Bug#1003058: bullseye-pu: package openvswitch/2.15.0+ds1-2

Mon, 03 Jan 2022 05:27:16 -0800 

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

I'd like to update openvswitch.

[ Reason ]
Indeed, the updated version I would like to push contains a fix for
CVE-2021-36980 (Debian bug #991308), and a fix for having libofproto
properly installed if activating dpdk (which fixes #992406 and
#989585). This update-alternatives fix has been in Unstable for a long
time already.

[ Impact ]
- CVE-2021-36980.
- Non-working DPDK setup when using LLDP.

[ Tests ]
The OVS package has a test suite that's run at build time.
We also set it in real production and it worked for us.

[ Risks ]
IMO, code is rather trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Cheers,

Thomas Goirand (zigo)

diff -Nru openvswitch-2.15.0+ds1/debian/changelog 
openvswitch-2.15.0+ds1/debian/changelog
--- openvswitch-2.15.0+ds1/debian/changelog     2021-02-20 21:58:03.000000000 
+0100
+++ openvswitch-2.15.0+ds1/debian/changelog     2022-01-03 13:53:38.000000000 
+0100
@@ -1,3 +1,14 @@
+openvswitch (2.15.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+  * CVE-2021-36980: use-after-free in decode_NXAST_RAW_ENCAPAdd. Add upstream
+    patch (Closes: #991308).
+
+  [ Felix Moessbauer ]
+  * fix ABI incompatibility that crashes OVS when enabling LLDP
+    (Closes: #992406).
+
+ -- Thomas Goirand <z...@debian.org>  Mon, 03 Jan 2022 13:53:38 +0100
+
 openvswitch (2.15.0+ds1-2) unstable; urgency=medium
 
   * Mipsel64 and mipsel: blacklist more tests, as they are failing on these
diff -Nru openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in 
openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in
--- openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in        
2021-02-20 21:58:03.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in        
2022-01-03 13:53:38.000000000 +0100
@@ -4,7 +4,8 @@
 
 if [ "${1}" = "configure" ] ; then
        update-alternatives --install /usr/sbin/ovs-vswitchd ovs-vswitchd 
/usr/lib/openvswitch-common/ovs-vswitchd 100 \
-        --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0 
libopenvswitch.so /usr/lib/openvswitch-common/libopenvswitch-2.15.so.0.0.0
+        --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0 
libopenvswitch.so /usr/lib/openvswitch-common/libopenvswitch-2.15.so.0.0.0 \
+        --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libofproto-2.15.so.0.0.0 
libofproto.so /usr/lib/openvswitch-common/libofproto-2.15.so.0.0.0
 fi
 
 #DEBHELPER#
diff -Nru openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in 
openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in
--- openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in   
2021-02-20 21:58:03.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in   
2022-01-03 13:53:38.000000000 +0100
@@ -4,7 +4,8 @@
 
 if [ "${1}" = "configure" ] ; then
        update-alternatives --install /usr/sbin/ovs-vswitchd ovs-vswitchd 
/usr/lib/openvswitch-switch-dpdk/ovs-vswitchd-dpdk 200 \
-        --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0 
libopenvswitch.so /usr/lib/openvswitch-switch-dpdk/libopenvswitch-2.15.so.0.0.0
+        --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0 
libopenvswitch.so /usr/lib/openvswitch-switch-dpdk/libopenvswitch-2.15.so.0.0.0 
\
+        --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libofproto-2.15.so.0.0.0 
libofproto.so /usr/lib/openvswitch-switch-dpdk/libofproto-2.15.so.0.0.0
 fi
 
 #DEBHELPER#
diff -Nru 
openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
 
openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
--- 
openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
      2022-01-03 13:53:38.000000000 +0100
@@ -0,0 +1,87 @@
+Description: CVE-2021-36980: ofp-actions: Fix use-after-free while decoding 
RAW_ENCAP.
+ While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
+ ofpbuf if there is no enough space left.  However, function
+ 'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
+ structure leading to write-after-free and incorrect decoding.
+ .
+   ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
+   0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
+   WRITE of size 2 at 0x60600000011a thread T0
+     #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
+     #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
+     #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
+     #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
+     #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
+     #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
+     #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
+     #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
+     #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
+     #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
+     #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
+     #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
+     #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
+     #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
+     #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
+     #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
+ .
+ Fix that by getting a new pointer before using.
+ .
+ Credit to OSS-Fuzz.
+ .
+ Fuzzer regression test will fail only with AddressSanitizer enabled.
+Author: Ilya Maximets <i.maxim...@ovn.org>
+Date: Tue, 16 Feb 2021 23:27:30 +0100
+Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
+Fixes: f839892a206a ("OF support and translation of generic encap and decap")
+Acked-by: William Tu <u9012...@gmail.com>
+Signed-off-by: Ilya Maximets <i.maxim...@ovn.org>
+Bug-Debian: https://bugs.debian.org/991308
+Origin: upstream, 
https://github.com/openvswitch/ovs/commit/38744b1bcb022c611712527f039722115300f58f.patch
+Last-Update: 2021-07-21
+
+diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
+index e2e829772a5..0342a228b70 100644
+--- a/lib/ofp-actions.c
++++ b/lib/ofp-actions.c
+@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+ {
+     struct ofpact_encap *encap;
+     const struct ofp_ed_prop_header *ofp_prop;
++    const size_t encap_ofs = out->size;
+     size_t props_len;
+     uint16_t n_props = 0;
+     int err;
+@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+         }
+         n_props++;
+     }
++    encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
+     encap->n_props = n_props;
+     out->header = &encap->ofpact;
+     ofpact_finish_ENCAP(out, &encap);
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 677b99a6b48..fc80e027dfc 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
+       tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
+       tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
+       tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
+-      tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
++      tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
++      tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+ $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
+       $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
+             basename=`echo $$name | sed 's,^.*/,,'`; \
+diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
+index e3173fb88f0..2347c690eff 100644
+--- a/tests/fuzz-regression-list.at
++++ b/tests/fuzz-regression-list.at
+@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
+diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 
b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+new file mode 100644
+index 00000000000..e69de29bb2d
diff -Nru openvswitch-2.15.0+ds1/debian/patches/series 
openvswitch-2.15.0+ds1/debian/patches/series
--- openvswitch-2.15.0+ds1/debian/patches/series        2021-02-20 
21:58:03.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/patches/series        2022-01-03 
13:53:38.000000000 +0100
@@ -1,2 +1,3 @@
 remove-include-debian-automake.mk.patch
 py3-compat.patch
+CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
diff -Nru openvswitch-2.15.0+ds1/debian/rules 
openvswitch-2.15.0+ds1/debian/rules
--- openvswitch-2.15.0+ds1/debian/rules 2021-02-20 21:58:03.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/rules 2022-01-03 13:53:38.000000000 +0100
@@ -181,6 +181,7 @@
 endif # nocheck
 
 override_dh_auto_build:
+       touch tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
        set -e ; set -x ; for MYMAINTSCRIPT in openvswitch-common.postinst 
openvswitch-switch-dpdk.postinst ; do \
                sed s/%%MULTIARCH_TRIPLETT%%/$$(dpkg-architecture 
-qDEB_HOST_MULTIARCH)/ debian/$$MYMAINTSCRIPT.in >debian/$$MYMAINTSCRIPT ; \
        done
@@ -207,6 +208,9 @@
                
$(CURDIR)/debian/openvswitch-common/usr/lib/openvswitch-common/ovs-vswitchd
        mv $(CURDIR)/debian/tmp/usr/lib/*/libopenvswitch-2.15.so.0.0.0 \
                
$(CURDIR)/debian/openvswitch-common/usr/lib/openvswitch-common/libopenvswitch-2.15.so.0.0.0
+       mv $(CURDIR)/debian/tmp/usr/lib/*/libofproto-2.15.so.0.0.0 \
+               
$(CURDIR)/debian/openvswitch-common/usr/lib/openvswitch-common/libofproto-2.15.so.0.0.0
+
 
 override_dh_auto_install-indep:
        $(MAKE) -C _debian DESTDIR=$(CURDIR)/debian/tmp install
@@ -218,7 +222,10 @@
 
 override_dh_install:
        install -D -m 0644 utilities/ovs-vsctl-bashcomp.bash 
$(CURDIR)/debian/openvswitch-switch/usr/share/bash-completion/completions/ovs-vsctl
-       dh_install --exclude=usr/sbin/ovs-vswitchd 
--exclude=usr/lib/`dpkg-architecture 
-qDEB_HOST_MULTIARCH`/libopenvswitch-2.15.so.0.0.0
+       dh_install --exclude=usr/sbin/ovs-vswitchd \
+                  --exclude=usr/lib/`dpkg-architecture 
-qDEB_HOST_MULTIARCH`/libopenvswitch-2.15.so.0.0.0 \
+                  --exclude=usr/lib/`dpkg-architecture 
-qDEB_HOST_MULTIARCH`/libofproto-2.15.so.0.0.0
+
 
        rm -f $(CURDIR)/debian/tmp/usr/lib/*/*.la
        dh_installman --language=C
@@ -227,6 +234,7 @@
        # remove the files managed via update-alternatives
        rm -f $(CURDIR)/debian/tmp/usr/sbin/ovs-vswitchd
        rm -f $(CURDIR)/debian/tmp/usr/lib/*/libopenvswitch-2.15.so.0.0.0
+       rm -f $(CURDIR)/debian/tmp/usr/lib/*/libofproto-2.15.so.0.0.0
 
        dh_missing --fail-missing
        # openvswitch-switch
@@ -238,6 +246,8 @@
                
$(CURDIR)/debian/openvswitch-switch-dpdk/usr/lib/openvswitch-switch-dpdk/ovs-vswitchd-dpdk
        install -v -D _dpdk/lib/.libs/libopenvswitch-2.15.so.0.0.0 \
                
$(CURDIR)/debian/openvswitch-switch-dpdk/usr/lib/openvswitch-switch-dpdk/libopenvswitch-2.15.so.0.0.0
+       install -v -D _dpdk/ofproto/.libs/libofproto-2.15.so.0.0.0 \
+               
$(CURDIR)/debian/openvswitch-switch-dpdk/usr/lib/openvswitch-switch-dpdk/libofproto-2.15.so.0.0.0
 endif
 
 override_dh_installinit:
@@ -254,7 +264,7 @@
        dh_strip --dbg-package=openvswitch-dbg
 
 override_dh_shlibdeps:
-       dh_shlibdeps -l$(CURDIR)/_debian/lib/.libs
+       dh_shlibdeps 
-l$(CURDIR)/_debian/lib/.libs:$(CURDIR)/_debian/ofproto/.libs
 
 override_dh_installman:
        echo "Do nothing..."

Reply via email to