
haproxy patch for CVE-2018-20102 and CVE-2018-20103

Change-Id: Ic106f0dd92c9aaa873072e228719cf8e360f1082
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/6900
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>

Priyesh Padmavilasom authored on 2019/03/19 08:51:20
Showing 3 changed files
@@ -1,7 +1,7 @@
1 1
 Summary:        A fast, reliable HA, load balancing, and proxy solution.
2 2
 Name:           haproxy
3 3
 Version:        1.8.14
4
-Release:        2%{?dist}
4
+Release:        3%{?dist}
5 5
 License:        GPL
6 6
 URL:            http://www.haproxy.org
7 7
 Group:          Applications/System
@@ -9,6 +9,8 @@ Vendor:         VMware, Inc.
9 9
 Distribution:   Photon
10 10
 Source0:        http://www.haproxy.org/download/1.8/src/%{name}-%{version}.tar.gz
11 11
 %define sha1 haproxy=589c6f933d73e8d6ba5307c8304cafb80e968481
12
+Patch0:         haproxy_CVE_2018_20102.patch
13
+Patch1:         haproxy_CVE_2018_20103.patch
12 14
 BuildRequires:  openssl-devel
13 15
 BuildRequires:  pcre-devel
14 16
 BuildRequires:  lua-devel
@@ -31,6 +33,8 @@ Requires:       %{name} = %{version}-%{release}
31 31
 
32 32
 %prep
33 33
 %setup -q
34
+%patch0 -p1
35
+%patch1 -p1
34 36
 
35 37
 %build
36 38
 make %{?_smp_mflags} TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 \
@@ -59,6 +63,9 @@ install -vDm644 examples/transparent_proxy.cfg  %{buildroot}/%{_sysconfdir}/hapr
59 59
 %{_mandir}/*
60 60
 
61 61
 %changelog
62
+*   Thu Feb 28 2019 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.8.14-3
63
+-   Patch for CVE_2018_20102
64
+-   Patch for CVE_2018_20103
62 65
 *   Tue Jan 29 2019 Ajay Kaher <akaher@vmware.com> 1.8.14-2
63 66
 -   Build with USE_SYSTEMD=1 to fix service startup.
64 67
 *   Tue Dec 04 2018 Ajay Kaher <akaher@vmware.com> 1.8.14-1
65 68
new file mode 100644
@@ -0,0 +1,35 @@
0
+From efbbdf72992cd20458259962346044cafd9331c0 Mon Sep 17 00:00:00 2001
1
+From: Remi Gacogne <remi.gacogne@powerdns.com>
2
+Date: Wed, 5 Dec 2018 17:56:29 +0100
3
+Subject: [PATCH] BUG: dns: Prevent out-of-bounds read in
4
+ dns_validate_dns_response()
5
+
6
+We need to make sure that the record length is not making us read
7
+past the end of the data we received.
8
+Before this patch we could for example read the 16 bytes
9
+corresponding to an AAAA record from the non-initialized part of
10
+the buffer, possibly accessing anything that was left on the stack,
11
+or even past the end of the 8193-byte buffer, depending on the
12
+value of accepted_payload_size.
13
+
14
+To be backported to 1.8, probably also 1.7.
15
+---
16
+ src/dns.c |    5 +++++
17
+ 1 file changed, 5 insertions(+)
18
+
19
+diff --git a/src/dns.c b/src/dns.c
20
+index fead261..c1396f5 100644
21
+--- a/src/dns.c
22
+@@ -810,6 +810,11 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
23
+ 		/* Move forward 2 bytes for data len */
24
+ 		reader += 2;
25
+ 
26
++		if (reader + dns_answer_record->data_len >= bufend) {
27
++			pool_free(dns_answer_item_pool, dns_answer_record);
28
++			return DNS_RESP_INVALID;
29
++		}
30
++
31
+ 		/* Analyzing record content */
32
+ 		switch (dns_answer_record->type) {
33
+ 			case DNS_RTYPE_A:
0 34
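Review bot: The embedded diff in this patch file has a `--- a/src/dns.c` header (gutter line 21) immediately followed by the `@@` hunk, with no `+++ b/src/dns.c` line in between, which suggests the file was trimmed by hand; `git apply` rejects a fragment whose `---` line is not paired with `+++`, and GNU patch's behaviour then depends on how it intuits the file name, so verify that `%patch0 -p1` really applies in the build rather than relying on the diffstat. The second patch file (`haproxy_CVE_2018_20103.patch`, gutter lines 24–25) has the same shape and should be checked the same way. In that second patch, `dns_read_name` is a non-static function whose signature gains `unsigned int depth`, yet its diffstat lists only `src/dns.c`; if a header elsewhere in the tree still declares the old six-parameter prototype, compilation fails with conflicting types, so confirm the declaration is either absent or updated. Restoring the missing header is a one-line change in each patch file: `+++ b/src/dns.c`.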
new file mode 100644
@@ -0,0 +1,84 @@
0
+From 58df5aea0a0c926b2238f65908f5e9f83d1cca25 Mon Sep 17 00:00:00 2001
1
+From: Remi Gacogne <remi.gacogne@powerdns.com>
2
+Date: Wed, 5 Dec 2018 17:52:54 +0100
3
+Subject: [PATCH] BUG: dns: Prevent stack-exhaustion via recursion loop in
4
+ dns_read_name
5
+
6
+When a compressed pointer is encountered, dns_read_name() will call
7
+itself with the pointed-to offset in the packet.
8
+With a specially crafted packet, it was possible to trigger an
9
+infinite-loop recursion by making the pointer points to itself.
10
+While it would be possible to handle that particular case differently
11
+by making sure that the target is different from the current offset,
12
+it would still be possible to craft a packet with a very long chain
13
+of valid pointers, always pointing backwards. To prevent a stack
14
+exhaustion in that case, this patch restricts the number of recursive
15
+calls to 100, which should be more than enough.
16
+
17
+To be backported to 1.8, probably also 1.7.
18
+---
19
+ src/dns.c |   15 +++++++++------
20
+ 1 file changed, 9 insertions(+), 6 deletions(-)
21
+
22
+diff --git a/src/dns.c b/src/dns.c
23
+index 2a53c03..50fc16e 100644
24
+--- a/src/dns.c
25
+@@ -394,7 +394,7 @@ static inline unsigned short dns_response_get_query_id(unsigned char *resp)
26
+  */
27
+ int dns_read_name(unsigned char *buffer, unsigned char *bufend,
28
+ 		  unsigned char *name, char *destination, int dest_len,
29
+-		  int *offset)
30
++		  int *offset, unsigned int depth)
31
+ {
32
+ 	int nb_bytes = 0, n = 0;
33
+ 	int label_len;
34
+@@ -408,8 +408,11 @@ int dns_read_name(unsigned char *buffer, unsigned char *bufend,
35
+ 			if ((buffer + reader[1]) > reader)
36
+ 				goto err;
37
+ 
38
++			if (depth++ > 100)
39
++				goto err;
40
++
41
+ 			n = dns_read_name(buffer, bufend, buffer + reader[1],
42
+-					  dest, dest_len - nb_bytes, offset);
43
++					  dest, dest_len - nb_bytes, offset, depth);
44
+ 			if (n == 0)
45
+ 				goto err;
46
+ 
47
+@@ -695,7 +698,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
48
+ 		 * one query per response and the first one can't be compressed
49
+ 		 * (using the 0x0c format) */
50
+ 		offset = 0;
51
+-		len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset);
52
++		len = dns_read_name(resp, bufend, reader, dns_query->name, DNS_MAX_NAME_SIZE, &offset, 0);
53
+ 
54
+ 		if (len == 0)
55
+ 			return DNS_RESP_INVALID;
56
+@@ -732,7 +735,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
57
+ 			return (DNS_RESP_INVALID);
58
+ 
59
+ 		offset = 0;
60
+-		len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
61
++		len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
62
+ 
63
+ 		if (len == 0) {
64
+ 			pool_free(dns_answer_item_pool, dns_answer_record);
65
+@@ -829,7 +832,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
66
+ 				}
67
+ 
68
+ 				offset = 0;
69
+-				len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
70
++				len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
71
+ 				if (len == 0) {
72
+ 					pool_free(dns_answer_item_pool, dns_answer_record);
73
+ 					return DNS_RESP_INVALID;
74
+@@ -859,7 +862,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend,
75
+ 				dns_answer_record->port = read_n16(reader);
76
+ 				reader += sizeof(uint16_t);
77
+ 				offset = 0;
78
+-				len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset);
79
++				len = dns_read_name(resp, bufend, reader, tmpname, DNS_MAX_NAME_SIZE, &offset, 0);
80
+ 				if (len == 0) {
81
+ 					pool_free(dns_answer_item_pool, dns_answer_record);
82
+ 					return DNS_RESP_INVALID;