Version in base suite: 2.2.9-2+deb11u2 Base version: haproxy_2.2.9-2+deb11u2 Target version: haproxy_2.2.9-2+deb11u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/haproxy/haproxy_2.2.9-2+deb11u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/haproxy/haproxy_2.2.9-2+deb11u3.dsc changelog | 8 + patches/0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch | 53 ++++++++++ patches/series | 2 3 files changed, 63 insertions(+) diff -Nru haproxy-2.2.9/debian/changelog haproxy-2.2.9/debian/changelog --- haproxy-2.2.9/debian/changelog 2021-09-05 08:48:54.000000000 +0000 +++ haproxy-2.2.9/debian/changelog 2022-03-10 20:01:08.000000000 +0000 @@ -1,3 +1,11 @@ +haproxy (2.2.9-2+deb11u3) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * BUG/MAJOR: http/htx: prevent unbounded loop in + http_manage_server_side_cookies (CVE-2022-0711) + + -- Salvatore Bonaccorso Thu, 10 Mar 2022 21:01:08 +0100 + haproxy (2.2.9-2+deb11u2) bullseye-security; urgency=high * d/patches: fix missing header name length check in HTX (CVE-2021-40346). diff -Nru haproxy-2.2.9/debian/patches/0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch haproxy-2.2.9/debian/patches/0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch --- haproxy-2.2.9/debian/patches/0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch 1970-01-01 00:00:00.000000000 +0000 +++ haproxy-2.2.9/debian/patches/0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch 2022-03-10 19:58:36.000000000 +0000 
@@ -0,0 +1,53 @@ +From: Andrew McDermott +Date: Fri, 11 Feb 2022 18:26:49 +0000 +Subject: BUG/MAJOR: http/htx: prevent unbounded loop in + http_manage_server_side_cookies +Origin: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=eb1bdcb7cf6e7bd1690f7dcc6d97de3d79b54cdc +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-0711 + +Ensure calls to http_find_header() terminate. If a "Set-Cookie2" +header is found then the while(1) loop in +http_manage_server_side_cookies() will never terminate, resulting in +the watchdog firing and the process terminating via SIGABRT. + +The while(1) loop becomes unbounded because an unmatched call to +http_find_header("Set-Cookie") will leave ctx->blk=NULL. Subsequent +calls to check for "Set-Cookie2" will now enumerate from the beginning +of all the blocks and will once again match on subsequent +passes (assuming a match first time around), hence the loop becoming +unbounded. + +This issue was introduced with HTX and this fix should be backported +to all versions supporting HTX. + +Many thanks to Grant Spence (gspence@redhat.com) for working through +this issue with me. 
+ +(cherry picked from commit bfb15ab34ead85f64cd6da0e9fb418c9cd14cee8) +Signed-off-by: Willy Tarreau +(cherry picked from commit d8ce72f63e115fa0952e6a58e81c3d15dfc0a509) +Signed-off-by: Willy Tarreau +(cherry picked from commit 86032c309b1f42177826deaa39f7c26903a074ca) +Signed-off-by: Christopher Faulet +(cherry picked from commit 3cd203d61609fd427234fdb4f793193980860348) +Signed-off-by: Christopher Faulet +--- + src/http_ana.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/http_ana.c b/src/http_ana.c +index be8665d0a7ab..21b583c91103 100644 +--- a/src/http_ana.c ++++ b/src/http_ana.c +@@ -3546,7 +3546,7 @@ static void http_manage_server_side_cookies(struct stream *s, struct channel *re + while (1) { + int is_first = 1; + +- if (!http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) { ++ if (is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)) { + if (!http_find_header(htx, ist("Set-Cookie2"), &ctx, 1)) + break; + is_cookie2 = 1; +-- +2.35.1 + diff -Nru haproxy-2.2.9/debian/patches/series haproxy-2.2.9/debian/patches/series --- haproxy-2.2.9/debian/patches/series 2021-09-05 08:48:54.000000000 +0000 +++ haproxy-2.2.9/debian/patches/series 2022-03-10 19:59:11.000000000 +0000 @@ -11,5 +11,7 @@ 0001-BUG-MEDIUM-h2-match-absolute-path-not-path-absolute-.patch 0001-2.0-2.3-BUG-MAJOR-htx-fix-missing-header-name-length-check-i.patch +0001-BUG-MAJOR-http-htx-prevent-unbounded-loop-in-http_ma.patch + # applied during the build process: # debianize-dconv.patch
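Review bot: The changelog trailer `-- Salvatore Bonaccorso Thu, 10 Mar 2022 21:01:08 +0100` as rendered here carries no e-mail address between the maintainer name and the date; dpkg-parsechangelog expects `name <email>  date` (two spaces before the date) and rejects a trailer without the address, so confirm the uploaded changelog has it and that only this rendering dropped the angle-bracketed part. The same applies to the `From:` and `Signed-off-by:` lines in the patch header, which also show names only.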
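Review bot: The one-line guard `is_cookie2 || !http_find_header(htx, ist("Set-Cookie"), &ctx, 1)` only works if `is_cookie2` is declared outside the `while (1)` loop and starts at 0, and its declaration is not in the hunk context (only `int is_first = 1;` is visible, and that one is loop-local); please confirm in the backported `http_ana.c` that `is_cookie2` is not loop-local, because a per-iteration reset would reproduce the restart-from-the-first-block behaviour the commit message describes. With the guard in place the Set-Cookie search is skipped once a Set-Cookie2 header has matched, so `ctx->blk` keeps pointing at the last matched Set-Cookie2 block and the second `http_find_header()` resumes from there instead of from the beginning, which is what makes the loop terminate. The change ships with no regression test (diffstat: one file, one line); a reg-test with a backend response carrying a `Set-Cookie2:` header would pin the fix down cheaply, and `Set-Cookie2` is obscure enough that nothing else in the suite is likely to exercise it.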
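Review bot: Placement in `series` is right: the new patch sits before the `# applied during the build process:` comment, so quilt applies it with the other source patches at unpack time, and after the CVE-2021-40346 patch that precedes it. The `0001-` prefix now appears three times in the list; that is just what `git format-patch` emits for a single commit and quilt orders by position in `series`, not by name, so it is harmless, but renumbering would make the file easier to scan.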
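The commit message explains the bug in terms of `http_find_header()` leaving `ctx->blk = NULL` on a miss, so that the Set-Cookie2 search restarts from the first block every time. The following is an added example, not haproxy source and not part of the Debian upload: a small model of that cursor behaviour with the pre-fix and post-fix loop shapes side by side. The header array, cursor-as-index, `LOOP_CAP` stand-in for the watchdog and the two sample responses are all constructed for the illustration and are assumptions of mine, not taken from the page.

```c
/*
 * Added example, not haproxy source. Models the cursor semantics the commit
 * message describes: a miss in find_header() resets the cursor (ctx->blk =
 * NULL in haproxy), so a Set-Cookie2 search after a Set-Cookie miss restarts
 * from block 0. Assumptions (mine): flat header array, cursor is an index,
 * LOOP_CAP stands in for the watchdog. Sample responses are constructed.
 */
#include <ctype.h>
#include <stdio.h>

#define NO_BLK   (-1)    /* models ctx->blk == NULL */
#define LOOP_CAP 1000    /* where haproxy's watchdog would fire instead */

struct hdr { const char *name; const char *value; };
struct hdr_ctx { int blk; };   /* models the blk field of http_hdr_ctx */

/* Constructed response with one Set-Cookie and one Set-Cookie2 (the trigger). */
const struct hdr resp_mixed[] = {
    { "Content-Type",   "text/html" },
    { "Set-Cookie",     "SESSID=abc; Path=/" },
    { "Set-Cookie2",    "legacy=1; Version=1" },
    { "Content-Length", "0" },
};
const int resp_mixed_n = (int)(sizeof(resp_mixed) / sizeof(resp_mixed[0]));

/* Constructed response with Set-Cookie only: unaffected before and after. */
const struct hdr resp_plain[] = {
    { "Content-Type", "text/html" },
    { "Set-Cookie",   "SESSID=abc; Path=/" },
};
const int resp_plain_n = (int)(sizeof(resp_plain) / sizeof(resp_plain[0]));

/* Case-insensitive compare, as HTTP field names require. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Model of http_find_header(htx, ist(name), &ctx, 1): resume after the block
 * the cursor points at, or from block 0 when unset; a miss resets the cursor. */
static int find_header(const struct hdr *h, int n, const char *name, struct hdr_ctx *ctx)
{
    int i = (ctx->blk == NO_BLK) ? 0 : ctx->blk + 1;
    for (; i < n; i++) {
        if (name_eq(h[i].name, name)) {
            ctx->blk = i;
            return 1;
        }
    }
    ctx->blk = NO_BLK;
    return 0;
}

/* Pre-fix loop shape. Returns cookie headers visited, or -1 on a runaway loop. */
int manage_cookies_before(const struct hdr *h, int n)
{
    struct hdr_ctx ctx = { NO_BLK };
    int is_cookie2 = 0, visited = 0, iters = 0;

    while (1) {
        if (++iters > LOOP_CAP)
            return -1;
        if (!find_header(h, n, "Set-Cookie", &ctx)) {
            /* the miss above unset ctx.blk, so this search restarts at block 0 */
            if (!find_header(h, n, "Set-Cookie2", &ctx))
                break;
            is_cookie2 = 1;
        }
        visited++;   /* haproxy parses or rewrites the matched header here */
    }
    (void)is_cookie2;
    return visited;
}

/* Post-fix loop shape: once is_cookie2 is set, the Set-Cookie search is skipped. */
int manage_cookies_after(const struct hdr *h, int n)
{
    struct hdr_ctx ctx = { NO_BLK };
    int is_cookie2 = 0, visited = 0, iters = 0;

    while (1) {
        if (++iters > LOOP_CAP)
            return -1;
        if (is_cookie2 || !find_header(h, n, "Set-Cookie", &ctx)) {
            /* ctx.blk still points at the last Set-Cookie2, so this advances */
            if (!find_header(h, n, "Set-Cookie2", &ctx))
                break;
            is_cookie2 = 1;
        }
        visited++;
    }
    return visited;
}

int main(void)
{
    printf("before: mixed=%d plain=%d\n",
           manage_cookies_before(resp_mixed, resp_mixed_n),
           manage_cookies_before(resp_plain, resp_plain_n));
    printf("after:  mixed=%d plain=%d\n",
           manage_cookies_after(resp_mixed, resp_mixed_n),
           manage_cookies_after(resp_plain, resp_plain_n));
    return 0;
}
```

On the mixed response the pre-fix loop never breaks (the model returns -1 where haproxy would abort on the watchdog), while the fixed loop visits the Set-Cookie and the Set-Cookie2 header once each and exits; a response with only Set-Cookie behaves the same before and after, matching the commit message's statement that a Set-Cookie2 match is required to trigger the bug.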