Bug 1119419 - (CVE-2018-20103) VUL-0: CVE-2018-20103: haproxy: Infinite recursion via crafted packet allows stack exhaustion and denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Kristoffer Gronlund
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/220677/
Reported: 2018-12-13 14:57 UTC by Alexandros Toptsoglou
Modified: 2021-04-19 09:25 UTC (History)

Found By: Security Response Team
Description Alexandros Toptsoglou 2018-12-13 14:57:35 UTC
rh#1658876

An issue was discovered in dns.c in HAProxy through 1.8.14. In the case of a compressed pointer, a crafted packet can trigger infinite recursion by making the pointer point to itself, or create a long chain of valid pointers resulting in stack exhaustion.

Upstream Patch:
http://git.haproxy.org/?p=haproxy.git;a=commit;h=58df5aea

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1658876
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20103
http://www.cvedetails.com/cve/CVE-2018-20103/
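The description above covers the two shapes of crafted packet: a compression pointer whose 14-bit offset is its own position, and a long chain of pointers that are each individually valid. The following is an added illustrative example written for this page; it is not HAProxy's dns.c and does not reproduce the upstream patch. It shows an iterative name decoder that rejects both shapes, using two rules chosen for the example (a pointer must refer to an offset strictly before itself, and no more than DNS_MAX_PTR_HOPS pointers are followed per name), together with constructed packets for the normal case, the self-pointer, a two-pointer cycle, and a long chain of backward pointers. The buffer sizes, constants and function names are assumptions, not anything from the project.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME     255  /* RFC 1035 limit on a name in presentation form */
#define DNS_MAX_PTR_HOPS 16   /* assumption for this example: pointers followed per name */

/*
 * Decode the DNS name starting at offset `pos` of `pkt` into dotted form.
 * Returns the number of bytes the name occupies at `pos` (a pointer is two
 * bytes and ends the on-the-wire encoding), or -1 if the name is malformed.
 *
 * The loop is iterative, so following pointers never grows the stack, and
 * it terminates because every pointer must refer to an offset strictly
 * before the pointer itself (a pointer to itself, or any cycle, is rejected)
 * and at most DNS_MAX_PTR_HOPS pointers are followed.
 */
int dns_read_name_safe(const uint8_t *pkt, size_t pktlen, size_t pos,
                       char *out, size_t outlen)
{
    size_t rd = pos, outpos = 0, consumed = 0;
    int jumped = 0, hops = 0;

    if (outlen == 0)
        return -1;
    for (;;) {
        if (rd >= pktlen)
            return -1;                      /* ran off the end of the packet */
        uint8_t len = pkt[rd];
        if ((len & 0xC0) == 0xC0) {         /* 14-bit compression pointer */
            if (rd + 1 >= pktlen)
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[rd + 1];
            if (!jumped) {
                consumed = rd + 2 - pos;    /* the encoded name ends at its first pointer */
                jumped = 1;
            }
            if (target >= rd)
                return -1;                  /* self-pointer or forward pointer: loop risk */
            if (++hops > DNS_MAX_PTR_HOPS)
                return -1;                  /* chain of otherwise valid pointers too long */
            rd = target;
            continue;
        }
        if (len & 0xC0)
            return -1;                      /* label types 0x40 and 0x80 are reserved */
        if (len == 0) {                     /* root label terminates the name */
            if (!jumped)
                consumed = rd + 1 - pos;
            break;
        }
        if (rd + 1 + len > pktlen)
            return -1;                      /* label runs past the packet */
        if (outpos + 1 + len + 1 > outlen)
            return -1;                      /* dot + label + NUL must fit in out */
        if (outpos)
            out[outpos++] = '.';
        memcpy(out + outpos, pkt + rd + 1, len);
        outpos += len;
        rd += 1 + len;
    }
    out[outpos] = '\0';
    return (int)consumed;
}

/* Constructed packet: "www.example.com" at offset 0, then at offset 17 the
 * label "ns" followed by a pointer to offset 4, i.e. "example.com". */
static const uint8_t sample_normal[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    2,'n','s', 0xC0, 0x04
};

/* Returns 1 when the compressed name at offset 17 decodes as expected. */
int check_normal(void)
{
    char name[DNS_MAX_NAME + 1];
    int n = dns_read_name_safe(sample_normal, sizeof sample_normal, 17,
                               name, sizeof name);
    return n == 5 && strcmp(name, "ns.example.com") == 0;
}

/* Constructed crafted packet: a pointer whose target is itself (0xC000 at offset 0). */
int check_self_pointer(void)
{
    static const uint8_t pkt[] = { 0xC0, 0x00 };
    char name[DNS_MAX_NAME + 1];
    return dns_read_name_safe(pkt, sizeof pkt, 0, name, sizeof name);
}

/* Constructed crafted packet: two pointers that refer to each other. */
int check_pointer_cycle(void)
{
    static const uint8_t pkt[] = { 0xC0, 0x02, 0xC0, 0x00 };
    char name[DNS_MAX_NAME + 1];
    return dns_read_name_safe(pkt, sizeof pkt, 2, name, sizeof name);
}

/* Constructed packet: a root label at offset 0 followed by 64 pointers, each
 * pointing at the previous one. Decoding the pointer at index hops-1 follows
 * exactly `hops` valid backward pointers before reaching the root (1 <= hops <= 64). */
int check_long_chain(int hops)
{
    uint8_t pkt[1 + 2 * 64];
    char name[DNS_MAX_NAME + 1];
    pkt[0] = 0;
    for (int k = 0; k < 64; k++) {
        size_t prev = (k == 0) ? 0 : (size_t)(2 * (k - 1) + 1);
        pkt[2 * k + 1] = (uint8_t)(0xC0 | (prev >> 8));
        pkt[2 * k + 2] = (uint8_t)(prev & 0xFF);
    }
    return dns_read_name_safe(pkt, sizeof pkt, (size_t)(2 * (hops - 1) + 1),
                              name, sizeof name);
}

int main(void)
{
    printf("normal compressed name: %s\n", check_normal() ? "ok" : "FAIL");
    printf("self-pointer rejected: %s\n", check_self_pointer() == -1 ? "ok" : "FAIL");
    printf("pointer cycle rejected: %s\n", check_pointer_cycle() == -1 ? "ok" : "FAIL");
    printf("6-hop chain accepted: %s\n", check_long_chain(6) == 2 ? "ok" : "FAIL");
    printf("40-hop chain rejected: %s\n", check_long_chain(40) == -1 ? "ok" : "FAIL");
    return 0;
}
```

The backward-only rule alone already guarantees termination, since the read offset strictly decreases on every hop; the hop cap is a second, independent bound that also limits the CPU an attacker can burn with a long but well-formed chain. A recursive decoder without either check is the shape that the crafted packets in the description turn into a stack exhaustion.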
Comment 1 Alexandros Toptsoglou 2018-12-13 15:08:23 UTC
After an investigation it was found that: 

The file dns.c was first introduced in version 1.6.0 (commit 325137d60).

The vulnerable function dns_read_name was introduced in version 1.7.0 with commit c1ce5f358.

Thus SLE 15 is affected!

In 1.6.0 the logic of the code was different; various checks were performed without the use of the vulnerable function. But inside the dns_validate_dns_response function many checks take place which may trigger the same bug.

Thus, regarding SLE12SP2 further analysis will take place. I have already contacted both the maintainer and the person who reported the issue asking for further information or a reproducer. 

The issue is fixed from version 1.8.15 onwards.
Comment 2 Alexandros Toptsoglou 2018-12-13 15:32:06 UTC
It was communicated by upstream that 1.6.0 is not affected. 

Thus SLE12SP2 is not affected!
Comment 4 Kristoffer Gronlund 2018-12-18 09:33:46 UTC
Fixes have been submitted for all affected releases.
Comment 6 Swamp Workflow Management 2019-01-10 20:17:05 UTC
SUSE-SU-2019:0061-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1119368,1119419
CVE References: CVE-2018-20102,CVE-2018-20103
Sources used:
SUSE Linux Enterprise High Availability 15 (src):    haproxy-1.8.15~git0.6b6a350a-3.6.2
Comment 7 Swamp Workflow Management 2019-01-12 02:14:44 UTC
openSUSE-SU-2019:0044-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1119368,1119419
CVE References: CVE-2018-20102,CVE-2018-20103
Sources used:
openSUSE Leap 15.0 (src):    haproxy-1.8.15~git0.6b6a350a-lp150.2.6.1