Bug 824542 (CVE-2012-2942) - CVE-2012-2942 haproxy: trash buffer overflow flaw can lead to arbitrary code execution
Summary: CVE-2012-2942 haproxy: trash buffer overflow flaw can lead to arbitrary code ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-2942
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 824544 824545 849288
Blocks: 767033 824547
TreeView+ depends on / blocked
 
Reported: 2012-05-23 17:34 UTC by Vincent Danen
Modified: 2019-09-29 12:53 UTC (History)
6 users (show)

Fixed In Version: haproxy 1.4.21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-11 09:17:48 UTC


Attachments (Terms of Use)

Description Vincent Danen 2012-05-23 17:34:19 UTC
A flaw was reported [1] in HAProxy where, due to a boundary error when copying data into the trash buffer, an external attacker could cause a buffer overflow.  Exploiting this flaw could lead to the execution of arbitrary code, however it requires non-default settings for the global.tune.bufsize configuration option (must be set to a value greater than the default), and also that header rewriting is enabled (via, for example, the regrep or rsprep directives).

This flaw is reported against 1.4.20, prior versions may also be affected.  This has been fixed upstream in version 1.4.21 [2] and in git [3].

[1] https://secunia.com/advisories/49261/
[2] http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
[3] http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b

Comment 1 Vincent Danen 2012-05-23 17:35:22 UTC
Created haproxy tracking bugs for this issue

Affects: fedora-all [bug 824544]
Affects: epel-all [bug 824545]

Comment 2 Kurt Seifried 2012-05-23 18:09:00 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/23/15

Comment 3 Jan Lieskovsky 2012-05-28 08:44:50 UTC
A duplicate CVE identifier of CVE-2012-2942 has been also assigned to this issue:
[4] http://www.openwall.com/lists/oss-security/2012/05/28/1

Comment 4 Jan Lieskovsky 2012-05-28 08:46:38 UTC
* Name: CVE-2012-2942
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2942 
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20120527
Category:
Reference: CONFIRM:http://haproxy.1wt.eu/#news 
Reference: CONFIRM:http://haproxy.1wt.eu/download/1.4/src/CHANGELOG 
Reference: CONFIRM:http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b 
Reference: BID:53647
Reference: URL:http://www.securityfocus.com/bid/53647 
Reference: SECUNIA:49261
Reference: URL:http://secunia.com/advisories/49261 
Reference: XF:haproxy-trash-bo(75777)
Reference: URL:http://xforce.iss.net/xforce/xfdb/75777 

Buffer overflow in the trash buffer in the header capture
functionality in HAProxy before 1.4.21, when global.tune.bufsize is
set to a value greater than the default and header rewriting is
enabled, allows remote attackers to cause a denial of service and
possibly execute arbitrary code via unspecified vectors.

Comment 5 Jan Lieskovsky 2012-08-17 10:55:52 UTC
The CVE-2012-2391 identifier has been rejected in favour of CVE-2012-2942:
--------------------------------------------------------------------------

Name: CVE-2012-2391
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2391 [Open URL]
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20120419
Category:
Reference: MLIST:[oss-security] 20120523 CVE request: haproxy trash buffer overflow flaw
Reference: URL:http://www.openwall.com/lists/oss-security/2012/05/23/12 
Reference: MLIST:[oss-security] 20120523 Re: CVE request: haproxy trash buffer overflow flaw
Reference: URL:http://www.openwall.com/lists/oss-security/2012/05/23/15 
Reference: MLIST:[oss-security] 20120528 Duplicate CVE identifiers (CVE-2012-2391 and CVE-2012-2942) assigned to HAProxy issue
Reference: URL:http://www.openwall.com/lists/oss-security/2012/05/28/1 

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-2942. Reason:
This candidate is a duplicate of CVE-2012-2942. Notes: All CVE users
should reference CVE-2012-2942 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.

----------------------------------------------------------------------------

So the original haproxy flaw should reference CVE-2012-2942 (instead of CVE-2012-2391).

Comment 7 Fedora Update System 2012-10-16 03:44:21 UTC
haproxy-1.4.22-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2012-10-23 01:51:00 UTC
haproxy-1.4.22-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-10-23 01:56:33 UTC
haproxy-1.4.22-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2012-10-29 18:39:42 UTC
haproxy-1.4.22-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.