
Bug#949826: buster-pu: package haproxy/1.8.19-1



 ❦ 26 January 2020 05:50 +01, Moritz Mühlenhoff <jmm@inutil.org>:

>> The logrotate configuration file for HAProxy doesn't signal rsyslog
>> correctly. Therefore, logs are not really rotated and on a moderately
>> busy site, this can fill up a log partition. When running with
>> systemd, rsyslog doesn't write a PID file and therefore, the SysV
>> init script invoked to rotate logs does not work. Instead, the rsyslog
>> package provides a helper for this purpose.
>> 
>> The change has been applied to 2.0.12-1 currently in unstable and
>> testing. I would like to push it for the next point release next week.
>
> If we're doing a Buster update anyway, could we also piggyback the fix
> for https://nathandavison.com/blog/haproxy-http-request-smuggling (CVE-2019-18277),
> https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
> ?

Ack! I have pulled the patch from the 1.8 branch. Here is the updated
debdiff. It compiles and simple tests pass too. I'll be checking with
upstream if they have an opinion around this.

diff --git a/debian/changelog b/debian/changelog
index 978702081baa..7139318a49cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+haproxy (1.8.19-1+deb10u1) buster; urgency=medium
+
+  * d/logrotate.conf: use rsyslog helper instead of SysV init script.
+    Closes: #946973.
+  * d/patches: reject messages where "chunked" is missing from
+    transfer-encoding. CVE-2019-18277.
+
+ -- Vincent Bernat <bernat@debian.org>  Sun, 26 Jan 2020 12:54:30 +0100
+
 haproxy (1.8.19-1) unstable; urgency=medium
 
   * New upstream version 1.8.19
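Review bot: the CVE-2019-18277 bullet in the new changelog entry gives no provenance for the fix, while the logrotate bullet cites Closes: #946973; since the patch is a cherry-pick of upstream 196a7df44d8129d1adc795da020b722614d6a581 taken from the 1.8 branch, naming that commit in the bullet (e.g. "backported from upstream 196a7df44d81") would let the security team and later maintainers verify the origin without opening the patch file.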
diff --git a/debian/logrotate.conf b/debian/logrotate.conf
index 442dc4e01e79..ad2031f198e6 100644
--- a/debian/logrotate.conf
+++ b/debian/logrotate.conf
@@ -6,6 +6,6 @@
     compress
     delaycompress
     postrotate
-        invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
+        /usr/lib/rsyslog/rsyslog-rotate
     endscript
 }
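Review bot: the replaced postrotate line tolerated failure (`>/dev/null 2>&1 || true`) whereas the new `/usr/lib/rsyslog/rsyslog-rotate` call does not, so on a host where rsyslog is absent or ships no such helper logrotate will report the haproxy postrotate script as failed on every run. That is a deliberate behaviour change worth stating in the changelog; if a silent no-op is preferred, guard it as `[ -x /usr/lib/rsyslog/rsyslog-rotate ] && /usr/lib/rsyslog/rsyslog-rotate || true`, otherwise make sure the package relationship on rsyslog guarantees the helper is present.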
diff --git a/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
new file mode 100644
index 000000000000..a623dc9f373a
--- /dev/null
+++ b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
@@ -0,0 +1,66 @@
+From 3bd4bbdb9f54c18856aeb66b4b9f4a698973d3d3 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 12 Sep 2019 14:01:40 +0200
+Subject: [PATCH] BUG/MEDIUM: http: also reject messages where "chunked" is
+ missing from transfer-enoding
+
+Nathan Davison (@ndavison) reported that in legacy mode we don't
+correctly reject requests or responses featuring a transfer-encoding
+header missing the "chunked" value. As mandated in the protocol spec,
+the test verifies that "chunked" is the last one, but only does so when
+it is present. As such, "transfer-encoding: foobar" is not rejected,
+only "transfer-encoding: chunked, foobar" will be.
+
+The impact is limited, but if combined with "http-reuse always", it
+could be used as a help to construct a content smuggling attack against
+a vulnerable component employing a lenient parser which would ignore
+the content-length header as soon as it sees a transfer-encoding one,
+without even parsing it. In this case haproxy would fail to protect it.
+
+The fix consists in completing the existing checks to verify that
+"chunked" was present if any "transfer-encoding" header was met,
+otherwise either reject the request message or make the response
+end on a close.
+
+This fix is only for 2.0 and older versions as legacy mode was
+removed from 2.1. It should be backported to all maintained versions.
+
+(cherry picked from commit 196a7df44d8129d1adc795da020b722614d6a581)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit 5513fcaa601dd344be548430fc1760dbedebf4f2)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ src/proto_http.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 411eb69899df..3c65606325e2 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -2110,6 +2110,10 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit)
+ 		}
+ 	}
+ 
++	/* "chunked" mandatory if transfer-encoding is used */
++	if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK))
++		goto return_bad_req;
++
+ 	/* Chunked requests must have their content-length removed */
+ 	ctx.idx = 0;
+ 	if (msg->flags & HTTP_MSGF_TE_CHNK) {
+@@ -5568,6 +5572,12 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
+ 		}
+ 	}
+ 
++	/* "chunked" mandatory if transfer-encoding is used */
++	if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK)) {
++		use_close_only = 1;
++		msg->flags &= ~(HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN);
++	}
++
+ 	/* Chunked responses must have their content-length removed */
+ 	ctx.idx = 0;
+ 	if (use_close_only || (msg->flags & HTTP_MSGF_TE_CHNK)) {
+-- 
+2.25.0
+
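Review bot: both new checks `if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK))` depend on `ctx.idx` still holding the index left by the preceding transfer-encoding header scan, and each is inserted just before the `ctx.idx = 0;` reset, so the ordering is right in this backport, but a one-line comment saying the check must stay above that reset would protect future cherry-picks into 1.8. Note also the asymmetry: the request side rejects via `return_bad_req`, while the response side only sets `use_close_only = 1` and clears `HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN`, so a backend answering with a transfer-encoding lacking "chunked" is still relayed, delimited by connection close; operators may notice more closed backend connections, which deserves a mention in the changelog. The embedded Subject line carries the upstream typo "transfer-enoding"; harmless here, and the Debian changelog spelling is correct.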
diff --git a/debian/patches/series b/debian/patches/series
index ac2a4c491d67..190c70349691 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
 0002-Use-dpkg-buildflags-to-build-halog.patch
 haproxy.service-start-after-syslog.patch
 haproxy.service-add-documentation.patch
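Review bot: the new entry is prepended as 0001 ahead of the existing 0002-Use-dpkg-buildflags patch, which keeps numeric order, but its name is cut off at "-chunked-i.patch" (git format-patch's subject truncation). A name carrying the CVE id, e.g. CVE-2019-18277-reject-transfer-encoding-without-chunked.patch, would make the series self-documenting and easier to grep from the security tracker.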
-- 
Use data arrays to avoid repetitive control sequences.
            - The Elements of Programming Style (Kernighan & Plauger)
