Hello community,

here is the log from the commit of package frr for openSUSE:Factory checked in 
at 2022-09-07 11:05:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/frr (Old)
 and      /work/SRC/openSUSE:Factory/.frr.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "frr"

Wed Sep  7 11:05:55 2022 rev:20 rq:1001516 version:8.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/frr/frr.changes  2022-03-21 20:11:54.296433027 
+0100
+++ /work/SRC/openSUSE:Factory/.frr.new.2083/frr.changes        2022-09-07 
11:06:04.976413589 +0200
@@ -1,0 +2,11 @@
+Mon Sep  5 11:48:25 UTC 2022 - Marius Tomaschewski <m...@suse.com>
+
+- Apply upstream fix for out-of-bounds read in the BGP daemon
+  that may lead to information disclosure or denial of service
+  (bsc#1202023,CVE-2022-37032)
+  [+ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch]
+- Apply upstream fix for a memory leak in the IS-IS daemon that
+  may lead to server memory exhaustion (bsc#1202022,CVE-2019-25074)
+  [+ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
+
+-------------------------------------------------------------------
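Review bot: the CVE-2019-25074 reference on the second (IS-IS) entry is not carried by the patch it names. The References: line in 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch lists only bsc#1202022, while the 0007 header lists both bsc#1202023 and CVE-2022-37032. Add the CVE to the 0008 patch header so the changelog and the patch metadata agree for tracking.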

New:
----
  0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
  0008-isisd-Ensure-rcap-is-freed-in-error-case.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ frr.spec ++++++
--- /var/tmp/diff_new_pack.EAxiuY/_old  2022-09-07 11:06:05.552415053 +0200
+++ /var/tmp/diff_new_pack.EAxiuY/_new  2022-09-07 11:06:05.556415062 +0200
@@ -45,6 +45,8 @@
 Patch4:         0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
 Patch5:         0005-isisd-fix-router-capability-TLV-parsing-issues.patch
 Patch6:         0006-isisd-fix-10505-using-base64-encoding.patch
+Patch7:         0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
+Patch8:         0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@@ -191,6 +193,8 @@
 %patch5 -p1
 gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 %build
 # GCC LTO objects must be "fat" to avoid assembly errors

++++++ 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch ++++++
>From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
From: Donald Sharp <sha...@nvidia.com>
Date: Thu, 21 Jul 2022 08:11:58 -0400
Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
 expected
References: bsc#1202023,CVE-2022-37032
Upstream: yes

Ensure that if the capability length specified is enough data.

Signed-off-by: Donald Sharp <sha...@nvidia.com>

diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index dbf6c0b2e9..45752a8ab6 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, 
uint8_t *pnt,
                                "%s CAPABILITY has action: %d, code: %u, length 
%u",
                                peer->host, action, hdr->code, hdr->length);
 
+               if (hdr->length < sizeof(struct capability_mp_data)) {
+                       zlog_info(
+                               "%pBP Capability structure is not properly 
filled out, expected at least %zu bytes but header length specified is %d",
+                               peer, sizeof(struct capability_mp_data),
+                               hdr->length);
+                       return BGP_Stop;
+               }
+
                /* Capability length check. */
                if ((pnt + hdr->length + 3) > end) {
                        zlog_info("%s Capability length error", peer->host);
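Review bot: the new zlog_info() formats hdr->length with %d, while the debug line directly above it formats the same field with %u; use %u here as well so the logged value is printed as unsigned in both places. Separately, the minimum-length test against sizeof(struct capability_mp_data) runs before hdr->code is examined in the lines shown, so it is worth confirming that every capability code reaching this point is expected to carry at least that much data. A short comment above the new check, in the style of the existing "Capability length check." comment, would document why this lower bound has to hold before the existing upper-bound test on pnt + hdr->length + 3.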
-- 
2.35.3


++++++ 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch ++++++
>From 49efc80d342d8e8373c8af040580bd7940808730 Mon Sep 17 00:00:00 2001
From: Donald Sharp <sha...@nvidia.com>
Date: Wed, 20 Jul 2022 16:49:09 -0400
Subject: [PATCH] isisd: Ensure rcap is freed in error case
References: bsc#1202022
Upstream: yes

unpack_tlv_router_cap allocates memory that in the error
case is not being freed.

Signed-off-by: Donald Sharp <sha...@nvidia.com>

diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
index 11be3c3a71..b3c3fd4b0b 100644
--- a/isisd/isis_tlvs.c
+++ b/isisd/isis_tlvs.c
@@ -3580,9 +3580,9 @@ static int pack_tlv_router_cap(const struct 
isis_router_cap *router_cap,
 }
 
 static int unpack_tlv_router_cap(enum isis_tlv_context context,
-                                      uint8_t tlv_type, uint8_t tlv_len,
-                                      struct stream *s, struct sbuf *log,
-                                      void *dest, int indent)
+                                uint8_t tlv_type, uint8_t tlv_len,
+                                struct stream *s, struct sbuf *log, void *dest,
+                                int indent)
 {
        struct isis_tlvs *tlvs = dest;
        struct isis_router_cap *rcap;
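Review bot: the re-indentation of the unpack_tlv_router_cap() parameter list is a whitespace-only change unrelated to the leak fix named in the subject. In a security backport it enlarges the diff and raises the chance of conflicts with the earlier isisd patches in this package (Patch5 and Patch6 touch the same TLV code), so consider dropping this hunk from the packaged patch and keeping only the XFREE change.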
@@ -3627,7 +3627,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context 
context,
                                log, indent,
                                "WARNING: Router Capability subTLV length too 
large compared to expected size\n");
                        stream_forward_getp(s, STREAM_READABLE(s));
-
+                       XFREE(MTYPE_ISIS_TLV, rcap);
                        return 0;
                }
 
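Review bot: the XFREE(MTYPE_ISIS_TLV, rcap) is added by hand on this one error return, directly after stream_forward_getp(), and it replaces the blank line that separated the handling from the return. Only this path is visible here, so any other early return between the allocation of rcap and the point where ownership passes to tlvs should be checked for the same leak. Routing all error exits through a single cleanup label that frees rcap would make the function harder to regress.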
-- 
2.35.3
