upgrade 2.2.16 to fix CVE-2021-39240

(cherry picked from commit 9f52a65b134699dc7a2351ee0cc064ab85216ce4)
2021-08-30 20:59:40 +08:00 · 2021-08-30 20:59:40 +08:00 · f45c8a290d
commit f45c8a290d
parent a6c9427f4c
6 changed files with 6 additions and 207 deletions
--- a/CVE-2021-39241-pre.patch
+++ b/CVE-2021-39241-pre.patch
@ -1,25 +0,0 @@
 From 038af20a857ab1f656d5f949c2c5e00d55005c73 Mon Sep 17 00:00:00 2001
 From: Amaury Denoyelle <adenoyelle@haproxy.com>
 Date: Fri, 11 Dec 2020 17:53:09 +0100
 Subject: [PATCH 1/1] MEDIUM:h2: parse Extended CONNECT request to htx
 ---
 src/h2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/h2.c b/src/h2.c
 index 656fed4..3f739e7 100644
 --- a/src/h2.c
 +++ b/src/h2.c
@@ -173,7 +173,7 @@ int h2_parse_cont_len_header(unsigned int *msgf, struct ist *value, unsigned lon
  */
 static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr, struct htx *htx, unsigned int *msgf)
 {
 -	struct ist uri;
 +	struct ist uri,meth_sl;
 	unsigned int flags = HTX_SL_F_NONE;
 	struct htx_sl *sl;
 	size_t i;
 -- 
 2.23.0
--- a/CVE-2021-39241.patch
+++ b/CVE-2021-39241.patch
@ -1,79 +0,0 @@
 From 89265224d314a056d77d974284802c1b8a0dc97f Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Wed, 11 Aug 2021 11:12:46 +0200
 Subject: [PATCH] BUG/MAJOR: h2: enforce stricter syntax checks on the :method
 pseudo-header
 MIME-Version: 1.0
 Content-Type: text/plain; charset=utf8
 Content-Transfer-Encoding: 8bit
 Before HTX was introduced, all the HTTP request elements passed in
 pseudo-headers fields were used to build an HTTP/1 request whose syntax
 was then scrutinized by the HTTP/1 parser, leaving no room to inject
 invalid characters.
 While NUL, CR and LF are properly blocked, it is possible to inject
 spaces in the method so that once translated to HTTP/1, fields are
 shifted by one spcae, and a lenient HTTP/1 server could possibly be
 fooled into using a part of the method as the URI. For example, the
 following request:
   H2 request
     :method: "GET /admin? HTTP/1.1"
     :path:   "/static/images"
 would become:
   GET /admin? HTTP/1.1 /static/images HTTP/1.1
 It's important to note that the resulting request is *not* valid, and
 that in order for this to be a problem, it requires that this request
 is delivered to an already vulnerable HTTP/1 server.
 A workaround here is to reject malformed methods by placing this rule
 in the frontend or backend, at least before leaving haproxy in H1:
   http-request reject if { method -m reg [^A-Z0-9] }
 Alternately H2 may be globally disabled by commenting out the "alpn"
 directive on "bind" lines, and by rejecting H2 streams creation by
 adding the following statement to the global section:
   tune.h2.max-concurrent-streams 0
 This patch adds a check for each character of the method to make sure
 they belong to the ones permitted in a token, as mentioned in RFC7231#4.1.
 This should be backported to versions 2.0 and above. For older versions
 not having HTX_FL_PARSING_ERROR, a "goto fail" works as well as it
 results in a protocol error at the stream level. Non-HTX versions are
 safe because the resulting invalid request will be rejected by the
 internal HTTP/1 parser.
 Thanks to Tim DÃ¼sterhus for reporting that one.
 ---
 src/h2.c |    8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/src/h2.c b/src/h2.c
 index b31ff93..280bbd7 100644
 --- a/src/h2.c
 +++ b/src/h2.c
@@ -328,6 +328,14 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr,
 			flags |= HTX_SL_F_HAS_AUTHORITY;
 	}
 +	/* The method is a non-empty token (RFC7231#4.1) */
 +	if (!meth_sl.len)
 +		goto fail;
 +	for (i = 0; i < meth_sl.len; i++) {
 +		if (!HTTP_IS_TOKEN(meth_sl.ptr[i]))
 +			htx->flags |= HTX_FL_PARSING_ERROR;
 +	}
 +
 	/* make sure the final URI isn't empty. Note that 7540#8.1.2.3 states
 	 * that :path must not be empty.
 	 */
 -- 
 1.7.10.4
--- a/CVE-2021-39242.patch
+++ b/CVE-2021-39242.patch
@ -1,97 +0,0 @@
 From b5d2b9e154d78e4075db163826c5e0f6d31b2ab1 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Wed, 11 Aug 2021 15:39:13 +0200
 Subject: [PATCH] BUG/MEDIUM: h2: give :authority precedence over Host
 MIME-Version: 1.0
 Content-Type: text/plain; charset=utf8
 Content-Transfer-Encoding: 8bit
 The wording regarding Host vs :authority in RFC7540 is ambiguous as it
 says that an intermediary must produce a host header from :authority if
 Host is missing, but, contrary to HTTP/1.1, doesn't say anything regarding
 the possibility that Host and :authority differ, which leaves Host with
 higher precedence there. In addition it mentions that clients should use
 :authority *instead* of Host, and that H1->H2 should use :authority only
 if the original request was in authority form. This leaves some gray
 area in the middle of the chain for fully valid H2 requests arboring a
 Host header that are forwarded to the other side where it's possible to
 drop the Host header and use the authority only after forwarding to a
 second H2 layer, thus possibly seeing two different values of Host at
 a different stage. There's no such issue when forwarding from H2 to H1
 as the authority is dropped only only the Host is kept.
 Note that the following request is sufficient to re-normalize such a
 request:
   http-request set-header host %[req.hdr(host)]
 The new spec in progress (draft-ietf-httpbis-http2bis-03) addresses
 this trouble by being a bit is stricter on these rules. It clarifies
 that :authority must always be used instead of Host and that Host ought
 to be ignored. This is much saner as it avoids to convey two distinct
 values along the chain. This becomes the protocol-level equivalent of:
   http-request set-uri %[url]
 So this patch does exactly this, which we were initially a bit reluctant
 to do initially by lack of visibility about other implementations'
 expectations. In addition it slightly simplifies the Host header field
 creation by always placing it first in the list of headers instead of
 last; this could also speed up the look up a little bit.
 This needs to be backported to 2.0. Non-HTX versions are safe regarding
 this because they drop the URI during the conversion to HTTP/1.1 so
 only Host is used and transmitted.
 Thanks to Tim DÃ¼sterhus for reporting that one.
 ---
 src/h2.c |   23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
 diff --git a/src/h2.c b/src/h2.c
 index 280bbd7..bbc5853 100644
 --- a/src/h2.c
 +++ b/src/h2.c
@@ -456,10 +456,27 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
 			if (!sl)
 				goto fail;
 			fields |= H2_PHDR_FND_NONE;
 +
 +			/* http2bis draft recommends to drop Host in favor of :authority when
 +			 * the latter is present. This is required to make sure there is no
 +			 * discrepancy between the authority and the host header, especially
 +			 * since routing rules usually involve Host. Here we already know if
 +			 * :authority was found so we can emit it right now and mark the host
 +			 * as filled so that it's skipped later.
 +			 */
 +			if (fields & H2_PHDR_FND_AUTH) {
 +				if (!htx_add_header(htx, ist("host"), phdr_val[H2_PHDR_IDX_AUTH]))
 +					goto fail;
 +				fields |= H2_PHDR_FND_HOST;
 +			}
 		}
 -		if (isteq(list[idx].n, ist("host")))
 +		if (isteq(list[idx].n, ist("host"))) {
 +			if (fields & H2_PHDR_FND_HOST)
 +				continue;
 +
 			fields |= H2_PHDR_FND_HOST;
 +		}
 		if (isteq(list[idx].n, ist("content-length"))) {
 			ret = h2_parse_cont_len_header(msgf, &list[idx].v, body_len);
@@ -531,7 +548,9 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
 	/* update the start line with last detected header info */
 	sl->flags |= sl_flags;
 -	/* complete with missing Host if needed */
 +	/* complete with missing Host if needed (we may validate this test if
 +	 * no regular header was found).
 +	 */
 	if ((fields & (H2_PHDR_FND_HOST|H2_PHDR_FND_AUTH)) == H2_PHDR_FND_AUTH) {
 		/* missing Host field, use :authority instead */
 		if (!htx_add_header(htx, ist("host"), phdr_val[H2_PHDR_IDX_AUTH]))
 -- 
 1.7.10.4
--- a/haproxy-2.2.1.tar.gz
+++ b/haproxy-2.2.1.tar.gz
--- a/haproxy-2.2.16.tar.gz
+++ b/haproxy-2.2.16.tar.gz
--- a/haproxy.spec
+++ b/haproxy.spec
@ -4,20 +4,17 @@
 %global _hardened_build   1
 Name:             haproxy
-Version:          2.2.1
+Version:          2.2.16
-Release:          2
+Release:          1
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 License:          GPLv2+
 URL:              https://www.haproxy.org/
-Source0:          https://www.haproxy.org/download/2.0/src/%{name}-%{version}.tar.gz
+Source0:          https://www.haproxy.org/download/2.2/src/%{name}-%{version}.tar.gz
 Source1:          %{name}.service
 Source2:          %{name}.cfg
 Source3:          %{name}.logrotate
 Source4:          %{name}.sysconfig
 Patch001:         CVE-2021-39241-pre.patch
 Patch002:         CVE-2021-39241.patch
 Patch003:         CVE-2021-39242.patch
 BuildRequires:    gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic
 Requires(pre):    shadow-utils
@ -123,6 +120,9 @@ exit 0
 %{_mandir}/man1/*
 %changelog
 * Mon Aug 30 yaoxin <yaoxin30@huawei.com> - 2.2.16-1
 - Upgrade 2.2.16 to fix CVE-2021-39240
 * Thu Aug 26 liwu <liwu13@huawei.com> - 2.2.1-2
 - fix CVE-2021-39241,CVE-2021-39242