Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 715944 (CVE-2020-11100)

Summary: <net-proxy/haproxy-{2.0.13,2.1.4}: hpack_dht_insert (hpack-tbl.c) allows possible remote code execution (CVE-2020-11100)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ajak, bertrand, idl0r
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.mail-archive.com/haproxy@formilux.org/msg36876.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=701842
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 668002    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-02 19:12:15 UTC 
Description:
"In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution."

Patch: https://git.haproxy.org/?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88

Announcement: https://www.mail-archive.com/haproxy@formilux.org/msg36876.html
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2020-04-03 07:15:08 UTC 
2.0.13 and 2.1.4 have been added already and can be stabilized IMO
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-05 22:17:11 UTC 
@maintainer: thanks!

@arches, please stabilise.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-05 22:23:37 UTC 
(ppc blocked on bug 668002).
Comment 4 Agostino Sarubbo gentoo-dev 2020-04-07 10:32:57 UTC 
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-04-08 09:49:05 UTC 
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-04-14 12:33:03 UTC 
x86 stable
Comment 7 Matt Turner gentoo-dev 2020-05-23 19:19:51 UTC 
ppc stable. All arches stable.
Comment 8 NATTkA bot gentoo-dev Security 2020-05-23 19:20:48 UTC Comment hidden (obsolete)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-23 22:37:22 UTC 
@maintainer(s), please cleanup
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-07-30 06:00:20 UTC 
Ping. Please cleanup
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-30 02:16:36 UTC 
Maintainer, looks like the last vulnerable version in tree is 1.8.26, if that is affected it needs to be dropped. If not please let us know.
Comment 12 NATTkA bot gentoo-dev Security 2020-12-10 19:57:08 UTC Comment hidden (obsolete)
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-12-24 14:17:06 UTC 
This issue was resolved and addressed in
 GLSA 202012-22 at https://security.gentoo.org/glsa/202012-22
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-24 14:19:39 UTC 
Re-opening for cleanup.
Comment 15 NATTkA bot gentoo-dev Security 2021-04-01 20:13:13 UTC 
Unable to check for sanity:

> no match for package: =net-proxy/haproxy-2.0.14
Comment 16 Christian Ruppert (idl0r) gentoo-dev 2021-04-03 09:53:32 UTC 
There should be no version left that's affected by this bug.
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-05 00:06:56 UTC 
Cleanup done, all done.