Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package frr for openSUSE:Factory checked in at 2022-11-16 15:43:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/frr (Old)
 and      /work/SRC/openSUSE:Factory/.frr.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "frr" Wed Nov 16 15:43:09 2022 rev:21 rq:1035865 version:8.4 Changes: -------- --- /work/SRC/openSUSE:Factory/frr/frr.changes 2022-09-07 11:06:04.976413589 +0200 +++ /work/SRC/openSUSE:Factory/.frr.new.1597/frr.changes 2022-11-16 15:43:15.951810530 +0100 
@@ -1,0 +2,59 @@ +Fri Nov 11 13:04:52 UTC 2022 - Marius Tomaschewski <m...@suse.com> + +- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr + file to vendor specific directory /usr/etc/logrotate.d and added + saving of user changed configuration files in /etc and restoring + them while an RPM update. +- Declare root as sufficient also in the pam account verification; + without vtysh use causes to log a pam frr:account warnings + (https://github.com/FRRouting/frr/pull/12308) + [+ 0005-root-ok-in-account-frr.pam.patch] +- Applied fix removing a not needed backslash causing to log a warning + (https://github.com/FRRouting/frr/pull/12307) + [+ 0004-tools-remove-backslash-from-declare-check-regex.patch] +- Applied upstream fixes for frrinit.sh to avoid a privilege escalation + from frr to root in frr config creation (bsc#1204124,CVE-2022-42917, + https://github.com/FRRouting/frr/pull/12157). + [+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch] +- Removed obsolete patches provided in the 8.4 source archive: + [- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch, + - 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch, + - 0005-isisd-fix-router-capability-TLV-parsing-issues.patch, + - 0006-isisd-fix-10505-using-base64-encoding.patch, + - 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch, + - 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch] +- Update to version 8.4, see https://frrouting.org/release/8.4/ + * New BGP command (neighbor PEER soo) to configure SoO to prevent + routing loops and suboptimal routing on dual-homed sites. + * Command debug bgp allow-martian replaced to bgp allow-martian-nexthop + because previously we allowed using martian next-hops when debug is + turned on. 
+ * Implement BGP Prefix Origin Validation State Extended Community rfc8097 + * Implement Route Leak Prevention and Detection Using Roles in UPDATE + and OPEN Messages rfc9234 + * BMP L3VPN support + * PIMv6 support + * MLD support + * New command to enable using reserved IPv4 ranges as normal addresses + for BGP next-hops, interface addresses, etc. + * As usual, lots of bugs and memory leaks were fixed \m/ + such as a fix for a possible use-after-free due to a race + condition related to bgp_notify_send_with_data() and + bgp_process_packet() in bgp_packet.c. This could lead to + Remote Code Execution or Information Disclosure by sending + crafted BGP packets (CVE-2022-37035,bsc#1202085). +- Update to version 8.3, see https://frrouting.org/release/8.3/ + * Notification Message support for BGP Graceful Restart + * BGP Cease Notification Subcode For BFD + * Send Hold Timer for BGP + * RFC5424 syslog support + * PIM passive command +- Update to version 8.2.2, see https://frrouting.org/release/8.2.2/ + * BGP Long-lived graceful restart capability + * BGP Extended Optional Parameters Length for BGP OPEN Message + * BGP Extended BGP Administrative Shutdown Communication + * IS-IS Link State Traffic Engineering support + * OSPFv3 Support for NSSA Type-7 address ranges + * PBR VLAN actions support + +------------------------------------------------------------------- Old: ---- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch 0005-isisd-fix-router-capability-TLV-parsing-issues.patch 0006-isisd-fix-10505-using-base64-encoding.patch 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch frr-8.1.tar.gz New: ---- 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch 0004-tools-remove-backslash-from-declare-check-regex.patch 0005-root-ok-in-account-frr.pam.patch frr-8.4.tar.gz 
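Review bot: two lines of the changelog hunk read awkwardly and should be tidied before submission: `+  without vtysh use causes to log a pam frr:account warnings` (presumably "without it, vtysh use logs pam frr:account warnings") and `+  them while an RPM update.` ("during an RPM update"). The same entry describes 0003 as "Applied upstream fixes", while the patch header later in this request still carries `Upstream: submitted`; align the two once https://github.com/FRRouting/frr/pull/12157 is actually merged.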
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ frr.spec ++++++ --- /var/tmp/diff_new_pack.kbq9ap/_old 2022-11-16 15:43:17.403815794 +0100 +++ /var/tmp/diff_new_pack.kbq9ap/_new 2022-11-16 15:43:17.407815808 +0100 @@ -30,23 +30,20 @@ %define frr_daemondir %{_prefix}/lib/frr Name: frr -Version: 8.1 +Version: 8.4 Release: 0 Summary: FRRouting Routing daemon License: GPL-2.0-or-later AND LGPL-2.1-or-later Group: Productivity/Networking/System URL: https://www.frrouting.org #Git-Clone: https://github.com/FRRouting/frr.git -Source: https://github.com/FRRouting/frr/archive/%{name}-%{version}.tar.gz +Source: https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz Source1: %{name}-tmpfiles.d Patch1: 0001-disable-zmq-test.patch Patch2: harden_frr.service.patch -Patch3: 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch -Patch4: 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch -Patch5: 0005-isisd-fix-router-capability-TLV-parsing-issues.patch -Patch6: 0006-isisd-fix-10505-using-base64-encoding.patch -Patch7: 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch -Patch8: 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch +Patch3: 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch +Patch4: 0004-tools-remove-backslash-from-declare-check-regex.patch +Patch5: 0005-root-ok-in-account-frr.pam.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -189,12 +186,7 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 -gzip -d tests/isisd/test_fuzz_isis_tlv_tests.h.gz %patch5 -p1 -gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 %build # GCC LTO objects must be "fat" to avoid assembly errors 
@@ -284,7 +276,11 @@ sed -i -e 's/^\(bgpd_options=\)\(.*\)\(".*\)/\1\2 -M rpki\3/' %{buildroot}%{_sysconfdir}/frr/daemons install -D -m 0644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr +%if 0%{?suse_version} > 1500 +install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_distconfdir}/logrotate.d/frr +%else install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr +%endif install -d -m 0750 %{buildroot}%{rundir} install -d -m 0750 %{buildroot}%{_localstatedir}/log/frr @@ -317,6 +313,20 @@ getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_group} -d %{frr_home} -s /sbin/nologin -c "FRRouting suite" %{frr_user} %service_add_pre %{name}.service +%if 0%{?suse_version} > 1500 +# Prepare for migration to /usr/etc; save any old .rpmsave +for i in logrotate.d/frr ; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||: +done +%endif + +%posttrans +%if 0%{?suse_version} > 1500 +# Migration to /usr/etc, restore just created .rpmsave +for i in logrotate.d/frr ; do + test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||: +done +%endif %post %service_add_post %{name}.service @@ -366,7 +376,11 @@ %config(noreplace) %attr(640,%{frr_user},%{frrvty_group}) %{_sysconfdir}/%{name}/vtysh.conf %config(noreplace) %%attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/daemons %config(noreplace) %{_sysconfdir}/pam.d/frr +%if 0%{?suse_version} > 1500 +%{_distconfdir}/logrotate.d/frr +%else %config(noreplace) %{_sysconfdir}/logrotate.d/frr +%endif %{_infodir}/frr.info%{?ext_info} %{_mandir}/man?/* %{_docdir}/%{name}/html 
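Review bot: the `%pre`/`%posttrans` migration pair relies on rpm leaving a user-modified `/etc/logrotate.d/frr` behind as `.rpmsave` when the old package's `%config(noreplace)` copy is erased, which is exactly what the `%posttrans` loop restores, so the logic holds; an unmodified file is simply removed and the new `%{_distconfdir}` copy takes over. Both `mv -v ... ||:` lines swallow any failure, though, so a restore that does not happen (for instance because something else already sits at the target path) leaves no trace in the transaction log; emitting a warning in the failure branch instead of `:` would make that visible. Adjacent in the `%files` hunk, the untouched context line `%config(noreplace) %%attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/daemons` uses a doubled `%%attr`, unlike the `%attr(...)` on the vtysh.conf line right above it; worth verifying that the 640 frr:frr ownership really lands on the daemons file.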
@@ -389,11 +403,13 @@ %{frr_daemondir}/frr %{frr_daemondir}/frr-reload %{frr_daemondir}/frr-reload.py +%{frr_daemondir}/frr_babeltrace.py %{frr_daemondir}/frrcommon.sh %{frr_daemondir}/frrinit.sh %{frr_daemondir}/isisd %{frr_daemondir}/ldpd %{frr_daemondir}/nhrpd +%{frr_daemondir}/ospfclient.py %{frr_daemondir}/ospf6d %{frr_daemondir}/ospfd %{frr_daemondir}/pathd ++++++ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch ++++++ >From 401053f3ccc7be3a6a976f6f7f1674bdeb3c983e Mon Sep 17 00:00:00 2001 From: Donatas Abraitis <dona...@opensourcerouting.org> Date: Thu, 20 Oct 2022 09:10:22 +0300 References: bsc#1204124,CVE-2022-42917,https://github.com/FRRouting/frr/pull/12157 Upstream: submitted Subject: [PATCH] tools: Run as FRR_USER `install/chown` commands to avoid race conditions This is due to CVE-2022-42917: https://bugzilla.suse.com/show_bug.cgi?id=1204124 install/chown is in most cases (as I tested) is enough, but still, can be racy. Tested on Linux/OpenBSD/NetBSD/FreeBSD, seems a unified way to do this. For Linux `runuser` can be used, but *BSD do not have this command. Proof of concept: ``` % sudo su - frr [sudo] password for donatas: su: warning: cannot change directory to /nonexistent: No such file or directory frr@donatas-laptop:/home/donatas$ cd /etc/frr/ frr@donatas-laptop:/etc/frr$ rm -f zebra.conf; inotifywait -e CREATE .; rm -f zebra.conf; ln -s /etc/shadow zebra.conf Setting up watches. Watches established. ./ CREATE zebra.conf frr@donatas-laptop:/etc/frr$ ls -la zebra.conf lrwxrwxrwx 1 frr frr 11 spal. 20 09:25 zebra.conf -> /etc/shadow frr@donatas-laptop:/etc/frr$ cat zebra.conf cat: zebra.conf: Permission denied frr@donatas-laptop:/etc/frr$ ``` On the other terminal do: ``` /usr/lib/frr/frrinit.sh restart ``` Signed-off-by: Donatas Abraitis <dona...@opensourcerouting.org> diff --git a/tools/frr.in b/tools/frr.in index e9f1122834..5f3f425a1e 100755 --- a/tools/frr.in +++ b/tools/frr.in 
@@ -96,10 +96,10 @@ check_daemon() # check for config file if [ -n "$2" ]; then if [ ! -r "$C_PATH/$1-$2.conf" ]; then - install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1-$2.conf" + su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1-$2.conf\"" fi elif [ ! -r "$C_PATH/$1.conf" ]; then - install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1.conf" + su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1.conf\"" fi fi return 0 @@ -524,7 +524,7 @@ convert_daemon_prios if [ ! -d $V_PATH ]; then echo "Creating $V_PATH" - install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH" + su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\"" chmod gu+x "${V_PATH}" fi diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in index 61f1abb378..4d5d688d57 100755 --- a/tools/frrcommon.sh.in +++ b/tools/frrcommon.sh.in @@ -143,7 +143,7 @@ daemon_prep() { cfg="$C_PATH/$daemon${inst:+-$inst}.conf" if [ ! -r "$cfg" ]; then - install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$cfg" + su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$cfg\"" fi return 0 } @@ -161,7 +161,7 @@ daemon_start() { [ "$MAX_FDS" != "" ] && ulimit -n "$MAX_FDS" > /dev/null 2> /dev/null daemon_prep "$daemon" "$inst" || return 1 if test ! -d "$V_PATH"; then - install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH" + su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\"" chmod gu+x "${V_PATH}" fi -- 2.35.3 ++++++ 0004-tools-remove-backslash-from-declare-check-regex.patch ++++++ >From 3474b220e036497e6bbe23428645217c275f9f87 Mon Sep 17 00:00:00 2001 
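Review bot: `su - "${FRR_USER}" -c ...` runs the command through the account's login shell, and the spec in this same request creates `%{frr_user}` with `-s /sbin/nologin` (see the `useradd ... -s /sbin/nologin` context line in the `%pre` hunk above), so on this package the `install` inside the `-c` string will never execute and the per-daemon config file or `$V_PATH` will simply be missing; pass an explicit shell, e.g. `su -s /bin/sh - "${FRR_USER}" -c ...`, or use the `runuser` the commit message mentions where it is available. The approach itself is the right one: with `install` running as the unprivileged owner, a symlink planted in `$C_PATH` or `$V_PATH` can no longer be followed with root's privileges. One residual point in the two directory hunks: the `chmod gu+x "${V_PATH}"` that follows still runs as root and `chmod` dereferences symlinks, so it should move inside the same `su` command (or the executable bits should be given to `install -d -m` directly) so that no root-privileged step touches the path after it has been created as frr.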
From: Marius Tomaschewski <m...@suse.com> Date: Fri, 11 Nov 2022 12:26:04 +0100 References: https://github.com/FRRouting/frr/pull/12307 Upstream: submitted Subject: [PATCH] tools: remove backslash from declare check regex The backslash in `grep -q '^declare \-a'` is not needed and causes `grep: warning: stray \ before -` warning in grep-3.8. --- tools/frrcommon.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in index 61f1abb378..3c16c27c6d 100755 --- a/tools/frrcommon.sh.in +++ b/tools/frrcommon.sh.in @@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then load_old_config "/etc/sysconfig/frr" fi -if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare \-a'; then +if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare -a'; then log_warning_msg "watchfrr_options contains a bash array value." \ "The configured value is intentionally ignored since it is likely wrong." \ "Please remove or fix the setting." -- 2.35.3 ++++++ 0005-root-ok-in-account-frr.pam.patch ++++++ >From cb467471b31cd653e758bc3f82fffe7c44654796 Mon Sep 17 00:00:00 2001 From: Marius Tomaschewski <m...@suse.com> Date: Fri, 11 Nov 2022 14:50:12 +0100 References: https://github.com/FRRouting/frr/pull/12308 Upstream: submitted Subject: [PATCH] pam: declare root as sufficient frr pam account https://github.com/FRRouting/frr/pull/11465 enabled account verification, but the pam config declares rootok as sufficient in authentication only and not in account verification, what causes warning in the log: vtysh[3747]: pam_warn(frr:account): function=[pam_sm_acct_mgmt] flags=0 service=[frr] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>] --- redhat/frr.pam | 1 + 1 file changed, 1 insertion(+) diff --git a/redhat/frr.pam b/redhat/frr.pam index 5cef5d9d74..17a62f1999 100644 --- a/redhat/frr.pam +++ b/redhat/frr.pam 
@@ -5,6 +5,7 @@ # Only allow root (and possibly wheel) to use this because enable access # is unrestricted. auth sufficient pam_rootok.so +account sufficient pam_rootok.so # Uncomment the following line to implicitly trust users in the "wheel" group. #auth sufficient pam_wheel.so trust use_uid -- 2.35.3 ++++++ frr-8.1.tar.gz -> frr-8.4.tar.gz ++++++ /work/SRC/openSUSE:Factory/frr/frr-8.1.tar.gz /work/SRC/openSUSE:Factory/.frr.new.1597/frr-8.4.tar.gz differ: char 13, line 1
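Review bot: `account sufficient pam_rootok.so` short-circuits the remaining account modules for uid 0 only, mirroring the existing `auth sufficient pam_rootok.so` line, so it silences the `pam_warn(frr:account)` entries for root without changing the outcome for any other user. The comment block above the hunk (`# Only allow root (and possibly wheel) to use this because enable access is unrestricted.`) should be updated to say that both the auth and the account phases are covered, and if the commented-out `pam_wheel.so` line below is ever enabled it will need a matching `account` entry as well.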