715944 – (CVE-2020-11100) <net-proxy/haproxy-{2.0.13,2.1.4}: hpack_dht_insert (hpack-tbl.c) allows possible remote code execution (CVE-2020-11100)

Bug 715944 (CVE-2020-11100) - <net-proxy/haproxy-{2.0.13,2.1.4}: hpack_dht_insert (hpack-tbl.c) allows possible remote code execution (CVE-2020-11100)

Summary: <net-proxy/haproxy-{2.0.13,2.1.4}: hpack_dht_insert (hpack-tbl.c) allows poss...

Status:	RESOLVED FIXED

Alias:	CVE-2020-11100

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://www.mail-archive.com/haproxy@...
Whiteboard:	B2 [glsa+ cve]
Keywords:

Depends on:	668002
Blocks:
	Show dependency tree

Reported:	2020-04-02 19:12 UTC by Sam James
Modified:	2021-04-05 00:07 UTC (History)
CC List:	3 users (show)

See Also:	CVE-2019-19330
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-04-02 19:12:15 UTC

Description:
"In hpack_dht_insert in hpack-tbl.c in the HPACK decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution."

Patch: https://git.haproxy.org/?p=haproxy.git;a=commit;h=5dfc5d5cd0d2128d77253ead3acf03a421ab5b88

Announcement: https://www.mail-archive.com/haproxy@formilux.org/msg36876.html

Comment 1 Christian Ruppert (idl0r) gentoo-dev

2020-04-03 07:15:08 UTC

2.0.13 and 2.1.4 have been added already and can be stabilized IMO

Comment 2 Sam James archtester

2020-04-05 22:17:11 UTC

@maintainer: thanks!

@arches, please stabilise.

Comment 3 Sam James archtester

2020-04-05 22:23:37 UTC

(ppc blocked on bug 668002).

Comment 4 Agostino Sarubbo gentoo-dev

2020-04-07 10:32:57 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-04-08 09:49:05 UTC

arm stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-04-14 12:33:03 UTC

x86 stable

Comment 7 Matt Turner gentoo-dev

2020-05-23 19:19:51 UTC

ppc stable. All arches stable.

Comment 8 NATTkA bot gentoo-dev

2020-05-23 19:20:48 UTC Comment hidden (obsolete)

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 9 Sam James archtester

2020-05-23 22:37:22 UTC

@maintainer(s), please cleanup

Comment 10 John Helmert III archtester

2020-07-30 06:00:20 UTC

Ping. Please cleanup

Comment 11 John Helmert III archtester

2020-10-30 02:16:36 UTC

Maintainer, looks like the last vulnerable version in tree is 1.8.26, if that is affected it needs to be dropped. If not please let us know.

Comment 12 NATTkA bot gentoo-dev

2020-12-10 19:57:08 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: =net-proxy/haproxy-2.0.14

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2020-12-24 14:17:06 UTC

This issue was resolved and addressed in
 GLSA 202012-22 at https://security.gentoo.org/glsa/202012-22
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-24 14:19:39 UTC

Re-opening for cleanup.

Comment 15 NATTkA bot gentoo-dev

2021-04-01 20:13:13 UTC

Unable to check for sanity:

> no match for package: =net-proxy/haproxy-2.0.14

Comment 16 Christian Ruppert (idl0r) gentoo-dev

2021-04-03 09:53:32 UTC

There should be no version left that's affected by this bug.

Comment 17 John Helmert III archtester

2021-04-05 00:06:56 UTC

Cleanup done, all done.