CVE request: haproxy trash buffer overflow flaw

[Vincent Danen <vdanen () redhat com>]

Could a CVE be assigned to this flaw please?

A flaw was reported in HAProxy where, due to a boundary error when
copying data into the trash buffer, an external attacker could cause a
buffer overflow.  Exploiting this flaw could lead to the execution of
arbitrary code, however it requires non-default settings for the
global.tune.bufsize configuration option (must be set to a value greater
than the default), and also that header rewriting is enabled (via, for
example, the regrep or rsprep directives).

This flaw is reported against 1.4.20, prior versions may also be
affected.  This has been fixed upstream in version 1.4.21 and in git.

References:

https://secunia.com/advisories/49261/
http://haproxy.1wt.eu/download/1.4/src/CHANGELOG
http://haproxy.1wt.eu/git?p=haproxy-1.4.git;a=commit;h=30297cb17147a8d339eb160226bcc08c91d9530b
https://bugzilla.redhat.com/show_bug.cgi?id=824542

--
Vincent Danen / Red Hat Security Response Team