!152 Fix CVE-2024-53008

From: @wk333 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge

CVE-2024-53008-1.patch

@@ -0,0 +1,77 @@
+From 87fefebfbe3df218103502046a0871b235a48087 Mon Sep 17 00:00:00 2001
+From: Amaury Denoyelle <adenoyelle@haproxy.com>
+Date: Fri, 28 Jun 2024 10:43:19 +0200
+Subject: [PATCH] BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally
+ valid
+Origin: https://github.com/haproxy/haproxy/commit/87fefebfbe3df218103502046a0871b235a48087
+
+Ensure pseudo-header method is only constitued of valid characters
+according to RFC 9110. If an invalid value is found, the request is
+rejected and stream is resetted.
+
+Previously only characters forbidden in headers were rejected (NUL/CR/LF),
+but this is insufficient for :method, where some other forbidden chars
+might be used to trick a non-compliant backend server into seeing a
+different path from the one seen by haproxy. Note that header injection
+is not possible though.
+
+This must be backported up to 2.6.
+
+Many thanks to Yuki Mogi of FFRI Security Inc for the detailed report
+that allowed to quicky spot, confirm and fix the problem.
+
+(cherry picked from commit 789d4abd7328f0a745d67698e89bbb888d4d9b2c)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit 47d13c68cf198467a94e85a1caa44484a1e2e75c)
+[cf: adapted]
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+---
+ include/haproxy/http.h | 15 +++++++++++++++
+ src/h3.c               |  8 ++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/include/haproxy/http.h b/include/haproxy/http.h
+index 299264051d28e..a297fa59b444a 100644
+--- a/include/haproxy/http.h
++++ b/include/haproxy/http.h
+@@ -192,6 +192,21 @@ static inline int http_header_has_forbidden_char(const struct ist ist, const cha
+ 	return 0;
+ }
+ 
++/* Check that method only contains token as required.
++ * See RFC 9110 9. Methods
++ */
++static inline int http_method_has_forbidden_char(const struct ist ist)
++{
++	const char *start = istptr(ist);
++
++	do {
++		if (!HTTP_IS_TOKEN(*start))
++			return 1;
++		start++;
++	} while (start < istend(ist));
++	return 0;
++}
++
+ /* Looks into <ist> for forbidden characters for :path values (0x00..0x1F,
+  * 0x20, 0x23), starting at pointer <start> which must be within <ist>.
+  * Returns non-zero if such a character is found, 0 otherwise. When run on
+diff --git a/src/h3.c b/src/h3.c
+index 9e415b3b56303..4e21f6b92f535 100644
+--- a/src/h3.c
++++ b/src/h3.c
+@@ -625,6 +625,14 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ 				len = -1;
+ 				goto out;
+ 			}
++
++			if (!istlen(list[hdr_idx].v) || http_method_has_forbidden_char(list[hdr_idx].v)) {
++				TRACE_ERROR("invalid method pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
++				h3s->err = H3_MESSAGE_ERROR;
++				len = -1;
++				goto out;
++			}
++
+ 			meth = list[hdr_idx].v;
+ 		}
+ 		else if (isteq(list[hdr_idx].n, ist(":path"))) {

CVE-2024-53008-2.patch

@@ -0,0 +1,45 @@
+From 6748a47819c263d4631187b6f121b5344ab50d57 Mon Sep 17 00:00:00 2001
+From: Amaury Denoyelle <adenoyelle@haproxy.com>
+Date: Fri, 28 Jun 2024 10:50:19 +0200
+Subject: [PATCH] BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally
+ valid
+Origin: https://github.com/haproxy/haproxy/commit/6748a47819c263d4631187b6f121b5344ab50d57
+
+Ensure pseudo-header scheme is only constitued of valid characters
+according to RFC 9110. If an invalid value is found, the request is
+rejected and stream is resetted.
+
+It's the same as for previous commit "BUG/MEDIUM: h3: ensure the
+":method" pseudo header is totally valid" except that this time it
+applies to the ":scheme" pseudo header.
+
+This must be backported up to 2.6.
+
+(cherry picked from commit a3bed52d1f84ba36af66be4317a5f746d498bdf4)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit 5ddc4004cb0c3c4ea4f4596577c85f004678e9c0)
+[cf: adapted]
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+---
+ src/h3.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/h3.c b/src/h3.c
+index 4e21f6b92f535..1984f984f7daf 100644
+--- a/src/h3.c
++++ b/src/h3.c
+@@ -666,6 +666,14 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ 				len = -1;
+ 				goto out;
+ 			}
++
++			if (!http_validate_scheme(list[hdr_idx].v)) {
++				TRACE_ERROR("invalid scheme pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
++				h3s->err = H3_MESSAGE_ERROR;
++				len = -1;
++				goto out;
++			}
++
+ 			scheme = list[hdr_idx].v;
+ 		}
+ 		else if (isteq(list[hdr_idx].n, ist(":authority"))) {

haproxy.spec

@@ -5,7 +5,7 @@
 
 Name:             haproxy
 Version:          2.9.5
-Release:          6
+Release:          7
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 
 License:          GPLv2+
@@ -20,6 +20,8 @@ Patch1:           backport-BUG-MINOR-server-source-interface-ignored-from-defau.
 Patch2:           Backport-CVE-2024-45506-BUG-MAJOR-mux-h2-always.patch
 Patch3:           CVE-2024-49214.patch
 Patch4:           backport-BUG-MEDIUM-stream-Prevent-mux-upgrades-if-client-con.patch
+Patch5:           CVE-2024-53008-1.patch
+Patch6:           CVE-2024-53008-2.patch
 
 BuildRequires:    gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 Requires(pre):    shadow-utils
@@ -124,6 +126,9 @@ exit 0
 %{_mandir}/man1/*
 
 %changelog
+* Tue Dec 10 2024 wangkai <13474090681@163.com> - 2.9.5-7
+- Fix CVE-2024-53008
+
 * Thu Nov 21 2024 xinghe <xinghe2@h-partners.com> - 2.9.5-6
 - Type:bugfix
 - CVE:NA