part of the frame. As per
RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.
Many thanks to Tim for responsibly reporting this issue with a working
config and reproducer. This issue was assigned CVE-2018-20615.
This fix must be backported to 1.9 and 1.8.
Signed-off-by: gaoyi <gaoyi15@huawei.com>
---
src/mux_h2.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/mux_h2.c b/src/mux_h2.c
index dc67bc67..20ff9882 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -3316,6 +3316,11 @@ next_frame:
goto fail;
}
+ if (flen < 5) {
+ h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
+ goto fail;
+ }
+
hdrs += 5; // stream dep = 4, weight = 1
flen -= 5;
}
--
2.19.1

BIN
haproxy-1.8.14.tar.gz Normal file
View File

Binary file not shown.

42
haproxy.cfg Normal file
View File

@ -0,0 +1,42 @@
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
daemon
maxconn 4000
defaults
mode http
log global
option httplog
option dontlognull
retries 3
timeout http-request 5s
timeout queue 1m
timeout connect 5s
timeout client 1m
timeout server 1m
timeout http-keep-alive 5s
timeout check 5s
maxconn 3000
frontend main
bind *:80
default_backend http_back
backend http_back
balance roundrobin
server node1 127.0.0.1:5001 check
server node2 127.0.0.1:5002 check
server node3 127.0.0.1:5003 check
server node4 127.0.0.1:5004 check

13
haproxy.logrotate Normal file
View File

@ -0,0 +1,13 @@
/var/log/haproxy.log {
compress
daily
dateext
rotate 31
missingok
notifempty
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

16
haproxy.service Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=HAProxy Load Balancer
After=network.target
[Service]
Environment="HAPROXY_CONF=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
ExecStartPre=/usr/sbin/haproxy -f $HAPROXY_CONF -c -q
# -W: master-worker mode
ExecStart=/usr/sbin/haproxy -Ws -f $HAPROXY_CONF -p $PIDFILE
ExecReload=/usr/sbin/haproxy -f $HAPROXY_CONF -c -q
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Type=notify
[Install]
WantedBy=multi-user.target

129
haproxy.spec Normal file
View File

@ -0,0 +1,129 @@
%define haproxy_user haproxy
%define haproxy_group haproxy
%global _hardened_build 1
Name: haproxy
Version: 1.8.14
Release: 4
Summary: The Reliable, High Performance TCP/HTTP Load Balancer
License: GPLv2+
URL: http://www.haproxy.org/
Source0: http://www.haproxy.org/download/1.8/src/haproxy-%{version}.tar.gz
Source1: %{name}.service
Source2: %{name}.cfg
Source3: %{name}.logrotate
Source4: %{name}.sysconfig
Patch6000: CVE-2018-20615-BUG-CRITICAL-mux-h2-re-check-the-frame-length-when-P.patch
Patch6001: CVE-2018-20103.patch
Patch6002: CVE-2018-20102.patch
BuildRequires: gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units
Requires(pre): shadow-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%package_help
%description
HAProxy is a free, very fast and reliable solution offering high availability, load balancing,
and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic
web sites and powers quite a number of the world's most visited ones.
%prep
%autosetup -n %{name}-%{version} -p1
%build
use_regparm_opt=
%ifarch %ix86 x86_64
use_regparm_opt="USE_REGPARM=1"
%endif
%make_build CPU="generic" TARGET="linux2628" USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1 \
USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 ${use_regparm_opt} \
ADDINC="%{optflags}" ADDLIB="%{__global_ldflags}"
pushd contrib/halog
%make_build ${halog} OPTIMIZE="%{optflags} %{build_ldflags}"
popd
pushd contrib/iprange
%make_build iprange OPTIMIZE="%{optflags} %{build_ldflags}"
popd
%install
install -d %{buildroot}%{_sbindir}
install haproxy %{buildroot}%{_sbindir}
install -d %{buildroot}%{_mandir}/man1
install -m 644 doc/haproxy.1 %{buildroot}%{_mandir}/man1
pushd %{buildroot}
install -p -D -m 0644 %{SOURCE1} .%{_unitdir}/%{name}.service
install -p -D -m 0644 %{SOURCE2} .%{_sysconfdir}/haproxy/%{name}.cfg
install -p -D -m 0644 %{SOURCE3} .%{_sysconfdir}/logrotate.d/%{name}
install -p -D -m 0644 %{SOURCE4} .%{_sysconfdir}/sysconfig/%{name}
install -d -m 0755 .%{_bindir}
install -d -m 0755 .%{_localstatedir}/lib/haproxy
install -d -m 0755 .%{_datadir}/haproxy
popd
install -p -m 0755 ./contrib/halog/halog %{buildroot}%{_bindir}/halog
install -p -m 0755 ./contrib/iprange/iprange %{buildroot}%{_bindir}/iprange
install -p -m 0644 ./examples/errorfiles/* %{buildroot}%{_datadir}/haproxy
for httpfile in $(find ./examples/errorfiles/ -type f)
do
install -p -m 0644 $httpfile %{buildroot}%{_datadir}/haproxy
done
%{__rm} -rf ./examples/errorfiles/
find ./examples/* -type f ! -name "*.cfg" -exec %{__rm} -f "{}" \;
textfiles=$(find ./ -type f -name '*.txt')
for textfile in ${textfiles}
do
%{__mv} ${textfile} ${textfile}.old
iconv --from-code ISO8859-1 --to-code UTF-8 --output ${textfile} ${textfile}.old
%{__rm} -f ${textfile}.old
done
%pre
getent group %{haproxy_group} >/dev/null || groupadd -r %{haproxy_group}
getent passwd %{haproxy_user} >/dev/null || useradd -r -g %{haproxy_user} -d \
%{_localstatedir}/lib/haproxy -s /sbin/nologin -c "haproxy" %{haproxy_user}
exit 0
%post
%systemd_post %{name}.service
%preun
%systemd_preun %{name}.service
%postun
%systemd_postun_with_restart %{name}.service
%files
%defattr(-,root,root)
%license LICENSE
%dir %{_sysconfdir}/haproxy
%config(noreplace) %{_sysconfdir}/haproxy/%{name}.cfg
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_bindir}/halog
%{_bindir}/iprange
%{_sbindir}/%{name}
%{_unitdir}/%{name}.service
%dir %{_localstatedir}/lib/haproxy
%dir %{_datadir}/haproxy
%{_datadir}/haproxy/*
%files help
%defattr(-,root,root)
%doc doc/* examples/* CHANGELOG README ROADMAP VERSION
%{_mandir}/man1/*
%changelog
* Wed Dec 4 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.14-4
- Package init

4
haproxy.sysconfig Normal file
View File

@ -0,0 +1,4 @@
# Add extra options to the haproxy daemon here. This can be useful for
# specifying multiple configuration files with multiple -f options.
# See haproxy(1) for a complete list of options.
OPTIONS=""