❦  8 February 2020 08:43 +01, Salvatore Bonaccorso <carnil@debian.org>:

> This needs to be rebased to the 1.8.19-1+deb10u1 which was released as
> DSA 4577-1 AFAICT.

Oh, sorry. Here is the updated patch.
diff --git a/debian/changelog b/debian/changelog
index a3182ea0fdb9..6719f450553f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+haproxy (1.8.19-1+deb10u2) buster; urgency=medium
+
+ * d/logrotate.conf: use rsyslog helper instead of SysV init script.
+ Closes: #946973.
+ * d/patches: reject messages where "chunked" is missing from
+ transfer-encoding. CVE-2019-18277.
+
+ -- Vincent Bernat <bernat@debian.org> Sun, 26 Jan 2020 12:54:30 +0100
+
haproxy (1.8.19-1+deb10u1) buster-security; urgency=high
* Apply two patches around HTTP/2 header validation allowing an attacker
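Review bot: the timestamp on the new deb10u2 entry (Sun, 26 Jan 2020) predates the rebase onto 1.8.19-1+deb10u1 that the quoted reply of 8 February asked for; refresh it (dch -r) before upload so the entry reflects the package actually built on top of the DSA 4577-1 version. Targeting "buster" with urgency=medium rather than buster-security is consistent with the embedded upstream commit calling the impact limited, but it would help reviewers to name the upstream commit ids (196a7df4 / 5513fcaa) next to CVE-2019-18277 in the second item so the provenance is visible without opening the patch file.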
diff --git a/debian/logrotate.conf b/debian/logrotate.conf
index 442dc4e01e79..ad2031f198e6 100644
--- a/debian/logrotate.conf
+++ b/debian/logrotate.conf
@@ -6,6 +6,6 @@
compress
delaycompress
postrotate
- invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
+ /usr/lib/rsyslog/rsyslog-rotate
endscript
}
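Review bot: the new postrotate line drops both the output redirection and the `|| true` that the old `invoke-rc.d rsyslog rotate` call had, so on a host without rsyslog (journald-only, or the helper path missing) logrotate will report a failing postrotate script for haproxy at every rotation. Unless the packaging guarantees rsyslog is installed, keep a guard, e.g. `[ -x /usr/lib/rsyslog/rsyslog-rotate ] && /usr/lib/rsyslog/rsyslog-rotate || true`.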
diff --git a/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
new file mode 100644
index 000000000000..a623dc9f373a
--- /dev/null
+++ b/debian/patches/0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
@@ -0,0 +1,66 @@
+From 3bd4bbdb9f54c18856aeb66b4b9f4a698973d3d3 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Thu, 12 Sep 2019 14:01:40 +0200
+Subject: [PATCH] BUG/MEDIUM: http: also reject messages where "chunked" is
+ missing from transfer-enoding
+
+Nathan Davison (@ndavison) reported that in legacy mode we don't
+correctly reject requests or responses featuring a transfer-encoding
+header missing the "chunked" value. As mandated in the protocol spec,
+the test verifies that "chunked" is the last one, but only does so when
+it is present. As such, "transfer-encoding: foobar" is not rejected,
+only "transfer-encoding: chunked, foobar" will be.
+
+The impact is limited, but if combined with "http-reuse always", it
+could be used as a help to construct a content smuggling attack against
+a vulnerable component employing a lenient parser which would ignore
+the content-length header as soon as it sees a transfer-encoding one,
+without even parsing it. In this case haproxy would fail to protect it.
+
+The fix consists in completing the existing checks to verify that
+"chunked" was present if any "transfer-encoding" header was met,
+otherwise either reject the request message or make the response
+end on a close.
+
+This fix is only for 2.0 and older versions as legacy mode was
+removed from 2.1. It should be backported to all maintained versions.
+
+(cherry picked from commit 196a7df44d8129d1adc795da020b722614d6a581)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit 5513fcaa601dd344be548430fc1760dbedebf4f2)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ src/proto_http.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 411eb69899df..3c65606325e2 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -2110,6 +2110,10 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit)
+ }
+ }
+
++ /* "chunked" mandatory if transfer-encoding is used */
++ if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK))
++ goto return_bad_req;
++
+ /* Chunked requests must have their content-length removed */
+ ctx.idx = 0;
+ if (msg->flags & HTTP_MSGF_TE_CHNK) {
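Review bot: the new test treats a non-zero `ctx.idx` as "a Transfer-Encoding header was seen" and a clear `HTTP_MSGF_TE_CHNK` as "chunked was not the last coding", but the loop that leaves those two in that state is outside the visible context; please confirm nothing between that loop and this check touches `ctx.idx` (the only reset visible here is the `ctx.idx = 0` on the line after the check, in the Content-Length removal block), otherwise "transfer-encoding: foobar" would still slip through exactly as described in the commit message. With that confirmed, `goto return_bad_req` is the right disposition on the request side, since forwarding such a message with its Content-Length intact is what would let a lenient backend frame the body differently from the proxy.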
+@@ -5568,6 +5572,12 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
+ }
+ }
+
++ /* "chunked" mandatory if transfer-encoding is used */
++ if (ctx.idx && !(msg->flags & HTTP_MSGF_TE_CHNK)) {
++ use_close_only = 1;
++ msg->flags &= ~(HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN);
++ }
++
+ /* Chunked responses must have their content-length removed */
+ ctx.idx = 0;
+ if (use_close_only || (msg->flags & HTTP_MSGF_TE_CHNK)) {
+--
+2.25.0
+
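Review bot: the response-side branch does not reject but sets `use_close_only = 1` and clears `HTTP_MSGF_TE_CHNK | HTTP_MSGF_XFER_LEN`, and it relies on the following `if (use_close_only || (msg->flags & HTTP_MSGF_TE_CHNK))` block, visible as trailing context, to strip the Content-Length; a one-line comment there would make that dependency explicit. It is also worth stating in the comment that clearing `HTTP_MSGF_XFER_LEN` is what prevents the server connection from being reused after such a response, which is the "http-reuse always" scenario the commit message names as the way this gap becomes exploitable.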
diff --git a/debian/patches/series b/debian/patches/series
index 4b5471161f57..504fb00c3dab 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+0001-BUG-MEDIUM-http-also-reject-messages-where-chunked-i.patch
0002-Use-dpkg-buildflags-to-build-halog.patch
haproxy.service-start-after-syslog.patch
haproxy.service-add-documentation.patch
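Review bot: the new 0001 patch is placed at the head of series, and the three context lines shown do not include the two HTTP/2 header-validation patches from the deb10u1 / DSA 4577-1 upload referred to in the changelog context; since the quoted reply says the package had to be rebased onto that version, please confirm (quilt push -a, or a dpkg-source build) that the series still applies cleanly in this order and that those patches do not also modify src/proto_http.c. Reusing the free 0001 slot in front of 0002-Use-dpkg-buildflags is otherwise fine, as none of the visible entries touch the same file.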
-- 
Always do right. This will gratify some people and astonish the rest.
        -- Mark Twain
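The framing rule that the patch above enforces, modelled in Python as an added illustration (this is not haproxy code, nor part of the original mail). It compares how a request body is delimited by the legacy-mode parser before the fix (the "chunked must be last" test only runs when "chunked" is present at all), after the fix (any Transfer-Encoding without a final "chunked" is rejected for requests and forces close-delimited bodies for responses), and by the kind of lenient backend the commit message warns about, which drops Content-Length as soon as it sees any Transfer-Encoding header. The backend behaviour and the sample request are assumptions constructed for the example.

```python
from typing import List, Tuple

Header = Tuple[str, str]


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split the head of a raw HTTP/1.1 message into its start line and a list
    of lower-cased (name, value) header pairs. Deliberately minimal: no header
    folding and no validation beyond what the framing check needs."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def transfer_codings(headers: List[Header]) -> List[str]:
    """Every coding named in every Transfer-Encoding header, in wire order."""
    codings: List[str] = []
    for name, value in headers:
        if name == "transfer-encoding":
            codings.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return codings


def has_content_length(headers: List[Header]) -> bool:
    return any(name == "content-length" for name, _ in headers)


def framing_before_fix(headers: List[Header], is_request: bool) -> str:
    """Legacy-mode behaviour described in the commit message: the check that
    "chunked" is the last coding is only applied when "chunked" is present."""
    codings = transfer_codings(headers)
    if "chunked" in codings:
        if codings[-1] != "chunked":
            return "reject" if is_request else "close"
        return "chunked"
    # "transfer-encoding: foobar" is silently ignored and Content-Length wins.
    if has_content_length(headers):
        return "content-length"
    return "none" if is_request else "close"


def framing_after_fix(headers: List[Header], is_request: bool) -> str:
    """Same, plus the patched rule: any Transfer-Encoding header whose last
    coding is not "chunked" rejects a request or makes a response end on close."""
    codings = transfer_codings(headers)
    if codings and codings[-1] != "chunked":
        return "reject" if is_request else "close"
    if codings:
        return "chunked"
    if has_content_length(headers):
        return "content-length"
    return "none" if is_request else "close"


def lenient_backend_framing(headers: List[Header]) -> str:
    """Hypothetical backend (an assumption for this example): it ignores
    Content-Length as soon as any Transfer-Encoding header is present and
    reads the body as chunked, without parsing the coding list."""
    if transfer_codings(headers):
        return "chunked"
    return "content-length" if has_content_length(headers) else "none"


def desync(raw_request: bytes) -> Tuple[str, str, str]:
    """How the proxy before the fix, the proxy after the fix, and the lenient
    backend would each delimit the same request body."""
    _, headers = parse_head(raw_request)
    return (
        framing_before_fix(headers, True),
        framing_after_fix(headers, True),
        lenient_backend_framing(headers),
    )


# Constructed probe: a Transfer-Encoding header without "chunked" next to a
# Content-Length, the exact shape the commit message says was not rejected.
SMUGGLE_PROBE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: foobar\r\n"
    b"\r\n"
    b"AAAA"
)

if __name__ == "__main__":
    # Before the fix the proxy frames by Content-Length while the backend
    # frames as chunked; after the fix the request never reaches the backend.
    print(desync(SMUGGLE_PROBE))
```

The interesting value is the first tuple: a proxy that frames the body by Content-Length while the backend behind it treats the same bytes as chunked is the disagreement a smuggling attack needs, and the fixed parser removes it by refusing the request outright rather than by picking a "better" framing.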