Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
Dear release team, I'd like to update openvswitch. [ Reason ] Indeed, the updated version I would like to push contains a fix for CVE-2021-36980 (Debian bug #991308), and a fix for having libofproto properly installed if activating dpdk (which fixes #992406 and #989585). This update-alternatives fix has been in Unstable for a long time already. [ Impact ] - CVE-2021-36980. - Non-working DPDK setup when using LLDP. [ Tests ] The OVS package has a test suite that's run at build time. We also set it in real production and it worked for us. [ Risks ] IMO, code is rather trivial. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Cheers, Thomas Goirand (zigo)
diff -Nru openvswitch-2.15.0+ds1/debian/changelog openvswitch-2.15.0+ds1/debian/changelog
--- openvswitch-2.15.0+ds1/debian/changelog 2021-02-20 21:58:03.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/changelog 2022-01-03 13:53:38.000000000 +0100
@@ -1,3 +1,14 @@ +openvswitch (2.15.0+ds1-2+deb11u1) bullseye; urgency=medium + + * CVE-2021-36980: use-after-free in decode_NXAST_RAW_ENCAPAdd. Add upstream + patch (Closes: #991308). + + [ Felix Moessbauer ] + * fix ABI incompatibility that crashes OVS when enabling LLDP + (Closes: #992406). + + -- Thomas Goirand <z...@debian.org> Mon, 03 Jan 2022 13:53:38 +0100 + openvswitch (2.15.0+ds1-2) unstable; urgency=medium * Mipsel64 and mipsel: blacklist more tests, as they are failing on these
diff -Nru openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in
--- openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in 2021-02-20 21:58:03.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in 2022-01-03 13:53:38.000000000 +0100
@@ -4,7 +4,8 @@ if [ "${1}" = "configure" ] ; then update-alternatives --install /usr/sbin/ovs-vswitchd ovs-vswitchd /usr/lib/openvswitch-common/ovs-vswitchd 100 \ - --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0 libopenvswitch.so /usr/lib/openvswitch-common/libopenvswitch-2.15.so.0.0.0 + --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0 libopenvswitch.so /usr/lib/openvswitch-common/libopenvswitch-2.15.so.0.0.0 \ + --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libofproto-2.15.so.0.0.0 libofproto.so /usr/lib/openvswitch-common/libofproto-2.15.so.0.0.0 fi #DEBHELPER#
diff -Nru openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in
--- openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in 2021-02-20 21:58:03.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in 2022-01-03 13:53:38.000000000 +0100
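Review bot: The new `--slave` line in openvswitch-common.postinst.in turns `/usr/lib/%%MULTIARCH_TRIPLETT%%/libofproto-2.15.so.0.0.0` into an alternatives-managed symlink, but on hosts upgrading from 2.15.0+ds1-2 that path is presumably still a regular packaged file, and update-alternatives leaves an existing non-symlink in place unless forced. If openvswitch-common itself owned the file, dpkg will have removed it before `configure` runs; if another binary package shipped it (this debdiff does not show which, and shows no debian/control change), the link may be skipped and the library removed afterwards. The same applies to the identical line added to openvswitch-switch-dpdk.postinst.in. An upgrade test from the current bullseye packages, ending with `update-alternatives --display ovs-vswitchd` listing the libofproto.so slave, would settle it.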
@@ -4,7 +4,8 @@ if [ "${1}" = "configure" ] ; then update-alternatives --install /usr/sbin/ovs-vswitchd ovs-vswitchd /usr/lib/openvswitch-switch-dpdk/ovs-vswitchd-dpdk 200 \ - --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0 libopenvswitch.so /usr/lib/openvswitch-switch-dpdk/libopenvswitch-2.15.so.0.0.0 + --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0 libopenvswitch.so /usr/lib/openvswitch-switch-dpdk/libopenvswitch-2.15.so.0.0.0 \ + --slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libofproto-2.15.so.0.0.0 libofproto.so /usr/lib/openvswitch-switch-dpdk/libofproto-2.15.so.0.0.0 fi #DEBHELPER#
diff -Nru openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
--- openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch 1970-01-01 01:00:00.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch 2022-01-03 13:53:38.000000000 +0100
@@ -0,0 +1,87 @@
+Description: CVE-2021-36980: ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
+ While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
+ ofpbuf if there is no enough space left. However, function
+ 'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
+ structure leading to write-after-free and incorrect decoding.
+ .
+ ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
+ 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
+ WRITE of size 2 at 0x60600000011a thread T0
+ #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
+ #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
+ #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
+ #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
+ #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
+ #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
+ #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
+ #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
+ #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
+ #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
+ #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
+ #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
+ #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
+ #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
+ #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
+ #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
+ .
+ Fix that by getting a new pointer before using.
+ .
+ Credit to OSS-Fuzz.
+ .
+ Fuzzer regression test will fail only with AddressSanitizer enabled.
+Author: Ilya Maximets <i.maxim...@ovn.org>
+Date: Tue, 16 Feb 2021 23:27:30 +0100
+Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
+Fixes: f839892a206a ("OF support and translation of generic encap and decap")
+Acked-by: William Tu <u9012...@gmail.com>
+Signed-off-by: Ilya Maximets <i.maxim...@ovn.org>
+Bug-Debian: https://bugs.debian.org/991308
+Origin: upstream, https://github.com/openvswitch/ovs/commit/38744b1bcb022c611712527f039722115300f58f.patch
+Last-Update: 2021-07-21
+
+diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
+index e2e829772a5..0342a228b70 100644
+--- a/lib/ofp-actions.c
++++ b/lib/ofp-actions.c
+@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+ {
+ struct ofpact_encap *encap;
+ const struct ofp_ed_prop_header *ofp_prop;
++ const size_t encap_ofs = out->size;
+ size_t props_len;
+ uint16_t n_props = 0;
+ int err;
+@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+ }
+ n_props++;
+ }
++ encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
+ encap->n_props = n_props;
+ out->header = &encap->ofpact;
+ ofpact_finish_ENCAP(out, &encap);
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 677b99a6b48..fc80e027dfc 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
+ tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
+ tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
+ tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
+- tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
++ tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
++ tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+ $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
+ $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
+ basename=`echo $$name | sed 's,^.*/,,'`; \
+diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
+index e3173fb88f0..2347c690eff 100644
+--- a/tests/fuzz-regression-list.at
++++ b/tests/fuzz-regression-list.at
+@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
+diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+new file mode 100644
+index 00000000000..e69de29bb2d
diff -Nru openvswitch-2.15.0+ds1/debian/patches/series openvswitch-2.15.0+ds1/debian/patches/series
--- openvswitch-2.15.0+ds1/debian/patches/series 2021-02-20 21:58:03.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/patches/series 2022-01-03 13:53:38.000000000 +0100
@@ -1,2 +1,3 @@
 remove-include-debian-automake.mk.patch
 py3-compat.patch
+CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
diff -Nru openvswitch-2.15.0+ds1/debian/rules openvswitch-2.15.0+ds1/debian/rules
--- openvswitch-2.15.0+ds1/debian/rules 2021-02-20 21:58:03.000000000 +0100
+++ openvswitch-2.15.0+ds1/debian/rules 2022-01-03 13:53:38.000000000 +0100
@@ -181,6 +181,7 @@ endif # nocheck override_dh_auto_build: + touch tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 set -e ; set -x ; for MYMAINTSCRIPT in openvswitch-common.postinst openvswitch-switch-dpdk.postinst ; do \ sed s/%%MULTIARCH_TRIPLETT%%/$$(dpkg-architecture -qDEB_HOST_MULTIARCH)/ debian/$$MYMAINTSCRIPT.in >debian/$$MYMAINTSCRIPT ; \ done
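Review bot: The fuzz regression input added by the CVE-2021-36980 patch is empty, so the new test entry does not exercise the fix: the last inner section creates `tests/fuzz-regression/ofp_print_fuzzer-6540965472632832` with blob id `e69de29bb2d` (git's empty blob), and debian/rules then produces the file with `touch` in override_dh_auto_build. An empty input presumably gives the ofp_print fuzzer no RAW_ENCAP action to decode, and the patch header itself says the test only fails under AddressSanitizer, so a passing build-time suite says nothing about this fix. Unless the real reproducer can be shipped, dropping the additions to tests/automake.mk and tests/fuzz-regression-list.at together with the `touch` would keep the stable diff smaller and avoid implying coverage. Separately, the re-fetch in decode_NXAST_RAW_ENCAP (whose body lies mostly outside the two inner hunks) deserves a comment such as `/* decode_ed_prop() may reallocate 'out'; re-derive 'encap' from its saved offset. */`.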
@@ -207,6 +208,9 @@ $(CURDIR)/debian/openvswitch-common/usr/lib/openvswitch-common/ovs-vswitchd mv $(CURDIR)/debian/tmp/usr/lib/*/libopenvswitch-2.15.so.0.0.0 \ $(CURDIR)/debian/openvswitch-common/usr/lib/openvswitch-common/libopenvswitch-2.15.so.0.0.0 + mv $(CURDIR)/debian/tmp/usr/lib/*/libofproto-2.15.so.0.0.0 \ + $(CURDIR)/debian/openvswitch-common/usr/lib/openvswitch-common/libofproto-2.15.so.0.0.0 + override_dh_auto_install-indep: $(MAKE) -C _debian DESTDIR=$(CURDIR)/debian/tmp install
@@ -218,7 +222,10 @@ override_dh_install: install -D -m 0644 utilities/ovs-vsctl-bashcomp.bash $(CURDIR)/debian/openvswitch-switch/usr/share/bash-completion/completions/ovs-vsctl - dh_install --exclude=usr/sbin/ovs-vswitchd --exclude=usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH`/libopenvswitch-2.15.so.0.0.0 + dh_install --exclude=usr/sbin/ovs-vswitchd \ + --exclude=usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH`/libopenvswitch-2.15.so.0.0.0 \ + --exclude=usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH`/libofproto-2.15.so.0.0.0 + rm -f $(CURDIR)/debian/tmp/usr/lib/*/*.la dh_installman --language=C
@@ -227,6 +234,7 @@ # remove the files managed via update-alternatives rm -f $(CURDIR)/debian/tmp/usr/sbin/ovs-vswitchd rm -f $(CURDIR)/debian/tmp/usr/lib/*/libopenvswitch-2.15.so.0.0.0 + rm -f $(CURDIR)/debian/tmp/usr/lib/*/libofproto-2.15.so.0.0.0 dh_missing --fail-missing # openvswitch-switch
@@ -238,6 +246,8 @@ $(CURDIR)/debian/openvswitch-switch-dpdk/usr/lib/openvswitch-switch-dpdk/ovs-vswitchd-dpdk install -v -D _dpdk/lib/.libs/libopenvswitch-2.15.so.0.0.0 \ $(CURDIR)/debian/openvswitch-switch-dpdk/usr/lib/openvswitch-switch-dpdk/libopenvswitch-2.15.so.0.0.0 + install -v -D _dpdk/ofproto/.libs/libofproto-2.15.so.0.0.0 \ + $(CURDIR)/debian/openvswitch-switch-dpdk/usr/lib/openvswitch-switch-dpdk/libofproto-2.15.so.0.0.0 endif override_dh_installinit:
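Review bot: `libofproto-2.15.so.0.0.0` is now spelled out in each of these debian/rules hunks (the `mv`, the `--exclude`, the `rm -f` and the DPDK `install`) and again in both postinst templates, next to the equally hard-coded libopenvswitch name. A missed occurrence on the next soname change would leave one library outside the alternatives group, which looks like the mixed-ABI situation this update is fixing. Consider a single variable in debian/rules, for example `OVS_SOVER := 2.15.so.0.0.0` used as `libofproto-$(OVS_SOVER)`, with a matching `%%OVS_SOVER%%` placeholder substituted by the existing sed loop in override_dh_auto_build. The rule bodies these hunks touch begin and end outside the hunks.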
@@ -254,7 +264,7 @@ dh_strip --dbg-package=openvswitch-dbg override_dh_shlibdeps: - dh_shlibdeps -l$(CURDIR)/_debian/lib/.libs + dh_shlibdeps -l$(CURDIR)/_debian/lib/.libs:$(CURDIR)/_debian/ofproto/.libs override_dh_installman: echo "Do nothing..."