A flaw was reported [1] in HAProxy where, due to a boundary error when copying data into the trash buffer, an external attacker could cause a buffer overflow. Exploiting this flaw could lead to the execution of arbitrary code; however, it requires non-default settings for the global.tune.bufsize configuration option (must be set to a value greater than the default), and also that header rewriting is enabled (via, for example, the reqrep or rsprep directives). This flaw is reported against 1.4.20; prior versions may also be affected. This has been fixed upstream in version 1.4.21 [2] and in git [3].

[1] https://secunia.com/advisories/49261/
[2] http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
[3] http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b
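A configuration triage check for the three preconditions described above (version before 1.4.21, tune.bufsize raised above the default, header rewriting enabled), added here as an example and not part of the bug report or of HAProxy itself. It assumes the HAProxy 1.4 default tune.bufsize of 16384 and treats the case-insensitive reqirep/rspirep directives as rewrite directives alongside reqrep/rsprep; the sample config is constructed.

```python
DEFAULT_BUFSIZE = 16384  # assumed default tune.bufsize in HAProxy 1.4
# Rewrite directives named in the report (reqrep/rsprep) plus the
# case-insensitive variants, assumed here to use the same rewrite path.
REWRITE_DIRECTIVES = {"reqrep", "reqirep", "rsprep", "rspirep"}
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}
FIXED_VERSION = (1, 4, 21)  # first upstream release with the fix

def parse_version(s):
    """'1.4.20' -> (1, 4, 20); tuple comparison follows release order."""
    return tuple(int(p) for p in s.split(".")[:3])

def parse_cfg(text):
    """Yield (section, keyword, args) per directive, skipping comments."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            section = tokens[0]
            continue
        yield section, tokens[0], tokens[1:]

def assess(cfg_text, version):
    """Report which CVE-2012-2942 preconditions hold for a config/version."""
    bufsize = DEFAULT_BUFSIZE
    rewrite_enabled = False
    for section, kw, args in parse_cfg(cfg_text):
        if section == "global" and kw == "tune.bufsize" and args:
            bufsize = int(args[0])
        elif kw in REWRITE_DIRECTIVES:
            rewrite_enabled = True
    result = {
        "version_vulnerable": parse_version(version) < FIXED_VERSION,
        "bufsize_raised": bufsize > DEFAULT_BUFSIZE,
        "rewrite_enabled": rewrite_enabled,
    }
    result["exposed"] = all(result.values())  # all three must hold
    return result

# Constructed sample config: raised bufsize plus a request header rewrite.
SAMPLE_CFG = """\
global
    tune.bufsize 32768
frontend web
    reqrep ^Host:\\ old\\.example\\.test Host:\\ new.example.test
"""

if __name__ == "__main__":
    print(assess(SAMPLE_CFG, "1.4.20"))
```

The version string is taken from the running binary (e.g. `haproxy -v`), not from the package name, since distribution builds may carry the fix under an older upstream number.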
Created haproxy tracking bugs for this issue

Affects: fedora-all [bug 824544]
Affects: epel-all [bug 824545]
Added CVE as per http://www.openwall.com/lists/oss-security/2012/05/23/15
A duplicate CVE identifier of CVE-2012-2942 has also been assigned to this issue:

[4] http://www.openwall.com/lists/oss-security/2012/05/28/1
* Name: CVE-2012-2942
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2942
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20120527
Category:
Reference: CONFIRM:http://haproxy.1wt.eu/#news
Reference: CONFIRM:http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
Reference: CONFIRM:http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b
Reference: BID:53647
Reference: URL:http://www.securityfocus.com/bid/53647
Reference: SECUNIA:49261
Reference: URL:http://secunia.com/advisories/49261
Reference: XF:haproxy-trash-bo(75777)
Reference: URL:http://xforce.iss.net/xforce/xfdb/75777

Buffer overflow in the trash buffer in the header capture functionality in HAProxy before 1.4.21, when global.tune.bufsize is set to a value greater than the default and header rewriting is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors.
The CVE-2012-2391 identifier has been rejected in favour of CVE-2012-2942:

--------------------------------------------------------------------------
Name: CVE-2012-2391
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2391
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20120419
Category:
Reference: MLIST:[oss-security] 20120523 CVE request: haproxy trash buffer overflow flaw
Reference: URL:http://www.openwall.com/lists/oss-security/2012/05/23/12
Reference: MLIST:[oss-security] 20120523 Re: CVE request: haproxy trash buffer overflow flaw
Reference: URL:http://www.openwall.com/lists/oss-security/2012/05/23/15
Reference: MLIST:[oss-security] 20120528 Duplicate CVE identifiers (CVE-2012-2391 and CVE-2012-2942) assigned to HAProxy issue
Reference: URL:http://www.openwall.com/lists/oss-security/2012/05/28/1

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-2942. Reason: This candidate is a duplicate of CVE-2012-2942. Notes: All CVE users should reference CVE-2012-2942 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
----------------------------------------------------------------------------

So the original haproxy flaw should reference CVE-2012-2942 (instead of CVE-2012-2391).
haproxy-1.4.22-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
haproxy-1.4.22-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
haproxy-1.4.22-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
haproxy-1.4.22-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.