Bug 1239072 (CVE-2015-3281) - CVE-2015-3281 haproxy: information leak in buffer_slow_realign()
Summary: CVE-2015-3281 haproxy: information leak in buffer_slow_realign()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3281
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1241143 1241144 1241145 1241535 1241536 1241537 1241538 1283404
Blocks: 1239074
Reported: 2015-07-03 12:29 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:34 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An implementation error related to the memory management of requests and responses was found in HAProxy's buffer_slow_realign() function. An unauthenticated remote attacker could possibly use this flaw to leak certain memory buffer contents from a past request or session.
Clone Of:
Environment:
Last Closed: 2015-12-17 17:19:04 UTC
Embargoed:


Attachments
0001-BUG-MAJOR-buffers-make-the-buffer_slow_realign-funct.patch (4.76 KB, text/plain), 2015-07-03 12:30 UTC, Vasyl Kaigorodov


Links
System                  ID             Private  Priority  Status        Summary                                                                                       Last Updated
Red Hat Product Errata  RHSA-2015:1741  0        normal    SHIPPED_LIVE  Important: haproxy security update                                                            2015-09-08 15:30:34 UTC
Red Hat Product Errata  RHSA-2015:2666  0        normal    SHIPPED_LIVE  Important: Red Hat OpenShift Enterprise 2.2.8 security, bug fix, and enhancement update      2015-12-17 22:07:54 UTC

Description Vasyl Kaigorodov 2015-07-03 12:29:15 UTC
An information disclosure vulnerability was reported in HAProxy.
Details (quoting attached patch):

 The function buffer_slow_realign() was initially designed for requests
 only and did not consider pending outgoing data. This causes a problem
 when called on responses where data remain in the buffer, which may
 happen with pipelined requests when the client is slow to read data.
 
 The user-visible effect is that if less than <maxrewrite> bytes are
 present in the buffer from a previous response and these bytes cross
 the <maxrewrite> boundary close to the end of the buffer, then a new
 response will cause a realign and will destroy these pending data and
 move the pointer to what's believed to contain pending output data.
 Thus the client receives the crap that lies in the buffer instead of
 the original output bytes.
 
 This new implementation now properly realigns everything including the
 outgoing data which are moved to the end of the buffer while the input
 data are moved to the beginning.
 
 This implementation still uses a buffer-to-buffer copy which is not
 optimal in terms of performance and which should be replaced by a
 buffer switch later.

The proposed patch is attached to this Bugzilla.
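To make the failure mode in the quoted patch description concrete, here is an added C model written for this page; it is not HAProxy's buffer code or the attached patch. It assumes a small ring buffer with HAProxy-like fields (p = start of input, o = pending output bytes before p, i = input bytes from p), a realign that ignores pending output as the bug did, and one that moves output to the end and input to the beginning as the fix does. The names (buf, AT, OSTART, realign_buggy, realign_fixed, realign_preserves_output) and the sample buffer contents are constructed.

```c
#include <string.h>
/* Constructed ring-buffer model with HAProxy-like fields (not HAProxy's code):
 * o pending output bytes end at index p, i input bytes start at p; both may wrap. */
#define BUF_SIZE 16
struct buf { char data[BUF_SIZE]; size_t p, o, i; };
#define AT(b, start, k) ((b)->data[((start) + (k)) % BUF_SIZE])
#define OSTART(b) (((b)->p + BUF_SIZE - (b)->o) % BUF_SIZE)
/* Linearise the output and input regions into NUL-terminated out[] and in[]. */
static void b_read(const struct buf *b, char *out, char *in)
{
    for (size_t k = 0; k < b->o; k++) out[k] = AT(b, OSTART(b), k);
    for (size_t k = 0; k < b->i; k++) in[k] = AT(b, b->p, k);
    out[b->o] = in[b->i] = '\0';
}

/* The bug as described: only the input is moved to the start and p is reset, so
 * the output is now "believed" to sit in the last o slots, whatever they hold. */
static void realign_buggy(struct buf *b)
{
    char tmp[BUF_SIZE];
    for (size_t k = 0; k < b->i; k++) tmp[k] = AT(b, b->p, k);
    memcpy(b->data, tmp, b->i);
    b->p = 0;
}

/* The fix as described: output goes to the end, input to the beginning,
 * through a scratch copy (the buffer-to-buffer copy the patch mentions). */
static void realign_fixed(struct buf *b)
{
    char tmp[BUF_SIZE] = {0};
    for (size_t k = 0; k < b->o; k++) tmp[BUF_SIZE - b->o + k] = AT(b, OSTART(b), k);
    for (size_t k = 0; k < b->i; k++) tmp[k] = AT(b, b->p, k);
    memcpy(b->data, tmp, BUF_SIZE);
    b->p = 0;
}

/* 1 if the chosen realign keeps output "OLD" and input "INPUT" intact, else 0.
 * Constructed state: 3 unsent output bytes "OLD" wrap across the ring end,
 * 5 new bytes "INPUT" follow, and '#' marks leftovers from an older session. */
int realign_preserves_output(int use_fix)
{
    struct buf b = { .p = 1, .o = 3, .i = 5 };
    char out[BUF_SIZE + 1], in[BUF_SIZE + 1];
    memset(b.data, '#', BUF_SIZE);
    b.data[14] = 'O'; b.data[15] = 'L'; b.data[0] = 'D';
    memcpy(b.data + 1, "INPUT", 5);
    if (use_fix) realign_fixed(&b); else realign_buggy(&b);
    b_read(&b, out, in);
    return b.p == 0 && strcmp(out, "OLD") == 0 && strcmp(in, "INPUT") == 0;
}
```

With the buggy realign the linearised output comes back as "#OL", stale bytes plus a fragment of the old response, which is the leak the description refers to; the fixed realign returns "OLD" and "INPUT" with p at 0.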

Comment 1 Vasyl Kaigorodov 2015-07-03 12:30:11 UTC
Created attachment 1045847 [details]
0001-BUG-MAJOR-buffers-make-the-buffer_slow_realign-funct.patch

Comment 5 Martin Prpič 2015-07-08 14:44:09 UTC
Created haproxy tracking bugs for this issue:

Affects: fedora-all [bug 1241143]

Comment 8 Fedora Update System 2015-07-29 01:43:52 UTC
haproxy-1.5.14-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-07-29 01:46:31 UTC
haproxy-1.5.14-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Hany Fahim 2015-08-07 17:02:50 UTC
Hey Folks,

Just wondering what the status of this bug report is. Will this be pushed to RHEL's repos anytime soon? Seeing how this is high severity and priority, it would be good to have a timeframe of release.

Comment 12 errata-xmlrpc 2015-09-08 11:32:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:1741 https://rhn.redhat.com/errata/RHSA-2015-1741.html

Comment 13 Eswar Subramaniam 2015-09-10 20:28:56 UTC
Hello,

From https://rhn.redhat.com/errata/RHSA-2015-1741.html, the package name says "haproxy-1.5.4-2.el6_7.1.x86_64.rpm". Isn't this an old package? When we check the version, it says it was built in 2014.

[root@server ~]# haproxy -v
HA-Proxy version 1.5.4 2014/09/02
Copyright 2000-2014 Willy Tarreau <w>

Comment 14 Brandon Perkins 2015-09-11 15:03:57 UTC
That is the compiled version option provided by the upstream sources.  To say it a different way, that is the base version that Red Hat used in creating this package.  What you need to look at to determine the *real* manifest of the package is to look at the package information and changelog:

# rpm -qi haproxy-1.5.4-2.el6_7.1.x86_64
Name        : haproxy                      Relocations: (not relocatable)
Version     : 1.5.4                             Vendor: Red Hat, Inc.
Release     : 2.el6_7.1                     Build Date: Tue 28 Jul 2015 05:58:13 PM CEST
Install Date: Fri 11 Sep 2015 04:54:47 PM CEST      Build Host: x86-032.build.eng.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: haproxy-1.5.4-2.el6_7.1.src.rpm
Size        : 2552550                          License: GPLv2+
Signature   : RSA/8, Thu 03 Sep 2015 09:09:56 PM CEST, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.haproxy.org/
Summary     : HAProxy is a TCP/HTTP reverse proxy for high availability environments
Description :
HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
<SNIP>

# rpm -q --changelog haproxy-1.5.4-2.el6_7.1.x86_64
* Tue Jul 28 2015 Ryan O'Hara <rohara> - 1.5.4-2.1
- Fix buffer_slow_realign() function to respect output data
  Resolves: CVE-2015-3281

* Tue Mar 03 2015 Ryan O'Hara <rohara> - 1.5.4-2
- Read sysconfig file for extra options
  Resolves: rhbz#1166497

* Tue Nov 11 2014 Ryan O'Hara <rohara> - 1.5.4-1
- Rebase to upstream version 1.5.4
  Resolves: rhbz#1136550
<SNIP>

So, 1.5.4 has been, and still is, the base point the subsequent RHEL6 packages were based on, with patches applied.  Typically, a package is not rebased within a RHEL major version lifecycle, but there are exceptions.  For more information, please feel free to contact your Red Hat support representative.

Comment 16 errata-xmlrpc 2015-12-17 17:10:16 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.2

Via RHSA-2015:2666 https://rhn.redhat.com/errata/RHSA-2015-2666.html

