Bug 824542 (CVE-2012-2942)

Summary: CVE-2012-2942 haproxy: trash buffer overflow flaw can lead to arbitrary code execution
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ccoleman, jeremy, jlieskov, kseifried, robinlee.sysu, tkramer
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20120519,reported=20120523,source=gentoo,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/haproxy=affected,epel-all/haproxy=affected,openshift-1/haproxy=affected,openshift-1/cartridge-haproxy=affected
Fixed In Version: haproxy 1.4.21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-11 04:17:48 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 824544, 824545, 849288    
Bug Blocks: 767033, 824547    

Description Vincent Danen 2012-05-23 13:34:19 EDT 
A flaw was reported [1] in HAProxy where, due to a boundary error when copying data into the trash buffer, an external attacker could cause a buffer overflow.  Exploiting this flaw could lead to the execution of arbitrary code, however it requires non-default settings for the global.tune.bufsize configuration option (must be set to a value greater than the default), and also that header rewriting is enabled (via, for example, the regrep or rsprep directives).

This flaw is reported against 1.4.20, prior versions may also be affected.  This has been fixed upstream in version 1.4.21 [2] and in git [3].

[1] https://secunia.com/advisories/49261/
[2] http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
[3] http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b
Comment 1 Vincent Danen 2012-05-23 13:35:22 EDT 
Created haproxy tracking bugs for this issue

Affects: fedora-all [bug 824544]
Affects: epel-all [bug 824545]
Comment 2 Kurt Seifried 2012-05-23 14:09:00 EDT 
Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/23/15
Comment 3 Jan Lieskovsky 2012-05-28 04:44:50 EDT 
A duplicate CVE identifier of CVE-2012-2942 has been also assigned to this issue:
[4] http://www.openwall.com/lists/oss-security/2012/05/28/1
Comment 4 Jan Lieskovsky 2012-05-28 04:46:38 EDT 
* Name: CVE-2012-2942
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2942 
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20120527
Category:
Reference: CONFIRM:http://haproxy.1wt.eu/#news 
Reference: CONFIRM:http://haproxy.1wt.eu/download/1.4/src/CHANGELOG 
Reference: CONFIRM:http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b 
Reference: BID:53647
Reference: URL:http://www.securityfocus.com/bid/53647 
Reference: SECUNIA:49261
Reference: URL:http://secunia.com/advisories/49261 
Reference: XF:haproxy-trash-bo(75777)
Reference: URL:http://xforce.iss.net/xforce/xfdb/75777 

Buffer overflow in the trash buffer in the header capture
functionality in HAProxy before 1.4.21, when global.tune.bufsize is
set to a value greater than the default and header rewriting is
enabled, allows remote attackers to cause a denial of service and
possibly execute arbitrary code via unspecified vectors.
Comment 5 Jan Lieskovsky 2012-08-17 06:55:52 EDT 
The CVE-2012-2391 identifier has been rejected in favour of CVE-2012-2942:
--------------------------------------------------------------------------

Name: CVE-2012-2391
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2391 [Open URL]
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20120419
Category:
Reference: MLIST:[oss-security] 20120523 CVE request: haproxy trash buffer overflow flaw
Reference: URL:http://www.openwall.com/lists/oss-security/2012/05/23/12 
Reference: MLIST:[oss-security] 20120523 Re: CVE request: haproxy trash buffer overflow flaw
Reference: URL:http://www.openwall.com/lists/oss-security/2012/05/23/15 
Reference: MLIST:[oss-security] 20120528 Duplicate CVE identifiers (CVE-2012-2391 and CVE-2012-2942) assigned to HAProxy issue
Reference: URL:http://www.openwall.com/lists/oss-security/2012/05/28/1 

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-2942. Reason:
This candidate is a duplicate of CVE-2012-2942. Notes: All CVE users
should reference CVE-2012-2942 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.

----------------------------------------------------------------------------

So the original haproxy flaw should reference CVE-2012-2942 (instead of CVE-2012-2391).
Comment 7 Fedora Update System 2012-10-15 23:44:21 EDT 
haproxy-1.4.22-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-10-22 21:51:00 EDT 
haproxy-1.4.22-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-10-22 21:56:33 EDT 
haproxy-1.4.22-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-10-29 14:39:42 EDT 
haproxy-1.4.22-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.