[arch-security] [ASA-201507-3] haproxy: information leakage

Remi Gacogne rgacogne at archlinux.org
Sat Jul 4 13:00:17 UTC 2015


Arch Linux Security Advisory ASA-201507-3
=========================================

Severity: High
Date    : 2015-07-04
CVE-ID  : CVE-2015-3281
Package : haproxy
Type    : information leakage
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package haproxy before version 1.5.14-1 is vulnerable to information
leakage.

Resolution
==========

Upgrade to 1.5.14-1.

# pacman -Syu "haproxy>=1.5.14-1"

The problem has been fixed upstream in version 1.5.14.

Workaround
==========

None.

Description
===========

A vulnerability was found in the handling of HTTP pipelining. In some
cases, a client might be able to cause a buffer alignment issue and
retrieve uninitialized memory contents that exhibit data from a past
request or session.

With the proper timing and by requesting files of specific sizes from
the backend servers in HTTP pipelining mode, one can trigger a call to a
buffer alignment function which was not designed to work with pending
output data. The effect is that the output data pointer points to the
wrong location in the buffer, causing corruption on the client. It's
more visible with chunked encoding and compressed bodies because the
client cannot parse the response, but with a regular content-length
body, the client will simply retrieve corrupted contents. That is not the
worst problem, in fact, since pipelining is disabled in most clients.
The real problem is that it sometimes allows the client to retrieve data
from a previous session that remains in the buffer at the location where
the output pointer now lies. It is therefore an information leak vulnerability.
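As an added illustration of the bug class described above, not haproxy's code or the upstream fix: a constructed ring-buffer model in which a realign routine that ignores pending output data exposes bytes left over from an earlier session, next to a variant that preserves them. The names (`buf_out`, `realign_vulnerable`, `realign_fixed`, `realign_outcome`), the buffer size and the sample bytes are assumptions of this model.

```c
#include <string.h>
#define BUF_SIZE 64

/* Toy channel buffer (constructed model, not haproxy's code): `o` pending output
 * bytes sit just before `p`, wrapping around the end; `i` input bytes start at `p`. */
struct buffer { char data[BUF_SIZE]; char *p; size_t o, i; };

/* Start of the pending output, honouring the ring wrap-around. */
static char *buf_out(struct buffer *b) {
    size_t off = (size_t)(b->p - b->data);
    return b->data + (off + BUF_SIZE - b->o) % BUF_SIZE;
}

/* Constructed state: every byte still holds 'S' from a previous session; a new
 * session queues "RESP1" for the client and a pipelined "GET /2" sits behind it. */
static void setup(struct buffer *b) {
    memset(b->data, 'S', BUF_SIZE);
    memcpy(b->data + 15, "RESP1", 5);
    memcpy(b->data + 20, "GET /2", 6);
    b->p = b->data + 20; b->o = 5; b->i = 6;
}

/* Broken realign: moves only the input to the front and ignores the output
 * before `p`, so buf_out() now wraps onto stale bytes at the tail. */
static void realign_vulnerable(struct buffer *b) {
    memmove(b->data, b->p, b->i);
    b->p = b->data;
}

/* Hardened realign (one correct design, not the upstream patch): save the output,
 * move the input to the front, then park the output at the tail so that p - o
 * wraps onto it. Assumes the output does not straddle the end of the buffer. */
static void realign_fixed(struct buffer *b) {
    char tmp[BUF_SIZE];
    memcpy(tmp, buf_out(b), b->o);
    memmove(b->data, b->p, b->i);
    memcpy(b->data + BUF_SIZE - b->o, tmp, b->o);
    b->p = b->data;
}

/* Runs the scenario through one realign: 1 if the client would get "RESP1" with
 * the pipelined request intact, 2 if it would get the old session's 'S' bytes. */
static int realign_outcome(int use_fixed) {
    struct buffer b;
    setup(&b);
    if (use_fixed) realign_fixed(&b); else realign_vulnerable(&b);
    if (memcmp(buf_out(&b), "RESP1", 5) == 0 && memcmp(b.p, "GET /2", 6) == 0)
        return 1;
    return memcmp(buf_out(&b), "SSSSS", 5) == 0 ? 2 : 0;
}
```

In the model the broken path returns 2: the five bytes the client would receive are the previous session's leftovers, which is exactly the leak the advisory describes, while the hardened path returns 1.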

Impact
======

A remote unauthenticated attacker can retrieve sensitive information
from a previous session by sending crafted HTTP requests.

References
==========

http://marc.info/?l=haproxy&m=143593901506748&w=2
http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff;h=7ec765568883b2d4e5a2796adbeb492a22ec9bd4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3281
