On 2/10/21 8:59 PM, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.15.0~git20210104.def6eb1ea+dfsg1-4
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: found -1 2.10.6+ds1-0+deb10u1
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
>
> Hi,
>
> The following vulnerability was published for openvswitch.
>
> CVE-2020-35498[0]:
> | Packet parsing vulnerability
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-35498
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35498
> [1] https://www.openwall.com/lists/oss-security/2021/02/10/4
>
> Regards,
> Salvatore
Hi Salvatore,

Please find the attached debdiff for the upload to security-master. Please approve this upload. Note that Sid is already fixed (with a cherry-picked patch).

Cheers,

Thomas Goirand (zigo)
diff -Nru openvswitch-2.10.6+ds1/build-aux/dist-docs openvswitch-2.10.7+ds1/build-aux/dist-docs --- openvswitch-2.10.6+ds1/build-aux/dist-docs 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/build-aux/dist-docs 2021-02-12 15:48:11.000000000 +0100 @@ -43,7 +43,7 @@ mkdir $distdir # Install manpages. -${MAKE-make} install-man mandir="$abs_distdir"/man +${MAKE-make} install-man install-man-rst mandir="$abs_distdir"/man (cd $distdir && mv `find man -type f` . && rm -rf man) manpages=`cd $distdir && echo *` diff -Nru openvswitch-2.10.6+ds1/configure.ac openvswitch-2.10.7+ds1/configure.ac --- openvswitch-2.10.6+ds1/configure.ac 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/configure.ac 2021-02-12 15:48:11.000000000 +0100 @@ -13,7 +13,7 @@ # limitations under the License. AC_PREREQ(2.63) -AC_INIT(openvswitch, 2.10.6, b...@openvswitch.org) +AC_INIT(openvswitch, 2.10.7, b...@openvswitch.org) AC_CONFIG_SRCDIR([datapath/datapath.c]) AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_AUX_DIR([build-aux]) diff -Nru openvswitch-2.10.6+ds1/debian/changelog openvswitch-2.10.7+ds1/debian/changelog --- openvswitch-2.10.6+ds1/debian/changelog 2021-01-18 13:18:47.000000000 +0100 +++ openvswitch-2.10.7+ds1/debian/changelog 2021-02-12 15:48:38.000000000 +0100 
@@ -1,3 +1,15 @@ +openvswitch (2.10.7+ds1-0+deb10u1) buster-security; urgency=medium + + * New upstream point release: + - Addresses CVE-2020-35498: denial of service attacks, in which crafted + network packets could cause the packet lookup to ignore network header + fields from layers 3 and 4. The crafted network packet is an ordinary + IPv4 or IPv6 packet with Ethernet padding length above 255 bytes. This + causes the packet sanity check to abort parsing header fields after + layer 2 (Closes: #982493). + + -- Thomas Goirand <z...@debian.org> Fri, 12 Feb 2021 15:48:38 +0100 + openvswitch (2.10.6+ds1-0+deb10u1) buster-security; urgency=high * New upstream point release: diff -Nru openvswitch-2.10.6+ds1/.github/workflows/build-and-test.yml openvswitch-2.10.7+ds1/.github/workflows/build-and-test.yml --- openvswitch-2.10.6+ds1/.github/workflows/build-and-test.yml 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/.github/workflows/build-and-test.yml 2021-02-12 15:48:11.000000000 +0100 @@ -83,6 +83,8 @@ - name: checkout uses: actions/checkout@v2 + - name: update APT cache + run: sudo apt update || true - name: install common dependencies run: sudo apt install -y ${{ env.dependencies }} - name: install libunbound diff -Nru openvswitch-2.10.6+ds1/lib/conntrack.c openvswitch-2.10.7+ds1/lib/conntrack.c --- openvswitch-2.10.6+ds1/lib/conntrack.c 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/lib/conntrack.c 2021-02-12 15:48:11.000000000 +0100 
@@ -640,7 +640,7 @@ reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn) { char *tail = dp_packet_tail(pkt); - uint8_t pad = dp_packet_l2_pad_size(pkt); + uint16_t pad = dp_packet_l2_pad_size(pkt); struct conn_key inner_key; const char *inner_l4 = NULL; uint16_t orig_l3_ofs = pkt->l3_ofs; diff -Nru openvswitch-2.10.6+ds1/lib/dp-packet.h openvswitch-2.10.7+ds1/lib/dp-packet.h --- openvswitch-2.10.6+ds1/lib/dp-packet.h 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/lib/dp-packet.h 2021-02-12 15:48:11.000000000 +0100 @@ -65,7 +65,7 @@ /* All the following elements of this struct are copied in a single call * of memcpy in dp_packet_clone_with_headroom. */ - uint8_t l2_pad_size; /* Detected l2 padding size. + uint16_t l2_pad_size; /* Detected l2 padding size. * Padding is non-pullable. */ uint16_t l2_5_ofs; /* MPLS label stack offset, or UINT16_MAX */ uint16_t l3_ofs; /* Network-level header offset, @@ -95,8 +95,8 @@ void *dp_packet_resize_l2_5(struct dp_packet *, int increment); static inline void *dp_packet_eth(const struct dp_packet *); static inline void dp_packet_reset_offsets(struct dp_packet *); -static inline uint8_t dp_packet_l2_pad_size(const struct dp_packet *); -static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint8_t); +static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *); +static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint16_t); static inline void *dp_packet_l2_5(const struct dp_packet *); static inline void dp_packet_set_l2_5(struct dp_packet *, void *); static inline void *dp_packet_l3(const struct dp_packet *); 
@@ -295,14 +295,14 @@ b->l4_ofs = UINT16_MAX; } -static inline uint8_t +static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *b) { return b->l2_pad_size; } static inline void -dp_packet_set_l2_pad_size(struct dp_packet *b, uint8_t pad_size) +dp_packet_set_l2_pad_size(struct dp_packet *b, uint16_t pad_size) { ovs_assert(pad_size <= dp_packet_size(b)); b->l2_pad_size = pad_size; diff -Nru openvswitch-2.10.6+ds1/lib/flow.c openvswitch-2.10.7+ds1/lib/flow.c --- openvswitch-2.10.6+ds1/lib/flow.c 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/lib/flow.c 2021-02-12 15:48:11.000000000 +0100 @@ -642,7 +642,7 @@ tot_len = ntohs(nh->ip_tot_len); if (OVS_UNLIKELY(tot_len > size || ip_len > tot_len || - size - tot_len > UINT8_MAX)) { + size - tot_len > UINT16_MAX)) { return false; } @@ -680,8 +680,8 @@ if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) { return false; } - /* Jumbo Payload option not supported yet. */ - if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT8_MAX)) { + + if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT16_MAX)) { return false; } diff -Nru openvswitch-2.10.6+ds1/lib/odp-util.c openvswitch-2.10.7+ds1/lib/odp-util.c --- openvswitch-2.10.6+ds1/lib/odp-util.c 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/lib/odp-util.c 2021-02-12 15:48:11.000000000 +0100 @@ -371,7 +371,8 @@ break; } default: - OVS_NOT_REACHED(); + ds_put_cstr(ds, ",<error: unknown mdtype>"); + break; } ds_put_format(ds, ")"); } diff -Nru openvswitch-2.10.6+ds1/NEWS openvswitch-2.10.7+ds1/NEWS --- openvswitch-2.10.6+ds1/NEWS 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/NEWS 2021-02-12 15:48:11.000000000 +0100 
@@ -1,3 +1,9 @@ +v2.10.7 - 10 Feb 2021 +--------------------- + - Bug fixes + - Security: + * Fixed packet parsing vulnerability CVE-2020-35498. + v2.10.6 - 13 Jan 2021 --------------------- - Bug fixes diff -Nru openvswitch-2.10.6+ds1/python/setup.py openvswitch-2.10.7+ds1/python/setup.py --- openvswitch-2.10.6+ds1/python/setup.py 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/python/setup.py 2021-02-12 15:48:11.000000000 +0100 @@ -82,7 +82,7 @@ ext_modules=[setuptools.Extension("ovs._json", sources=["ovs/_json.c"], libraries=['openvswitch'])], cmdclass={'build_ext': try_build_ext}, - install_requires=['sortedcontainers'], + install_requires=['six', 'sortedcontainers'], ) try: diff -Nru openvswitch-2.10.6+ds1/tests/classifier.at openvswitch-2.10.7+ds1/tests/classifier.at --- openvswitch-2.10.6+ds1/tests/classifier.at 2021-01-18 13:17:23.000000000 +0100 +++ openvswitch-2.10.7+ds1/tests/classifier.at 2021-02-12 15:48:11.000000000 +0100 
@@ -306,3 +306,39 @@ ]) OVS_VSWITCHD_STOP AT_CLEANUP + +# Flow classifier a packet with excess of padding. +AT_SETUP([flow classifier - packet with extra padding]) +OVS_VSWITCHD_START +add_of_ports br0 1 2 +AT_DATA([flows.txt], [dnl +priority=5,ip,ip_dst=1.1.1.1,actions=1 +priority=5,ip,ip_dst=1.1.1.2,actions=2 +priority=0,actions=drop +]) +AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) +packet=00020202020000010101010008004500001c00010000401176cc01010101010101020d6a00350008ee3a +AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 $packet] , [0], [stdout]) +AT_CHECK([tail -2 stdout], [0], + [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no +Datapath actions: 2 +]) +# normal packet plus 255 bytes of padding (8bit padding). +# 255 * 2 = 510 +padding=$(printf '%*s' 510 | tr ' ' '0') +AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}] , [0], [stdout]) +AT_CHECK([tail -2 stdout], [0], + [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no +Datapath actions: 2 +]) +# normal packet plus padding up to 65535 bytes of length (16bit limit). +# 65535 - 43 = 65492 +# 65492 * 2 = 130984 +padding=$(printf '%*s' 130984 | tr ' ' '0') +AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}], [0], [stdout]) +AT_CHECK([tail -2 stdout], [0], + [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no +Datapath actions: 2 +]) +OVS_VSWITCHD_STOP +AT_CLEANUP
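Review bot: in the build-aux/dist-docs hunk, adding `install-man-rst` to the `${MAKE-make} install-man` invocation makes the documentation step depend on the RST-to-man conversion that target performs; confirm the buster build environment (Build-Depends) provides the converter it needs, otherwise the dist-docs run fails in a clean chroot even though the rest of the point release builds.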
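Review bot: the debian/changelog stanza for 2.10.7+ds1-0+deb10u1 uses `urgency=medium`, while the previous buster-security stanza directly below it uses `urgency=high`; for a fix to a bug filed at severity grave, `high` is the consistent choice. The stanza also credits only CVE-2020-35498, but the point release carries other changes visible in this debdiff (the odp-util.c default-branch change and the new `six` requirement in python/setup.py); a one-line mention of "other upstream fixes" would make the security team's review of the debdiff easier.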
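Review bot: in the lib/dp-packet.h struct hunk, widening `l2_pad_size` from `uint8_t` to `uint16_t` changes the layout of the field block that the comment above it says is copied by a single memcpy in `dp_packet_clone_with_headroom`; a range copy follows the new size automatically, but any code that hard-codes offsets into `struct dp_packet` or mirrors its layout needs to be re-checked after this change. The prototype hunk and the later definition hunk widen `dp_packet_l2_pad_size` / `dp_packet_set_l2_pad_size` to match, the `uint16_t pad` in `reverse_nat_packet` (lib/conntrack.c) keeps the one visible caller consistent, and the existing `ovs_assert(pad_size <= dp_packet_size(b))` in the setter still bounds the stored value, so the widening is complete as far as this debdiff shows.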
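Review bot: the lib/flow.c IPv4 hunk is the actual CVE-2020-35498 fix: with the old bound `size - tot_len > UINT8_MAX`, a frame with more than 255 bytes of trailing padding hit `return false`, so the layer 3 and 4 header fields were never parsed and the packet was classified on its Ethernet header alone, exactly the degradation the changelog describes. The new `UINT16_MAX` bound keeps the same `return false` behaviour for padding above 65535 bytes (the capacity of the widened `uint16_t l2_pad_size`), so parsing still silently degrades rather than the packet being dropped at that limit; a short comment stating that padding beyond the 16-bit field is treated as unparseable would make the intent explicit. In the IPv6 hunk, the comment `/* Jumbo Payload option not supported yet. */` was replaced by a bare blank line; either keep a comment that says what the bound guards, or drop the blank line rather than leaving an unexplained gap before the check.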
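Review bot: in the lib/odp-util.c hunk, replacing `OVS_NOT_REACHED()` with `ds_put_cstr(ds, ",<error: unknown mdtype>"); break;` in the `default:` branch turns an abort on an unrecognised `mdtype` value into an error marker in the formatted output, which is the right behaviour for a formatting routine that can be fed unexpected input (an abort here is a denial-of-service path of its own). It is a separate hardening change from the padding fix, so it deserves its own mention in the changelog or NEWS rather than riding along under the CVE entry.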
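Review bot: in the python/setup.py hunk, adding `'six'` to `install_requires` introduces a new runtime dependency for the Python bindings; since setup.py's `install_requires` is not consulted when the Debian binary package is installed, check that the packaging's Depends for the Python package lists the corresponding six module, or the bindings will import-fail on a system that lacks it.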
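Review bot: in the tests/classifier.at hunk, the comment `# 65535 - 43 = 65492` does not match the test packet: the `packet=` hex string is 84 hex digits, i.e. 42 bytes (14 Ethernet + 20 IPv4 + 8 UDP), so 65492 bytes of padding give a 65534-byte frame, one byte short of the 65535-byte total the comment says it exercises. Either use 65493 bytes of padding (130986 hex digits) or correct the comment to `65535 - 42 = 65493`. Two style points: the heading comment `# Flow classifier a packet with excess of padding.` should read `# Flow classifier with a packet with excess padding.`, and the two `AT_CHECK([...] , [0], [stdout])` lines carry a stray space before the comma. A negative case for padding above the new 16-bit limit would also document the remaining degrade-to-Ethernet-only behaviour that the flow.c bound still produces.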