!168 fix CVE-2025-32464

From: @xinghe_1 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

CVE-2023-0836.patch

@@ -0,0 +1,41 @@
+From 2e6bf0a2722866ae0128a4392fa2375bd1f03ff8 Mon Sep 17 00:00:00 2001
+From: Youfu Zhang <zhangyoufu@gmail.com>
+Date: Fri, 9 Dec 2022 19:15:48 +0800
+Subject: [PATCH] BUG/MAJOR: fcgi: Fix uninitialized reserved bytes
+
+The output buffer is not zero-initialized. If we don't clear reserved
+bytes, fcgi requests sent to backend will leak sensitive data.
+
+This patch must be backported as far as 2.2.
+---
+ src/fcgi.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/fcgi.c b/src/fcgi.c
+index dcf2db2..1d1a82b 100644
+--- a/src/fcgi.c
++++ b/src/fcgi.c
+@@ -47,7 +47,7 @@ int fcgi_encode_record_hdr(struct buffer *out, const struct fcgi_header *h)
+ 	out->area[len++] = ((h->len >> 8) & 0xff);
+ 	out->area[len++] = (h->len & 0xff);
+ 	out->area[len++] = h->padding;
+-	len++; /* rsv */
++	out->area[len++] = 0; /* rsv */
+ 
+ 	out->data = len;
+ 	return 1;
+@@ -94,7 +94,11 @@ int fcgi_encode_begin_request(struct buffer *out, const struct fcgi_begin_reques
+ 	out->area[len++] = ((r->role >> 8) & 0xff);
+ 	out->area[len++] = (r->role & 0xff);
+ 	out->area[len++] = r->flags;
+-	len += 5; /* rsv */
++	out->area[len++] = 0; /* rsv */
++	out->area[len++] = 0;
++	out->area[len++] = 0;
++	out->area[len++] = 0;
++	out->area[len++] = 0;
+ 
+ 	out->data = len;
+ 	return 1;
+-- 
+1.7.10.4

CVE-2023-45539.patch

@@ -0,0 +1,107 @@
+From 2eab6d354322932cfec2ed54de261e4347eca9a6 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 8 Aug 2023 16:17:22 +0200
+Subject: [PATCH] BUG/MINOR: h1: do not accept '#' as part of the URI component
+
+Seth Manesse and Paul Plasil reported that the "path" sample fetch
+function incorrectly accepts '#' as part of the path component. This
+can in some cases lead to misrouted requests for rules that would apply
+on the suffix:
+
+    use_backend static if { path_end .png .jpg .gif .css .js }
+
+Note that this behavior can be selectively configured using
+"normalize-uri fragment-encode" and "normalize-uri fragment-strip".
+
+The problem is that while the RFC says that this '#' must never be
+emitted, as often it doesn't suggest how servers should handle it. A
+diminishing number of servers still do accept it and trim it silently,
+while others are rejecting it, as indicated in the conversation below
+with other implementers:
+
+   https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html
+
+Looking at logs from publicly exposed servers, such requests appear at
+a rate of roughly 1 per million and only come from attacks or poorly
+written web crawlers incorrectly following links found on various pages.
+
+Thus it looks like the best solution to this problem is to simply reject
+such ambiguous requests by default, and include this in the list of
+controls that can be disabled using "option accept-invalid-http-request".
+
+We're already rejecting URIs containing any control char anyway, so we
+should also reject '#'.
+
+In the H1 parser for the H1_MSG_RQURI state, there is an accelerated
+parser for bytes 0x21..0x7e that has been tightened to 0x24..0x7e (it
+should not impact perf since 0x21..0x23 are not supposed to appear in
+a URI anyway). This way '#' falls through the fine-grained filter and
+we can add the special case for it also conditionned by a check on the
+proxy's option "accept-invalid-http-request", with no overhead for the
+vast majority of valid URIs. Here this information is available through
+h1m->err_pos that's set to -2 when the option is here (so we don't need
+to change the API to expose the proxy). Example with a trivial GET
+through netcat:
+
+  [08/Aug/2023:16:16:52.651] frontend layer1 (#2): invalid request
+    backend <NONE> (#-1), server <NONE> (#-1), event #0, src 127.0.0.1:50812
+    buffer starts at 0 (including 0 out), 16361 free,
+    len 23, wraps at 16336, error at position 7
+    H1 connection flags 0x00000000, H1 stream flags 0x00000810
+    H1 msg state MSG_RQURI(4), H1 msg flags 0x00001400
+    H1 chunk len 0 bytes, H1 body len 0 bytes :
+
+    00000  GET /aa#bb HTTP/1.0\r\n
+    00021  \r\n
+
+This should be progressively backported to all stable versions along with
+the following patch:
+
+    REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
+
+Similar fixes for h2 and h3 will come in followup patches.
+
+Thanks to Seth Manesse and Paul Plasil for reporting this problem with
+detailed explanations.
+---
+ src/h1.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/h1.c b/src/h1.c
+index 88a54c4a593d..4e224f895422 100644
+--- a/src/h1.c
++++ b/src/h1.c
+@@ -551,13 +551,13 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
+ 	case H1_MSG_RQURI:
+ 	http_msg_rquri:
+ #ifdef HA_UNALIGNED_LE
+-		/* speedup: skip bytes not between 0x21 and 0x7e inclusive */
++		/* speedup: skip bytes not between 0x24 and 0x7e inclusive */
+ 		while (ptr <= end - sizeof(int)) {
+-			int x = *(int *)ptr - 0x21212121;
++			int x = *(int *)ptr - 0x24242424;
+ 			if (x & 0x80808080)
+ 				break;
+ 
+-			x -= 0x5e5e5e5e;
++			x -= 0x5b5b5b5b;
+ 			if (!(x & 0x80808080))
+ 				break;
+ 
+@@ -569,8 +569,15 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
+ 			goto http_msg_ood;
+ 		}
+ 	http_msg_rquri2:
+-		if (likely((unsigned char)(*ptr - 33) <= 93)) /* 33 to 126 included */
++		if (likely((unsigned char)(*ptr - 33) <= 93)) { /* 33 to 126 included */
++			if (*ptr == '#') {
++				if (h1m->err_pos < -1) /* PR_O2_REQBUG_OK not set */
++					goto invalid_char;
++				if (h1m->err_pos == -1) /* PR_O2_REQBUG_OK set: just log */
++					h1m->err_pos = ptr - start + skip;
++			}
+ 			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_rquri2, http_msg_ood, state, H1_MSG_RQURI);
++		}
+ 
+ 		if (likely(HTTP_IS_SPHT(*ptr))) {
+ 			sl.rq.u.len = ptr - sl.rq.u.ptr;

backport-BUG-MINOR-server-source-interface-ignored-from-defau.patch

@@ -0,0 +1,55 @@
+From 0013757152ef499539377943e556a7f96acf605c Mon Sep 17 00:00:00 2001
+From: Aurelien DARRAGON <adarragon@haproxy.com>
+Date: Tue, 26 Mar 2024 10:42:48 +0100
+Subject: [PATCH] BUG/MINOR: server: 'source' interface ignored from
+ 'default-server' directive
+
+Sebastien Gross reported that 'interface' keyword ('source' subargument)
+is silently ignored when used from 'default-server' directive despite the
+documentation implicitly stating that the keyword should be supported
+there.
+
+When support for 'source' keyword was added to 'default-server' directive
+in dba97077 ("MINOR: server: Make 'default-server' support 'source'
+keyword."), we properly duplicated the conn iface_name from the default-
+server but we forgot to copy the conn iface_len which must be set as well
+since it is used as setsockopt()'s 'optlen' argument in
+tcp_connect_server().
+
+It should be backported to all stable versions.
+
+(cherry picked from commit bd98db50785b6cef946d38715b48f72e7ca73a59)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit ada8c0e37df568c58e3a328c171d6f27bcfbe652)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit 92b935e99aef7573e658ff53858619bca737aeaf)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit 8acf8e51f8a0cbeea778f2c392dad7a7e068a075)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit b7ff822695e72695dfd753be23ff11fc97696fb3)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+(cherry picked from commit e34253add4973de6082795706cd105f2f5d8247e)
+Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+
+Conflict: NA
+Reference: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=0013757152ef499539377943e556a7f96acf605c
+---
+ src/server.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/server.c b/src/server.c
+index 2b9340734cff0..d011d397aecff 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -1539,8 +1539,10 @@ static void srv_conn_src_cpy(struct server *srv, const struct server *src)
+ 	srv->conn_src.bind_hdr_occ = src->conn_src.bind_hdr_occ;
+ 	srv->conn_src.tproxy_addr  = src->conn_src.tproxy_addr;
+ #endif
+-	if (src->conn_src.iface_name != NULL)
++	if (src->conn_src.iface_name != NULL) {
+ 		srv->conn_src.iface_name = strdup(src->conn_src.iface_name);
++		srv->conn_src.iface_len = src->conn_src.iface_len;
++	}
+ }
+ 
+ /*

backport-CVE-2025-32464.patch

@@ -0,0 +1,69 @@
+From f4eae4362dc02a017e5cf0a32328b8d103a89884 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Mon, 7 Apr 2025 15:30:43 +0200
+Subject: [PATCH] BUG/MEDIUM: sample: fix risk of overflow when replacing
+ multiple regex back-refs
+
+Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean Labs
+reported a bug in sample_conv_regsub(), which can cause replacements
+of multiple back-references to overflow the temporary trash buffer.
+
+The problem happens when doing "regsub(match,replacement,g)": we're
+replacing every occurrence of "match" with "replacement" in the input
+sample, which requires a length check. For this, a max is applied, so
+that a replacement may not use more than the remaining length in the
+buffer. However, the length check is made on the replaced pattern and
+not on the temporary buffer used to carry the new string. This results
+in the remaining size to be usable for each input match, which can go
+beyond the temporary buffer size if more than one occurrence has to be
+replaced with something that's larger than the remaining room.
+
+The fix proposed by Aleandro and Edoardo is the correct one (check on
+"trash" not "output"), and is the one implemented in this patch.
+
+While it is very unlikely that a config will replace multiple short
+patterns each with a larger one in a request, this possibility cannot
+be entirely ruled out (e.g. mask a known, short IP address using
+"XXX.XXX.XXX.XXX").  However when this happens, the replacement pattern
+will be static, and not be user-controlled, which is why this patch is
+marked as medium.
+
+The bug was introduced in 2.2 with commit 07e1e3c93e ("MINOR: sample:
+regsub now supports backreferences"), so it must be backported to all
+versions.
+
+Special thanks go to Aleandro and Edoardo for reporting this bug with
+a simple reproducer and a fix.
+
+(cherry picked from commit 3e3b9eebf871510aee36c3a3336faac2f38c9559)
+Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
+(cherry picked from commit db87c8d9fe621539531f6f915ba9e1755a2a26cb)
+Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
+(cherry picked from commit ee1a64c2a04cc2cb38efb7e44f7ea7386d627bf6)
+Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
+(cherry picked from commit 82c5355ce3a83344074e12f5e878dafae27efb96)
+Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
+(cherry picked from commit ed90ec01d0b2f26a07ff24cdb47b5cf9ed89b84e)
+Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
+(cherry picked from commit ca2123ad538e49b67042dc183a9d9ea9beb8fc8c)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+Conflict: NA
+Reference: https://github.com/haproxy/haproxy/commit/f4eae4362dc02a017e5cf0a32328b8d103a89884
+---
+ src/sample.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sample.c b/src/sample.c
+index 06f14a46e5aa..d8f125c88857 100644
+--- a/src/sample.c
++++ b/src/sample.c
+@@ -2733,7 +2733,7 @@ static int sample_conv_regsub(const struct arg *arg_p, struct sample *smp, void
+ 		output->data = exp_replace(output->area, output->size, start, arg_p[1].data.str.area, pmatch);
+ 
+ 		/* replace the matching part */
+-		max = output->size - output->data;
++		max = trash->size - trash->data;
+ 		if (max) {
+ 			if (max > output->data)
+ 				max = output->data;

haproxy.spec

@@ -5,7 +5,7 @@
 
 Name:             haproxy
 Version:          2.2.16
-Release:          5
+Release:          9
 Summary:          The Reliable, High Performance TCP/HTTP Load Balancer
 
 License:          GPLv2+
@@ -21,6 +21,11 @@ Patch0002:        CVE-2022-0711.patch
 Patch0003:        CVE-2023-25725.patch
 Patch0004:        CVE-2023-0056.patch
 Patch0005:        CVE-2023-40225.patch
+Patch0006:        CVE-2023-0836.patch
+# https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6
+Patch0007:        CVE-2023-45539.patch
+Patch0008:        backport-BUG-MINOR-server-source-interface-ignored-from-defau.patch
+Patch0009:        backport-CVE-2025-32464.patch
 
 BuildRequires:    gcc lua-devel pcre-devel zlib-devel openssl-devel systemd-devel systemd-units libatomic
 Requires:         %{name}-help = %{version}-%{release}
@@ -128,6 +133,24 @@ exit 0
 %{_mandir}/man1/*
 
 %changelog
+* Tue Apr 29 2025 xinghe <xinghe2@h-partners.com> - 2.2.16-9
+- Type:cves
+- CVE:CVE-2025-32464
+- SUG:NA
+- DESC:fix CVE-2025-32464
+
+* Mon Jun 24 2024 xinghe <xinghe2@h-partners.com> - 2.2.16-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:server: 'source' interface ignored from 'default-server' directive
+
+* Wed Dec 06 2023 yaoxin <yao_xin001@hoperun.com> - 2.2.16-7
+- Fix CVE-2023-45539
+
+* Fri Dec 1 2023 liningjie <liningjie@xfusion.com> - 2.2.16-6
+- Fix CVE-2023-0836
+
 * Mon Aug 21 2023 wangkai <wang_kai001@hoperun.com> - 2.2.16-5
 - Fix CVE-2023-40225
 
@@ -143,7 +166,7 @@ exit 0
 * Wed Sep 1 2021 yaoxin <yaoxin30@huawei.com> - 2.2.16-1
 - Upgrade 2.2.16 to fix CVE-2021-39240-to-CVE-2021-39242
 
-* Thu Fri 13 2021 xu_ping <xuping33@huawei.com> - 2.2.1-1
+* Thu May 13 2021 xu_ping <xuping33@huawei.com> - 2.2.1-1
 - update to 2.2.1
 
 * Thu Nov 05 2020 leiju <leiju4@huawei.com> - 2.0.14-2