fix CVE-2025-32464

(cherry picked from commit 3d1a3148ca0fefcb200fb69900adeb69460deca2)
2025-04-29 14:59:21 +08:00 · 2025-04-29 14:59:21 +08:00 · b52daadc9b
commit b52daadc9b
parent cb45ac33af
2 changed files with 64 additions and 1 deletions
--- a/backport-CVE-2025-32464.patch
+++ b/backport-CVE-2025-32464.patch
@ -0,0 +1,56 @@
 From 3e3b9eebf871510aee36c3a3336faac2f38c9559 Mon Sep 17 00:00:00 2001
 From: Willy Tarreau <w@1wt.eu>
 Date: Mon, 7 Apr 2025 15:30:43 +0200
 Subject: [PATCH] BUG/MEDIUM: sample: fix risk of overflow when replacing
 multiple regex back-refs
 Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean Labs
 reported a bug in sample_conv_regsub(), which can cause replacements
 of multiple back-references to overflow the temporary trash buffer.
 The problem happens when doing "regsub(match,replacement,g)": we're
 replacing every occurrence of "match" with "replacement" in the input
 sample, which requires a length check. For this, a max is applied, so
 that a replacement may not use more than the remaining length in the
 buffer. However, the length check is made on the replaced pattern and
 not on the temporary buffer used to carry the new string. This results
 in the remaining size to be usable for each input match, which can go
 beyond the temporary buffer size if more than one occurrence has to be
 replaced with something that's larger than the remaining room.
 The fix proposed by Aleandro and Edoardo is the correct one (check on
 "trash" not "output"), and is the one implemented in this patch.
 While it is very unlikely that a config will replace multiple short
 patterns each with a larger one in a request, this possibility cannot
 be entirely ruled out (e.g. mask a known, short IP address using
 "XXX.XXX.XXX.XXX").  However when this happens, the replacement pattern
 will be static, and not be user-controlled, which is why this patch is
 marked as medium.
 The bug was introduced in 2.2 with commit 07e1e3c93e ("MINOR: sample:
 regsub now supports backreferences"), so it must be backported to all
 versions.
 Special thanks go to Aleandro and Edoardo for reporting this bug with
 a simple reproducer and a fix.
 Conflict: NA
 Reference: https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559
 ---
 src/sample.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/sample.c b/src/sample.c
 index 1e2ff7d2ee8e8..980c27cb6a507 100644
 --- a/src/sample.c
 +++ b/src/sample.c
@@ -3168,7 +3168,7 @@ static int sample_conv_regsub(const struct arg *arg_p, struct sample *smp, void
 		output->data = exp_replace(output->area, output->size, start, arg_p[1].data.str.area, pmatch);
 		/* replace the matching part */
 -		max = output->size - output->data;
 +		max = trash->size - trash->data;
 		if (max) {
 			if (max > output->data)
 				max = output->data;
--- a/haproxy.spec
+++ b/haproxy.spec
@ -5,7 +5,7 @@
 Name:             haproxy
 Version:          2.9.5
-Release:          8
+Release:          9
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 License:          GPLv2+
@ -25,6 +25,7 @@ Patch6:           CVE-2024-53008-2.patch
 Patch7:           backport-BUG-MEDIUM-queues-Do-not-use-pendconn_grab_from_px.patch
 Patch8:           backport-BUG-MEDIUM-queues-Make-sure-we-call-process_srv_queu.patch
 Patch9:           backport-BUG-MEDIUM-queue-Make-process_srv_queue-return-the-n.patch
 Patch10:          backport-CVE-2025-32464.patch
 BuildRequires:    gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic
 Requires(pre):    shadow-utils
@ -129,6 +130,12 @@ exit 0
 %{_mandir}/man1/*
 %changelog
 * Tue Apr 29 2025 xinghe <xinghe2@h-partners.com> - 2.9.5-9
 - Type:cves
 - CVE:CVE-2025-32464
 - SUG:NA
 - DESC:fix CVE-2025-32464
 * Mon Mar 17 2025 yanglu <yanglu72@h-partners.com> - 2.9.5-8
 - Type:bugfix
 - CVE:NA