fix CVE-2025-32464

(cherry picked from commit 3d1a3148ca0fefcb200fb69900adeb69460deca2)

backport-CVE-2025-32464.patch

@@ -0,0 +1,56 @@
+From 3e3b9eebf871510aee36c3a3336faac2f38c9559 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Mon, 7 Apr 2025 15:30:43 +0200
+Subject: [PATCH] BUG/MEDIUM: sample: fix risk of overflow when replacing
+ multiple regex back-refs
+
+Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean Labs
+reported a bug in sample_conv_regsub(), which can cause replacements
+of multiple back-references to overflow the temporary trash buffer.
+
+The problem happens when doing "regsub(match,replacement,g)": we're
+replacing every occurrence of "match" with "replacement" in the input
+sample, which requires a length check. For this, a max is applied, so
+that a replacement may not use more than the remaining length in the
+buffer. However, the length check is made on the replaced pattern and
+not on the temporary buffer used to carry the new string. This results
+in the remaining size to be usable for each input match, which can go
+beyond the temporary buffer size if more than one occurrence has to be
+replaced with something that's larger than the remaining room.
+
+The fix proposed by Aleandro and Edoardo is the correct one (check on
+"trash" not "output"), and is the one implemented in this patch.
+
+While it is very unlikely that a config will replace multiple short
+patterns each with a larger one in a request, this possibility cannot
+be entirely ruled out (e.g. mask a known, short IP address using
+"XXX.XXX.XXX.XXX").  However when this happens, the replacement pattern
+will be static, and not be user-controlled, which is why this patch is
+marked as medium.
+
+The bug was introduced in 2.2 with commit 07e1e3c93e ("MINOR: sample:
+regsub now supports backreferences"), so it must be backported to all
+versions.
+
+Special thanks go to Aleandro and Edoardo for reporting this bug with
+a simple reproducer and a fix.
+
+Conflict: NA
+Reference: https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559
+---
+ src/sample.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sample.c b/src/sample.c
+index 1e2ff7d2ee8e8..980c27cb6a507 100644
+--- a/src/sample.c
++++ b/src/sample.c
+@@ -3168,7 +3168,7 @@ static int sample_conv_regsub(const struct arg *arg_p, struct sample *smp, void
+ 		output->data = exp_replace(output->area, output->size, start, arg_p[1].data.str.area, pmatch);
+ 
+ 		/* replace the matching part */
+-		max = output->size - output->data;
++		max = trash->size - trash->data;
+ 		if (max) {
+ 			if (max > output->data)
+ 				max = output->data;

haproxy.spec

@@ -5,7 +5,7 @@
 
 Name:             haproxy
 Version:          2.9.5
-Release:          8
+Release:          9
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 
 License:          GPLv2+
@@ -25,6 +25,7 @@ Patch6:           CVE-2024-53008-2.patch
 Patch7:           backport-BUG-MEDIUM-queues-Do-not-use-pendconn_grab_from_px.patch
 Patch8:           backport-BUG-MEDIUM-queues-Make-sure-we-call-process_srv_queu.patch
 Patch9:           backport-BUG-MEDIUM-queue-Make-process_srv_queue-return-the-n.patch
+Patch10:          backport-CVE-2025-32464.patch
 
 BuildRequires:    gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 Requires(pre):    shadow-utils
@@ -129,6 +130,12 @@ exit 0
 %{_mandir}/man1/*
 
 %changelog
+* Tue Apr 29 2025 xinghe <xinghe2@h-partners.com> - 2.9.5-9
+- Type:cves
+- CVE:CVE-2025-32464
+- SUG:NA
+- DESC:fix CVE-2025-32464
+
 * Mon Mar 17 2025 yanglu <yanglu72@h-partners.com> - 2.9.5-8
 - Type:bugfix
 - CVE:NA