packages/haproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!175 [sync] PR-169: fix CVE-2025-32464

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
This commit is contained in:
openeuler-ci-bot 2025-04-29 08:32:40 +00:00 committed by Gitee
commit aa4e0e763a
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 73 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
backport-CVE-2025-32464.patch Normal file
View File

@ -0,0 +1,65 @@
From ed90ec01d0b2f26a07ff24cdb47b5cf9ed89b84e Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Mon, 7 Apr 2025 15:30:43 +0200
Subject: [PATCH] BUG/MEDIUM: sample: fix risk of overflow when replacing
multiple regex back-refs
Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean Labs
reported a bug in sample_conv_regsub(), which can cause replacements
of multiple back-references to overflow the temporary trash buffer.
The problem happens when doing "regsub(match,replacement,g)": we're
replacing every occurrence of "match" with "replacement" in the input
sample, which requires a length check. For this, a max is applied, so
that a replacement may not use more than the remaining length in the
buffer. However, the length check is made on the replaced pattern and
not on the temporary buffer used to carry the new string. This results
in the remaining size to be usable for each input match, which can go
beyond the temporary buffer size if more than one occurrence has to be
replaced with something that's larger than the remaining room.
The fix proposed by Aleandro and Edoardo is the correct one (check on
"trash" not "output"), and is the one implemented in this patch.
While it is very unlikely that a config will replace multiple short
patterns each with a larger one in a request, this possibility cannot
be entirely ruled out (e.g. mask a known, short IP address using
"XXX.XXX.XXX.XXX"). However when this happens, the replacement pattern
will be static, and not be user-controlled, which is why this patch is
marked as medium.
The bug was introduced in 2.2 with commit 07e1e3c93e ("MINOR: sample:
regsub now supports backreferences"), so it must be backported to all
versions.
Special thanks go to Aleandro and Edoardo for reporting this bug with
a simple reproducer and a fix.
(cherry picked from commit 3e3b9eebf871510aee36c3a3336faac2f38c9559)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
(cherry picked from commit db87c8d9fe621539531f6f915ba9e1755a2a26cb)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
(cherry picked from commit ee1a64c2a04cc2cb38efb7e44f7ea7386d627bf6)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
(cherry picked from commit 82c5355ce3a83344074e12f5e878dafae27efb96)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
Conflict: NA
Reference: https://github.com/haproxy/haproxy/commit/ed90ec01d0b2f26a07ff24cdb47b5cf9ed89b84e
---
src/sample.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sample.c b/src/sample.c
index 11c17528a9f0e..ff436f90a1747 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -2690,7 +2690,7 @@ static int sample_conv_regsub(const struct arg *arg_p, struct sample *smp, void
output->data = exp_replace(output->area, output->size, start, arg_p[1].data.str.area, pmatch);
/* replace the matching part */
- max = output->size - output->data;
+ max = trash->size - trash->data;
if (max) {
if (max > output->data)
max = output->data;

9
haproxy.spec
View File

@ -5,7 +5,7 @@
Name: haproxy Name: haproxy
Version: 2.6.6 Version: 2.6.6
Release: 15 Release: 16
Summary: The Reliable, High Performance TCP/HTTP Load Balancer Summary: The Reliable, High Performance TCP/HTTP Load Balancer
License: GPLv2+ License: GPLv2+
@ -44,6 +44,7 @@ Patch23: CVE-2024-53008.patch
Patch24: backport-BUG-MEDIUM-queues-Do-not-use-pendconn_grab_from_px.patch Patch24: backport-BUG-MEDIUM-queues-Do-not-use-pendconn_grab_from_px.patch
Patch25: backport-BUG-MEDIUM-queues-Make-sure-we-call-process_srv_queu.patch Patch25: backport-BUG-MEDIUM-queues-Make-sure-we-call-process_srv_queu.patch
Patch26: backport-BUG-MEDIUM-queue-Make-process_srv_queue-return-the-n.patch Patch26: backport-BUG-MEDIUM-queue-Make-process_srv_queue-return-the-n.patch
Patch27: backport-CVE-2025-32464.patch
BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic BuildRequires: gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
%ifarch sw_64 %ifarch sw_64
@ -148,6 +149,12 @@ exit 0
%{_mandir}/man1/* %{_mandir}/man1/*
%changelog %changelog
* Tue Apr 29 2025 xinghe <xinghe2@h-partners.com> - 2.6.6-16
- Type:cves
- CVE:CVE-2025-32464
- SUG:NA
- DESC:fix CVE-2025-32464
* Mon Mar 17 2025 yanglu <yanglu72@h-partners.com> - 2.6.6-15 * Mon Mar 17 2025 yanglu <yanglu72@h-partners.com> - 2.6.6-15
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA