diff --git a/1-bugfix-for-CVE-2025-11230.patch b/1-bugfix-for-CVE-2025-11230.patch new file mode 100644 index 0000000000000000000000000000000000000000..bb76eb7cfef24175c7c8198d34063572cff95d10 --- /dev/null +++ b/1-bugfix-for-CVE-2025-11230.patch @@ -0,0 +1,82 @@ +From 06675db4bf234ed17e14305f1d59259d2fe78b06 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Mon, 29 Sep 2025 18:34:11 +0200 +Subject: [PATCH] BUG/CRITICAL: mjson: fix possible DoS when parsing numbers + +Mjson comes with its own strtod() implementation for portability +reasons and probably also because many generic strtod() versions as +provided by operating systems do not focus on resource preservation +and may call malloc(), which is not welcome in a parser. + +The strtod() implementation used here apparently originally comes from +https://gist.github.com/mattn/1890186 and seems to have purposely +omitted a few parts that were considered as not needed in this context +(e.g. skipping white spaces, or setting errno). But when subject to the +relevant test cases of the designated file above, the current function +provides the same results. + +The aforementioned implementation uses pow() to calculate exponents, +but mjson authors visibly preferred not to introduce a libm dependency +and replaced it with an iterative loop in O(exp) time. The problem is +that the exponent is not bounded and that this loop can take a huge +amount of time. There's even an issue already opened on mjson about +this: https://github.com/cesanta/mjson/issues/59. In the case of +haproxy, fortunately, the watchdog will quickly stop a runaway process +but this remains a possible denial of service. + +A first approach would consist in reintroducing pow() like in the +original implementation, but if haproxy is built without Lua nor +51Degrees, -lm is not used so this will not work everywhere. + +Anyway here we're dealing with integer exponents, so an easy alternate +approach consists in simply using shifts and squares, to compute the +exponent in O(log(exp)) time. Not only it doesn't introduce any new +dependency, but it turns out to be even faster than the generic pow() +(85k req/s per core vs 83.5k on the same machine). + +This must be backported as far as 2.4, where mjson was introduced. + +Many thanks to Oula Kivalo for reporting this issue. + +CVE-2025-11230 was assigned to this issue. +--- + src/mjson.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/mjson.c b/src/mjson.c +index 73b7a5797f8fb..2a4106bbd831e 100644 +--- a/src/mjson.c ++++ b/src/mjson.c +@@ -767,11 +767,13 @@ static double mystrtod(const char *str, char **end) { + + /* exponential part */ + if ((*p == 'E') || (*p == 'e')) { ++ double exp, f; + int i, e = 0, neg = 0; + p++; + if (*p == '-') p++, neg++; + if (*p == '+') p++; + while (is_digit(*p)) e = e * 10 + *p++ - '0'; ++ i = e; + if (neg) e = -e; + #if 0 + if (d == 2.2250738585072011 && e == -308) { +@@ -785,8 +787,16 @@ static double mystrtod(const char *str, char **end) { + goto done; + } + #endif +- for (i = 0; i < e; i++) d *= 10; +- for (i = 0; i < -e; i++) d /= 10; ++ /* calculate f = 10^i */ ++ exp = 10; ++ f = 1; ++ while (i > 0) { ++ if (i & 1) f *= exp; ++ exp *= exp; ++ i >>= 1; ++ } ++ if (e > 0) d *= f; ++ else if (e < 0) d /= f; + a = p; + } else if (p > str && !is_digit(*(p - 1))) { + a = str; diff --git a/haproxy.spec b/haproxy.spec index 851bd1ca814039600ded073568a3364f692cdbcb..04e10f772e8564d3ab181372b0f974597beba0e5 100644 --- a/haproxy.spec +++ b/haproxy.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 %define haproxy_user haproxy %define haproxy_group %{haproxy_user} %define haproxy_homedir %{_localstatedir}/lib/haproxy @@ -26,6 +26,9 @@ Source6: halog.1 # https://git.haproxy.org/?p=haproxy-3.0.git;a=patch;h=ee1a64c2a04cc2cb38efb7e44f7ea7386d627bf6 Patch0: FIX-CVE-2025-32464.patch +# https://github.com/haproxy/haproxy/commit/06675db4bf234ed17e14305f1d59259d2fe78b06.patch +Patch1: 1-bugfix-for-CVE-2025-11230.patch + BuildRequires: gcc BuildRequires: lua-devel BuildRequires: pcre2-devel @@ -149,6 +152,9 @@ done %doc README %changelog +* Wed Nov 12 2025 tomcruiseqi - 3.0.5-3 +- Fix CVE-2025-11230 + * Fri Oct 17 2025 zjl02254423 - - 3.0.5-2 - add patch to fix CVE-2025-32464