initial import

haproxy/CVE-2025-32464.patch

@@ -0,0 +1,53 @@
+From 3e3b9eebf871510aee36c3a3336faac2f38c9559 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Mon, 7 Apr 2025 15:30:43 +0200
+Subject: [PATCH] BUG/MEDIUM: sample: fix risk of overflow when replacing
+ multiple regex back-refs
+
+Aleandro Prudenzano of Doyensec and Edoardo Geraci of Codean Labs
+reported a bug in sample_conv_regsub(), which can cause replacements
+of multiple back-references to overflow the temporary trash buffer.
+
+The problem happens when doing "regsub(match,replacement,g)": we're
+replacing every occurrence of "match" with "replacement" in the input
+sample, which requires a length check. For this, a max is applied, so
+that a replacement may not use more than the remaining length in the
+buffer. However, the length check is made on the replaced pattern and
+not on the temporary buffer used to carry the new string. This results
+in the remaining size to be usable for each input match, which can go
+beyond the temporary buffer size if more than one occurrence has to be
+replaced with something that's larger than the remaining room.
+
+The fix proposed by Aleandro and Edoardo is the correct one (check on
+"trash" not "output"), and is the one implemented in this patch.
+
+While it is very unlikely that a config will replace multiple short
+patterns each with a larger one in a request, this possibility cannot
+be entirely ruled out (e.g. mask a known, short IP address using
+"XXX.XXX.XXX.XXX").  However when this happens, the replacement pattern
+will be static, and not be user-controlled, which is why this patch is
+marked as medium.
+
+The bug was introduced in 2.2 with commit 07e1e3c93e ("MINOR: sample:
+regsub now supports backreferences"), so it must be backported to all
+versions.
+
+Special thanks go to Aleandro and Edoardo for reporting this bug with
+a simple reproducer and a fix.
+---
+ src/sample.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sample.c b/src/sample.c
+index 1e2ff7d2ee8e..980c27cb6a50 100644
+--- a/src/sample.c
++++ b/src/sample.c
+@@ -3168,7 +3168,7 @@ static int sample_conv_regsub(const struct arg *arg_p, struct sample *smp, void
+ 		output->data = exp_replace(output->area, output->size, start, arg_p[1].data.str.area, pmatch);
+ 
+ 		/* replace the matching part */
+-		max = output->size - output->data;
++		max = trash->size - trash->data;
+ 		if (max) {
+ 			if (max > output->data)
+ 				max = output->data;

haproxy/PKGBUILD

@@ -0,0 +1,67 @@
+# Maintainer: Jesus E. <heckyel@riseup.net>
+
+pkgname=haproxy
+pkgver=2.4.18
+pkgrel=2
+pkgdesc="Reliable, high performance TCP/HTTP load balancer"
+url='https://www.haproxy.org/'
+arch=('i686' 'x86_64')
+license=('custom:GPL-2+OpenSSL-Linking-Exception')
+depends=('libressl' 'pcre' 'zlib' 'libxcrypt' 'lua')
+backup=('etc/haproxy/haproxy.cfg')
+install=$pkgname.install
+source=(https://www.haproxy.org/download/${pkgver%.*}/src/haproxy-$pkgver.tar.gz
+        use-CFLAGS-and-LDFLAGS-when-building-admin.patch
+        CVE-2025-32464.patch
+        $pkgname.cfg
+        $pkgname.initd
+        $pkgname.run)
+sha512sums=('4362ebf5eef6560adf558a4db596c2a0349dca05ee51e69c60f5e995d364e4f68d3422391fc5286dd8e2e65ce41a459dbbcba01e6f7b5918870b214683922488'
+            'e93315ce4b16c73c44703ea64681629c92adacefb3ac4f7c1bef31bd8e513053489f8790e383e53709d19381856b00134cdcf1e207ec78a7f948c3cf4e03fe9a'
+            '7a9c07d8da8345bc9bca5ede801d5b22dbe264cd94e417ae8dffb06181a50e6ce49bd2a3253cd7cc276d89f98dbb5538fc66e8904a4315bacdc9fe31c677a378'
+            '26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f'
+            '4aa8fc812079baf1d17cf9484a9b44568c3dd94f35243a57a4a7868e7f88146a4e94c80ea8ab86f1b08a524567e269a3ec119b67fc679f6bd0d9f1c70ce4f080'
+            '7cd604d1eb46778eccec8909e5e77484f4fde2fe1a6aac978c756c7095dc3e4d9c255be7632b8b1f75a0b1da0140bc3a4cbf38c6b2ee1414097cbbd3e58c3c74')
+
+prepare() {
+  cd $pkgname-$pkgver
+  patch -p1 <"$srcdir"/use-CFLAGS-and-LDFLAGS-when-building-admin.patch
+  patch -p1 <"$srcdir"/CVE-2025-32464.patch
+}
+
+build() {
+  cd $pkgname-$pkgver
+
+  export CFLAGS="$CFLAGS -fwrapv"
+  make \
+    CFLAGS="$CFLAGS" \
+    LDFLAGS="$LDFLAGS" \
+    CPU=generic \
+    TARGET=linux-glibc \
+    USE_GETADDRINFO=1 \
+    USE_LUA=1 \
+    USE_OPENSSL=1 \
+    USE_PCRE=1 \
+    USE_PCRE_JIT=1 \
+    USE_NS=1 \
+    USE_PROMEX=1 \
+    USE_ZLIB=1
+}
+
+package() {
+  cd $pkgname-$pkgver
+  make \
+    PREFIX="$pkgdir"/usr \
+    DOCDIR="$pkgdir"/usr/share/doc/$pkgname \
+    install
+
+  install -d "$pkgdir"/usr/share/$pkgname
+  cp -r examples "$pkgdir"/usr/share/$pkgname
+
+  install -d "$pkgdir"/var/lib/$pkgname
+  install -Dm755 "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
+  install -Dm755 "$srcdir"/$pkgname.run "$pkgdir"/etc/sv/$pkgname/run
+  install -Dm644 "$srcdir"/$pkgname.cfg "$pkgdir"/etc/$pkgname/$pkgname.cfg
+
+  install -Dm644 LICENSE -t "$pkgdir"/usr/share/licenses/$pkgname
+}

haproxy/haproxy.cfg

@@ -0,0 +1,87 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application.  See the
+# full configuration options online.
+#
+#   http://haproxy.1wt.eu/download/1.5/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+    # to have these messages end up in /var/log/haproxy.log you will
+    # need to:
+    #
+    # 1) configure syslog to accept network log events.  This is done
+    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
+    #    /etc/sysconfig/syslog
+    #
+    # 2) configure local2 events to go to the /var/log/haproxy.log
+    #   file. A line like the following can be added to
+    #   /etc/sysconfig/syslog
+    #
+    #    local2.*                       /var/log/haproxy.log
+    #
+    log         127.0.0.1 local2
+
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+#---------------------------------------------------------------------
+# main frontend which proxys to the backends
+#---------------------------------------------------------------------
+frontend main
+    bind *:5000
+    acl url_static       path_beg       -i /static /images /javascript /stylesheets
+    acl url_static       path_end       -i .jpg .gif .png .css .js
+
+    use_backend static          if url_static
+    default_backend             app
+
+#---------------------------------------------------------------------
+# static backend for serving up images, stylesheets and such
+#---------------------------------------------------------------------
+backend static
+    balance     roundrobin
+    server      static 127.0.0.1:4331 check
+
+#---------------------------------------------------------------------
+# round robin balancing between the various backends
+#---------------------------------------------------------------------
+backend app
+    balance     roundrobin
+    server  app1 127.0.0.1:5001 check
+    server  app2 127.0.0.1:5002 check
+    server  app3 127.0.0.1:5003 check
+    server  app4 127.0.0.1:5004 check
+

haproxy/haproxy.initd

@@ -0,0 +1,54 @@
+#!/sbin/openrc-run
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-proxy/haproxy/files/haproxy.initd-r1,v 1.2 2011/12/04 10:32:32 swegener Exp $
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+command=/usr/sbin/haproxy
+
+CONF=${HAPROXY_CONF:-/etc/haproxy/${SVCNAME}.cfg}
+PIDFILE=/var/run/${SVCNAME}.pid
+
+depend() {
+	need net
+	after firewall
+	use dns logger
+}
+
+checkconfig() {
+	if [ ! -f "${CONF}" ] && [ ! -d "${CONF}" ]; then
+		eerror "${CONF} does not exist!"
+		return 1
+	fi
+
+	ebegin "Checking ${CONF}"
+	$command -q -c -f "${CONF}"
+	eend $?
+}
+
+start() {
+	ebegin "Starting ${SVCNAME}"
+	start-stop-daemon --pidfile "${PIDFILE}" --exec $command \
+		--start -- -D -p "${PIDFILE}" -f "${CONF}"
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping ${SVCNAME}"
+
+	if [ "${RC_CMD}" = "restart" ]; then
+		checkconfig || return 1
+	fi
+
+	start-stop-daemon --stop --pidfile "${PIDFILE}"
+	eend $?
+}
+
+reload() {
+	ebegin "Reloading ${SVCNAME}"
+	checkconfig || { eerror "Reloading failed, please fix your ${CONF} first"; return 1; }
+	$command -D -p "${PIDFILE}" -f "${CONF}" -sf $(cat "${PIDFILE}")
+	eend $?
+}
+

haproxy/haproxy.install

@@ -0,0 +1,23 @@
+post_install() {
+	if ! getent group haproxy &>/dev/null; then
+		groupadd -r haproxy >& /dev/null
+	fi
+ 	if ! getent passwd haproxy &>/dev/null; then
+		useradd -r -d /var/lib/haproxy -g haproxy -s /bin/false haproxy
+	fi
+
+	chown gerbera:gerbera /var/lib/haproxy
+}
+
+post_upgrade() {
+	post_install $1
+}
+
+post_remove() {
+	if getent passwd haproxy &>/dev/null; then
+		userdel haproxy >/dev/null
+	fi
+	if getent group haproxy &>/dev/null; then
+		groupdel haproxy >/dev/null
+	fi
+}

haproxy/haproxy.run

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+haproxy -W -f /etc/haproxy/haproxy.cfg
+exec pause 2>&1

haproxy/use-CFLAGS-and-LDFLAGS-when-building-admin.patch

@@ -0,0 +1,39 @@
+diff --git a/admin/iprange/Makefile b/admin/iprange/Makefile
+index 13598d8..eb89fb9 100644
+--- a/admin/iprange/Makefile
++++ b/admin/iprange/Makefile
+@@ -7,7 +7,7 @@ OBJS     = iprange ip6range
+ all: $(OBJS)
+ 
+ %: %.c
+-	$(CC) $(LDFLAGS) $(OPTIMIZE) -o $@ $^
++	$(CC) $(OPTIMIZE) $(CFLAGS) $(LDFLAGS) -o $@ $^
+ 
+ clean:
+ 	rm -f $(OBJS) *.o *.a *~
+diff --git a/dev/poll/Makefile b/dev/poll/Makefile
+index fdee514..9be926c 100644
+--- a/dev/poll/Makefile
++++ b/dev/poll/Makefile
+@@ -5,7 +5,7 @@ INCLUDE  =
+ OBJS     = poll
+ 
+ poll: poll.c
+-	$(CC) $(OPTIMIZE) $(DEFINE) $(INCLUDE) -o $@ $^
++	$(CC) $(OPTIMIZE) $(CFLAGS) $(LDFLAGS) $(DEFINE) $(INCLUDE) -o $@ $^
+ 
+ clean:
+ 	rm -f $(OBJS) *.[oas] *~
+diff --git a/dev/tcploop/Makefile b/dev/tcploop/Makefile
+index 42a6259..e8a6ff7 100644
+--- a/dev/tcploop/Makefile
++++ b/dev/tcploop/Makefile
+@@ -5,7 +5,7 @@ INCLUDE  =
+ OBJS     = tcploop
+ 
+ tcploop: tcploop.c
+-	$(CC) $(OPTIMIZE) $(DEFINE) $(INCLUDE) -o $@ $^
++	$(CC) $(OPTIMIZE) $(CFLAGS) $(LDFLAGS) $(DEFINE) $(INCLUDE) -o $@ $^
+ 
+ clean:
+ 	rm -f $(OBJS) *.[oas] *~