Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2023-09-04 22:52:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "frr" Mon Sep 4 22:52:42 2023 rev:25 rq:1108711 version:8.4 Changes: -------- --- /work/SRC/openSUSE:Factory/frr/frr.changes 2023-06-01 17:20:51.582636735 +0200 +++ /work/SRC/openSUSE:Factory/.frr.new.1766/frr.changes 2023-09-04 22:53:00.298543244 +0200 @@ -1,0 +2,21 @@ +Wed Aug 30 17:15:35 UTC 2023 - Marius Tomaschewski <m...@suse.com> + +- Removed protobuf-c BuildRequires (source package name) breaking + build-system setup with libprotobuf-c-devel 1.3.2 updates. +- Apply upstream fix for bgpd: Don't read initial byte of the ORF + header in an ahead-of-stream situation (CVE-2023-41360, + bsc#1214739,https://github.com/FRRouting/frr/pull/14245) + [+ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch] +- Apply upstream fix for bgpd: Do not process NLRIs if the attribute + length is zero (CVE-2023-41358,bsc#1214735, + https://github.com/FRRouting/frr/pull/14260) + [+ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch] +- Apply upstream fix bgpd: Use treat-as-withdraw for tunnel encapsulation + attribute instead of session reset (CVE-2023-38802,bsc#1213284, + https://github.com/FRRouting/frr/pull/14290) + [+ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch] +- Apply upstream fix babeld: avoid infinite loops (CVE-2023-3748,bsc#1213434, + gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952) + [+ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch] + +------------------------------------------------------------------- New: ---- 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch 0011-babeld-fix-11808-to-avoid-infinite-loops.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ frr.spec ++++++ --- /var/tmp/diff_new_pack.ovxwuj/_old 2023-09-04 22:53:01.934601076 +0200 +++ /var/tmp/diff_new_pack.ovxwuj/_new 2023-09-04 22:53:01.942601359 +0200 @@ -46,6 +46,10 @@ Patch5: 0005-root-ok-in-account-frr.pam.patch Patch6: 0006-bgpd-Check-7-bytes-for-Long-lived-Graceful-Restart-c.patch Patch7: 0007-bgpd-Ensure-stream-received-has-enough-data.patch +Patch8: 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch +Patch9: 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch +Patch10: 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch +Patch11: 0011-babeld-fix-11808-to-avoid-infinite-loops.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -61,7 +65,6 @@ BuildRequires: net-snmp-devel BuildRequires: pam-devel BuildRequires: pkgconfig -BuildRequires: protobuf-c BuildRequires: python-rpm-macros BuildRequires: readline-devel BuildRequires: systemd-rpm-macros @@ -191,6 +194,10 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 %build # GCC LTO objects must be "fat" to avoid assembly errors ++++++ 0008-bgpd-Don-t-read-the-first-byte-of-ORF-header-if-we-a.patch ++++++ >From a6c5ef48cb086b94a5b911af4ee9f675213fb14b Mon Sep 17 00:00:00 2001 From: Donatas Abraitis <dona...@opensourcerouting.org> Date: Sun, 20 Aug 2023 22:15:27 +0300 Upstream: yes References: CVE-2023-41360,bsc#1214739,https://github.com/FRRouting/frr/pull/14245 Subject: [PATCH] bgpd: Don't read the first byte of ORF header if we are ahead of stream Reported-by: Iggy Frankovic iggyf...@amazon.com Signed-off-by: Donatas Abraitis <dona...@opensourcerouting.org> Signed-off-by: Marius Tomaschewski <m...@suse.com> diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c index 72d6a92317..4947dbc21d 100644 --- a/bgpd/bgp_packet.c +++ b/bgpd/bgp_packet.c @@ -2375,7 +2375,8 @@ static int bgp_route_refresh_receive(struct peer *peer, bgp_size_t size) * and 7 bytes of ORF Address-filter entry from * the stream */ - if (*p_pnt & ORF_COMMON_PART_REMOVE_ALL) { + if (p_pnt < p_end && + *p_pnt & ORF_COMMON_PART_REMOVE_ALL) { if (bgp_debug_neighbor_events(peer)) zlog_debug( "%pBP rcvd Remove-All pfxlist ORF request", -- 2.35.3 ++++++ 0009-bgpd-Do-not-process-NLRIs-if-the-attribute-length-is.patch ++++++ >From e51ca641b4a96e575be069aeea922e31f7b8dfa4 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis <dona...@opensourcerouting.org> Date: Tue, 22 Aug 2023 22:52:04 +0300 Upstream: yes References: CVE-2023-41358,bsc#1214735,https://github.com/FRRouting/frr/pull/14260 Subject: [PATCH] bgpd: Do not process NLRIs if the attribute length is zero ``` 3 0x00007f423aa42476 in __GI_raise (sig=sig@entry=11) at ../sysdeps/posix/raise.c:26 4 0x00007f423aef9740 in core_handler (signo=11, siginfo=0x7fffc414deb0, context=<optimized out>) at lib/sigevent.c:246 5 <signal handler called> 6 0x0000564dea2fc71e in route_set_aspath_prepend (rule=0x564debd66d50, prefix=0x7fffc414ea30, object=0x7fffc414e400) at bgpd/bgp_routemap.c:2258 7 0x00007f423aeec7e0 in route_map_apply_ext (map=<optimized out>, prefix=prefix@entry=0x7fffc414ea30, match_object=match_object@entry=0x7fffc414e400, set_object=set_object@entry=0x7fffc414e400, pref=pref@entry=0x0) at lib/routemap.c:2690 8 0x0000564dea2d277e in bgp_input_modifier (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, attr=attr@entry=0x7fffc414e770, afi=afi@entry=AFI_IP, safi=safi@entry=SAFI_UNICAST, rmap_name=rmap_name@entry=0x0, label=0x0, num_labels=0, dest=0x564debdd5130) at bgpd/bgp_route.c:1772 9 0x0000564dea2df762 in bgp_update (peer=peer@entry=0x7f4238f59010, p=p@entry=0x7fffc414ea30, addpath_id=addpath_id@entry=0, attr=0x7fffc414eb50, afi=afi@entry=AFI_IP, safi=<optimized out>, safi@entry=SAFI_UNICAST, type=9, sub_type=0, prd=0x0, label=0x0, num_labels=0, soft_reconfig=0, evpn=0x0) at bgpd/bgp_route.c:4374 10 0x0000564dea2e2047 in bgp_nlri_parse_ip (peer=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=0x7fffc414eaf0) at bgpd/bgp_route.c:6249 11 0x0000564dea2c5a58 in bgp_nlri_parse (peer=peer@entry=0x7f4238f59010, attr=attr@entry=0x7fffc414eb50, packet=packet@entry=0x7fffc414eaf0, mp_withdraw=mp_withdraw@entry=false) at bgpd/bgp_packet.c:339 12 0x0000564dea2c5d66 in bgp_update_receive (peer=peer@entry=0x7f4238f59010, size=size@entry=109) at bgpd/bgp_packet.c:2024 13 0x0000564dea2c901d in bgp_process_packet (thread=<optimized out>) at bgpd/bgp_packet.c:2933 14 0x00007f423af0bf71 in event_call (thread=thread@entry=0x7fffc414ee40) at lib/event.c:1995 15 0x00007f423aebb198 in frr_run (master=0x564deb73c670) at lib/libfrr.c:1213 16 0x0000564dea261b83 in main (argc=<optimized out>, argv=<optimized out>) at bgpd/bgp_main.c:505 ``` With the configuration: ``` frr version 9.1-dev-MyOwnFRRVersion frr defaults traditional hostname ip-172-31-13-140 log file /tmp/debug.log log syslog service integrated-vtysh-config ! debug bgp keepalives debug bgp neighbor-events debug bgp updates in debug bgp updates out ! router bgp 100 bgp router-id 9.9.9.9 no bgp ebgp-requires-policy bgp bestpath aigp neighbor 172.31.2.47 remote-as 200 ! address-family ipv4 unicast neighbor 172.31.2.47 default-originate neighbor 172.31.2.47 route-map RM_IN in exit-address-family exit ! route-map RM_IN permit 10 set as-path prepend 200 exit ! ``` The issue is that we try to process NLRIs even if the attribute length is 0. Later bgp_update() will handle route-maps and a crash occurs because all the attributes are NULL, including aspath, where we dereference. According to the RFC 4271: A value of 0 indicates that neither the Network Layer Reachability Information field nor the Path Attribute field is present in this UPDATE message. But with a fuzzed UPDATE message this can be faked. I think it's reasonable to skip processing NLRIs if both update_len and attribute_len are 0. Reported-by: Iggy Frankovic <iggyf...@amazon.com> Signed-off-by: Donatas Abraitis <dona...@opensourcerouting.org> Signed-off-by: Marius Tomaschewski <m...@suse.com> diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c index 4947dbc21d..1ef421028f 100644 --- a/bgpd/bgp_packet.c +++ b/bgpd/bgp_packet.c @@ -1951,7 +1951,7 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) /* Network Layer Reachability Information. */ update_len = end - stream_pnt(s); - if (update_len) { + if (update_len && attribute_len) { /* Set NLRI portion to structure. */ nlris[NLRI_UPDATE].afi = AFI_IP; nlris[NLRI_UPDATE].safi = SAFI_UNICAST; -- 2.35.3 ++++++ 0010-bgpd-Use-treat-as-withdraw-for-tunnel-encapsulation-.patch ++++++ >From 129adde0aef424778d6c4791b5be10e302db9320 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis <dona...@opensourcerouting.org> Date: Thu, 13 Jul 2023 22:32:03 +0300 Upstream: yes References: CVE-2023-38802,bsc#1213284,https://github.com/FRRouting/frr/pull/14290 Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation attribute Before this path we used session reset method, which is discouraged by rfc7606. Handle this as rfc requires. Signed-off-by: Donatas Abraitis <dona...@opensourcerouting.org> Signed-off-by: Marius Tomaschewski <m...@suse.com> diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index c6177a1b93..188393b752 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, case BGP_ATTR_LARGE_COMMUNITIES: case BGP_ATTR_ORIGINATOR_ID: case BGP_ATTR_CLUSTER_LIST: + case BGP_ATTR_ENCAP: case BGP_ATTR_OTC: return BGP_ATTR_PARSE_WITHDRAW; case BGP_ATTR_MP_REACH_NLRI: @@ -2426,26 +2427,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args) } /* Parse Tunnel Encap attribute in an UPDATE */ -static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - bgp_size_t length, /* IN: attr's length field */ - struct attr *attr, /* IN: caller already allocated */ - uint8_t flag, /* IN: attr's flags field */ - uint8_t *startp) +static int bgp_attr_encap(struct bgp_attr_parser_args *args) { - bgp_size_t total; uint16_t tunneltype = 0; - - total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); + struct peer *const peer = args->peer; + struct attr *const attr = args->attr; + bgp_size_t length = args->length; + uint8_t type = args->type; + uint8_t flag = args->flags; if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { - zlog_info( - "Tunnel Encap attribute flag isn't optional and transitive %d", - flag); - bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, - BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, - startp, total); - return -1; + zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", + flag); + return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, + args->total); } if (BGP_ATTR_ENCAP == type) { @@ -2453,12 +2449,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ uint16_t tlv_length; if (length < 4) { - zlog_info( + zlog_err( "Tunnel Encap attribute not long enough to contain outer T,L"); - bgp_notify_send_with_data( - peer, BGP_NOTIFY_UPDATE_ERR, - BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); - return -1; + return bgp_attr_malformed(args, + BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, + args->total); } tunneltype = stream_getw(BGP_INPUT(peer)); tlv_length = stream_getw(BGP_INPUT(peer)); @@ -2488,13 +2483,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ } if (sublength > length) { - zlog_info( - "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", - sublength, length); - bgp_notify_send_with_data( - peer, BGP_NOTIFY_UPDATE_ERR, - BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); - return -1; + zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", + sublength, length); + return bgp_attr_malformed(args, + BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, + args->total); } /* alloc and copy sub-tlv */ @@ -2542,13 +2535,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ if (length) { /* spurious leftover data */ - zlog_info( - "Tunnel Encap attribute length is bad: %d leftover octets", - length); - bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, - BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, - startp, total); - return -1; + zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", + length); + return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, + args->total); } return 0; @@ -3387,8 +3377,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, case BGP_ATTR_VNC: #endif case BGP_ATTR_ENCAP: - ret = bgp_attr_encap(type, peer, length, attr, flag, - startp); + ret = bgp_attr_encap(&attr_args); break; case BGP_ATTR_PREFIX_SID: ret = bgp_attr_prefix_sid(&attr_args); -- 2.35.3 ++++++ 0011-babeld-fix-11808-to-avoid-infinite-loops.patch ++++++ >From 8a8f20d89585aa490e3cae5ad705ce23107fc1fe Mon Sep 17 00:00:00 2001 From: harryreps <harryr...@gmail.com> Date: Fri, 3 Mar 2023 23:17:14 +0000 Upsteam: yes References: CVE-2023-3748,bsc#1213434,gh#FRRouting/frr#11808,https://github.com/FRRouting/frr/pull/12952 Subject: [PATCH] babeld: fix #11808 to avoid infinite loops Replacing continue in loops to goto done so that index of packet buffer increases. Signed-off-by: harryreps <harryr...@gmail.com> (cherry picked from commit ae1e0e1fed77716bc06f181ad68c4433fb5523d0) Signed-off-by: Marius Tomaschewski <m...@suse.com> diff --git a/babeld/message.c b/babeld/message.c index 7d45d91bf7..2bf2337965 100644 --- a/babeld/message.c +++ b/babeld/message.c @@ -439,7 +439,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, debugf(BABEL_DEBUG_COMMON, "Received Hello from %s on %s that does not have all 0's in the unused section of flags, ignoring", format_address(from), ifp->name); - continue; + goto done; } /* @@ -451,7 +451,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, debugf(BABEL_DEBUG_COMMON, "Received Unicast Hello from %s on %s that FRR is not prepared to understand yet", format_address(from), ifp->name); - continue; + goto done; } DO_NTOHS(seqno, message + 4); @@ -469,7 +469,7 @@ parse_packet(const unsigned char *from, struct interface *ifp, debugf(BABEL_DEBUG_COMMON, "Received hello from %s on %s should be ignored as that this version of FRR does not know how to properly handle interval == 0", format_address(from), ifp->name); - continue; + goto done; } changed = update_neighbour(neigh, seqno, interval); -- 2.35.3