On Tue, Apr 29, 2025 at 05:23:21PM +0300, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: secur...@debian.org, Debian HAProxy Maintainers 
> <team+hapr...@tracker.debian.org>
> 
>   * CVE-2025-32464: heap buffer overflow in sample_conv_regsub()
>     (Closes: #1102673)
> 
> Tagged moreinfo, as question to the security team whether they want
> this in pu or as DSA.

Attached is the debdiff I forgot.

cu
Adrian
diffstat for haproxy-2.6.12 haproxy-2.6.12

 changelog                                                               |    8 +
 patches/0001-BUG-MEDIUM-sample-fix-risk-of-overflow-when-replacin.patch |   61 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 70 insertions(+)

diff -Nru haproxy-2.6.12/debian/changelog haproxy-2.6.12/debian/changelog
--- haproxy-2.6.12/debian/changelog     2023-12-16 18:41:30.000000000 +0200
+++ haproxy-2.6.12/debian/changelog     2025-04-29 16:56:20.000000000 +0300
@@ -1,3 +1,11 @@
+haproxy (2.6.12-1+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-32464: heap buffer overflow in sample_conv_regsub()
+    (Closes: #1102673)
+
+ -- Adrian Bunk <b...@debian.org>  Tue, 29 Apr 2025 16:56:20 +0300
+
 haproxy (2.6.12-1+deb12u1) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
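Review bot: the changelog bullet names the CVE and closes the bug but does not identify the upstream fix; appending the patch name or the upstream commit id (175902c6bce0, cherry-picked from 3e3b9eebf871) to the line, e.g. "  * CVE-2025-32464: heap buffer overflow in sample_conv_regsub() (upstream commit 175902c6bce0)", lets the security tracker cross-reference the fix without opening the debdiff. Version and suite (2.6.12-1+deb12u2, bookworm, urgency=medium) are consistent with a pu upload following the earlier deb12u1 bookworm-security upload.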
diff -Nru 
haproxy-2.6.12/debian/patches/0001-BUG-MEDIUM-sample-fix-risk-of-overflow-when-replacin.patch
 
haproxy-2.6.12/debian/patches/0001-BUG-MEDIUM-sample-fix-risk-of-overflow-when-replacin.patch
--- 
haproxy-2.6.12/debian/patches/0001-BUG-MEDIUM-sample-fix-risk-of-overflow-when-replacin.patch
       1970-01-01 02:00:00.000000000 +0200
+++ 
haproxy-2.6.12/debian/patches/0001-BUG-MEDIUM-sample-fix-risk-of-overflow-when-replacin.patch
       2025-04-29 16:55:53.000000000 +0300
@@ -0,0 +1,61 @@
+From 175902c6bce0f5109166dee7b5551e36aae7186a Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w...@1wt.eu>
+Date: Mon, 7 Apr 2025 15:30:43 +0200
+Subject: BUG/MEDIUM: sample: fix risk of overflow when replacing multiple
+ regex back-refs
+
+Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean Labs
+reported a bug in sample_conv_regsub(), which can cause replacements
+of multiple back-references to overflow the temporary trash buffer.
+
+The problem happens when doing "regsub(match,replacement,g)": we're
+replacing every occurrence of "match" with "replacement" in the input
+sample, which requires a length check. For this, a max is applied, so
+that a replacement may not use more than the remaining length in the
+buffer. However, the length check is made on the replaced pattern and
+not on the temporary buffer used to carry the new string. This results
+in the remaining size to be usable for each input match, which can go
+beyond the temporary buffer size if more than one occurrence has to be
+replaced with something that's larger than the remaining room.
+
+The fix proposed by Aleandro and Edoardo is the correct one (check on
+"trash" not "output"), and is the one implemented in this patch.
+
+While it is very unlikely that a config will replace multiple short
+patterns each with a larger one in a request, this possibility cannot
+be entirely ruled out (e.g. mask a known, short IP address using
+"XXX.XXX.XXX.XXX").  However when this happens, the replacement pattern
+will be static, and not be user-controlled, which is why this patch is
+marked as medium.
+
+The bug was introduced in 2.2 with commit 07e1e3c93e ("MINOR: sample:
+regsub now supports backreferences"), so it must be backported to all
+versions.
+
+Special thanks go to Aleandro and Edoardo for reporting this bug with
+a simple reproducer and a fix.
+
+(cherry picked from commit 3e3b9eebf871510aee36c3a3336faac2f38c9559)
+Signed-off-by: Aurelien DARRAGON <adarra...@haproxy.com>
+(cherry picked from commit db87c8d9fe621539531f6f915ba9e1755a2a26cb)
+Signed-off-by: Aurelien DARRAGON <adarra...@haproxy.com>
+---
+ src/sample.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sample.c b/src/sample.c
+index 852cd0418..84d542dbf 100644
+--- a/src/sample.c
++++ b/src/sample.c
+@@ -2690,7 +2690,7 @@ static int sample_conv_regsub(const struct arg *arg_p, 
struct sample *smp, void
+               output->data = exp_replace(output->area, output->size, start, 
arg_p[1].data.str.area, pmatch);
+ 
+               /* replace the matching part */
+-              max = output->size - output->data;
++              max = trash->size - trash->data;
+               if (max) {
+                       if (max > output->data)
+                               max = output->data;
+-- 
+2.30.2
+
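Review bot: the one-line change picks the right bound: `max = trash->size - trash->data` is the room left in `trash`, the buffer the replaced string is accumulated into across iterations, whereas the old `output->size - output->data` measured the scratch buffer that `exp_replace()` refills for every match, so in `g` mode each match could copy up to a full buffer's worth regardless of what earlier matches had already appended. The unchanged `if (max > output->data) max = output->data;` clamp still caps the copy at the length of the current replacement, so together the two checks truncate instead of writing past the end of `trash`. Two things to confirm before upload: that the hunk applies at the stated offset in the 2.6.12 `src/sample.c` (the commit message says the bug dates from 2.2, so the surrounding code should match), and that DEP-3 headers are added (`Bug-Debian: https://bugs.debian.org/1102673` plus the upstream `Origin:`), since the patch currently carries only the git-format-patch header. The commit message mentions a simple reproducer from the reporters but none is included in the patch; noting in the bug how the fix was verified on the rebuilt package would be helpful.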
diff -Nru haproxy-2.6.12/debian/patches/series 
haproxy-2.6.12/debian/patches/series
--- haproxy-2.6.12/debian/patches/series        2023-12-16 18:40:58.000000000 
+0200
+++ haproxy-2.6.12/debian/patches/series        2025-04-29 16:56:20.000000000 
+0300
@@ -14,6 +14,7 @@
 BUG-MINOR-h3-reject-more-chars-from-the-path-pseudo-.patch
 REGTESTS-http-rules-verify-that-we-block-by-default-.patch
 DOC-clarify-the-handling-of-URL-fragments-in-request.patch
+0001-BUG-MEDIUM-sample-fix-risk-of-overflow-when-replacin.patch
 
 # applied during the build process:
 # debianize-dconv.patch
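Review bot: the new entry is appended after the last applied patch and before the build-time comment block, so quilt ordering is correct; the `0001-` prefix is a git-format-patch artifact that the other entries in this series drop, so renaming the file to BUG-MEDIUM-sample-fix-risk-of-overflow-when-replacin.patch would keep the naming consistent, though this is cosmetic.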
