From e85275f8cb6f60b7eed232f77731dd7891f9068c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 05 Feb 2019 07:55:08 +0000
Subject: [PATCH] import rh-haproxy18-haproxy-1.8.4-4.el7

---
 SOURCES/0003-BUG-CRITICAL-fix-handling-priority-flag-HTTP2-decoder.patch |   46 ++++++++++++++++++++++++++++++++++++++++++++++
 SPECS/haproxy.spec                                                       |    9 +++++++--
 2 files changed, 53 insertions(+), 2 deletions(-)

diff --git a/SOURCES/0003-BUG-CRITICAL-fix-handling-priority-flag-HTTP2-decoder.patch b/SOURCES/0003-BUG-CRITICAL-fix-handling-priority-flag-HTTP2-decoder.patch
new file mode 100644
index 0000000..c36c7d8
--- /dev/null
+++ b/SOURCES/0003-BUG-CRITICAL-fix-handling-priority-flag-HTTP2-decoder.patch
@@ -0,0 +1,46 @@
+From 9c2cb57513ac8cc826e9b849fb506587309e12b1 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Mon, 31 Dec 2018 07:41:24 +0100
+Subject: [PATCH] BUG/CRITICAL: mux-h2: re-check the frame length when PRIORITY
+ is used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Tim Düsterhus reported a possible crash in the H2 HEADERS frame decoder
+when the PRIORITY flag is present. A check is missing to ensure the 5
+extra bytes needed with this flag are actually part of the frame. As per
+RFC7540#4.2, let's return a connection error with code FRAME_SIZE_ERROR.
+
+Many thanks to Tim for responsibly reporting this issue with a working
+config and reproducer. This issue was assigned CVE-2018-20615.
+
+This fix must be backported to 1.9 and 1.8.
+
+(cherry picked from commit a01f45e3ced23c799f6e78b5efdbd32198a75354)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+(cherry picked from commit ce376ea771ad5484cf0c7559c59e7ea807733df6)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ src/mux_h2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/mux_h2.c b/src/mux_h2.c
+index 7bb51ea4..8fe56233 100644
+--- a/src/mux_h2.c
++++ b/src/mux_h2.c
+@@ -2643,6 +2643,11 @@ static int h2_frt_decode_headers(struct h2s *h2s, struct buffer *buf, int count)
+ 			return 0;//goto fail_stream;
+ 		}
+ 
++		if (flen < 5) {
++			h2c_error(h2c, H2_ERR_FRAME_SIZE_ERROR);
++			goto fail;
++		}
++
+ 		hdrs += 5; // stream dep = 4, weight = 1
+ 		flen -= 5;
+ 	}
+-- 
+2.19.1
+
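Review bot: The new `flen < 5` guard is placed after the block ending in `return 0;//goto fail_stream;`, so anything that block reads from `hdrs` happens before the frame length is validated. That block starts outside the hunk; if it inspects the 4-byte stream dependency (as the `// stream dep = 4, weight = 1` comment suggests), a frame shorter than 5 bytes would have bytes beyond its payload examined first and could be rejected with a different error code than FRAME_SIZE_ERROR. Moving the guard to the top of the PRIORITY branch, ahead of any access to `hdrs`, would make the length check cover every read. The new path also exits with `goto fail;` while its neighbour uses `return 0;`; the `fail` label lies outside the hunk, so confirm that it does the cleanup intended for a connection-level error.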
diff --git a/SPECS/haproxy.spec b/SPECS/haproxy.spec
index 5adda2c..8811348 100644
--- a/SPECS/haproxy.spec
+++ b/SPECS/haproxy.spec
@@ -17,7 +17,7 @@
 
 Name:           %{?scl_prefix}haproxy
 Version:        1.8.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        TCP/HTTP proxy and load balancer for high availability environments
 
 Group:          System Environment/Daemons
@@ -33,6 +33,7 @@
 
 Patch1: 0001-BUG-CRITICAL-h2-fix-incorrect-frame-length-check.patch
 Patch2: 0002-BUG-CRITICAL-hpack-fix-improper-sign-check-header-index.patch
+Patch3: 0003-BUG-CRITICAL-fix-handling-priority-flag-HTTP2-decoder.patch
 
 BuildRequires:  pcre-devel
 BuildRequires:  zlib-devel
@@ -72,6 +73,7 @@
 %setup -q -n %{pkg_name}-%{version}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 regparm_opts=
@@ -203,8 +205,11 @@
 %endif
 
 %changelog
+* Mon Jan 14 2019 Ryan O'Hara <rohara@redhat.com> - 1.8.4-4
+- Fix handling of priority flag in HTTP2 decoder (#1663083)
+
 * Wed Sep 19 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.4-3
-- Fix improper sign check on the header index value (#1630502)
+- Fix improper sign check on the header index value (#1630503)
 
 * Tue May 01 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.4-2
 - Fix incorrect HTTP/2 frame length check (#1569808)

--
Gitblit v1.8.0