
Bug#792369: jessie-pu: package haproxy/1.5.8-3+deb8u2



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hey!

We would like to propose a stable upload for HAProxy. There is already
a security upload (1.5.8-3+deb8u1) which should hit the next stable
release. On top of that, we would like to fix an important regression
when upgrading from 1.4.

When a proxy is marked as disabled, the config parser will
segfault. This was not the case with the same configuration with
1.4. This is bug #792116. Upstream marked the severity as medium
because there was a workaround (commenting the proxy instead of
disabling it). However, the workaround may be impractical (disabled
proxies are kept in the configuration to be able to enable them at
runtime) and people may just not know about it.

The fix is quite small. I have appended another fix which is just
needed for the patch to apply cleanly. If needed, I can just modify
the patch to not need the additional fix.

Debdiff against 1.5.8-3+deb8u1 is attached.

- -- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index 74a07ea3c9ac..5b61f80f2146 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+haproxy (1.5.8-3+deb8u2) jessie; urgency=medium
+
+  * Fix a segfault when parsing a configuration file containing disabled
+    proxy sections. Closes: #792116.
+      - BUG/MINOR: config: fix typo in condition when propagating
+                   process binding
+      - BUG/MEDIUM: config: do not propagate processes between
+                    stopped processes
+
+ -- Vincent Bernat <bernat@debian.org>  Tue, 14 Jul 2015 10:32:26 +0200
+
 haproxy (1.5.8-3+deb8u1) jessie-security; urgency=high
 
   * Fix an information leak. CVE-2015-3281.
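
Review bot: the new 1.5.8-3+deb8u2 entry lists the BUG/MINOR typo fix
and the BUG/MEDIUM fix as equal sub-items of the segfault fix, but the
BUG/MINOR commit message itself says the typo "had no nasty side
effect". Suggest marking the BUG/MINOR line as a prerequisite that is
only carried so the BUG/MEDIUM patch applies, so that a release-team
reader can tell which change actually closes #792116.
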
diff --git a/debian/patches/from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch b/debian/patches/from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
new file mode 100644
index 000000000000..da4c2e1982a4
--- /dev/null
+++ b/debian/patches/from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
@@ -0,0 +1,34 @@
+From ed061c0590109dde6cd77cd963bebc46ba0cd0cc Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 18 Dec 2014 14:00:43 +0100
+Subject: [PATCH] BUG/MEDIUM: config: do not propagate processes between
+ stopped processes
+
+Immo Goltz reported a case of segfault while parsing the config where
+we try to propagate processes across stopped frontends (those with a
+"disabled" statement). The fix is trivial. The workaround consists in
+commenting out these frontends, although not always easy.
+
+This fix must be backported to 1.5.
+(cherry picked from commit f6b70013389cf9378c6a4d55d3d570de4f95c33c)
+---
+ src/cfgparse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cfgparse.c b/src/cfgparse.c
+index f5eed03cce91..2a27d8b0a0f9 100644
+--- a/src/cfgparse.c
++++ b/src/cfgparse.c
+@@ -6009,6 +6009,9 @@ void propagate_processes(struct proxy *from, struct proxy *to)
+ 	if (!(from->cap & PR_CAP_FE))
+ 		return;
+ 
++	if (from->state == PR_STSTOPPED)
++		return;
++
+ 	/* default_backend */
+ 	if (from->defbe.be)
+ 		propagate_processes(from, from->defbe.be);
+-- 
+2.1.4
+
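
Review bot: the embedded hunk header here is "@@ -6009,6 +6009,9 @@"
while the companion BUG/MINOR patch touches the same condition in
propagate_processes() at "@@ -6102,7 +6102,7 @@", so the two cannot
both match the jessie source line-for-line and at least one will apply
with an offset of roughly 90 lines. Since the stated goal is a clean
apply, suggest running quilt refresh on both patches against the 1.5.8
tree. Separately, the added "from->state == PR_STSTOPPED" return has no
comment saying why a stopped proxy must not be walked; a one-line
comment above it would help the next backporter.
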
diff --git a/debian/patches/from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch b/debian/patches/from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch
new file mode 100644
index 000000000000..3636696d0278
--- /dev/null
+++ b/debian/patches/from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch
@@ -0,0 +1,38 @@
+From 8a95d8cd61c8ec61b9e1c9c9e571405878a40624 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 18 Dec 2014 13:56:26 +0100
+Subject: [PATCH] BUG/MINOR: config: fix typo in condition when propagating
+ process binding
+
+propagate_processes() has a typo in a condition :
+
+	if (!from->cap & PR_CAP_FE)
+		return;
+
+The return is never taken because each proxy has at least one capability
+so !from->cap always evaluates to zero. Most of the time the caller already
+checks that <from> is a frontend. In the cases where it's not tested
+(use_backend, reqsetbe), the rules have been checked for the context to
+be a frontend as well, so in the end it had no nasty side effect.
+
+This should be backported to 1.5.
+---
+ src/cfgparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cfgparse.c b/src/cfgparse.c
+index 3e345e48c0e0..d91d010f83f1 100644
+--- a/src/cfgparse.c
++++ b/src/cfgparse.c
+@@ -6102,7 +6102,7 @@ void propagate_processes(struct proxy *from, struct proxy *to)
+ 		from = to;
+ 	}
+ 
+-	if (!from->cap & PR_CAP_FE)
++	if (!(from->cap & PR_CAP_FE))
+ 		return;
+ 
+ 	/* default_backend */
+-- 
+2.1.4
+
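
Review bot: the header of this patch carries no upstream commit
reference, unlike the BUG/MEDIUM patch, which records "(cherry picked
from commit f6b70013389cf9378c6a4d55d3d570de4f95c33c)". Suggest adding
the corresponding upstream commit id (or an Origin: field) after "This
should be backported to 1.5." so the backport can be traced. The
one-character change at the "-6102,7" hunk itself matches the commit
message: "!from->cap & PR_CAP_FE" parses as "(!from->cap) & PR_CAP_FE".
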
diff --git a/debian/patches/series b/debian/patches/series
index 32218471e68b..620a21d401ac 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,5 @@ from-upstream/0007-BUG-MAJOR-sessions-unlink-session-from-list-on-out-o.patch
 from-upstream/0008-BUG-MEDIUM-patterns-previous-fix-was-incomplete.patch
 from-upstream/0009-BUG-MEDIUM-payload-ensure-that-a-request-channel-is-.patch
 from-upstream/0001-BUG-MAJOR-buffers-make-the-buffer_slow_realign-funct.patch
+from-upstream/0001-BUG-MINOR-config-fix-typo-in-condition-when-propagat.patch
+from-upstream/0001-BUG-MEDIUM-config-do-not-propagate-processes-between.patch
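
Review bot: the order of the two added series entries is load-bearing
and nothing in the file says so. The BUG/MEDIUM patch uses the already
corrected line "if (!(from->cap & PR_CAP_FE))" as context, so it only
applies after the BUG/MINOR patch. Suggest a "#" comment above the two
entries stating that dependency, so a later reorder or drop of the
BUG/MINOR entry does not silently break the build.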
