On 2/10/21 8:59 PM, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.15.0~git20210104.def6eb1ea+dfsg1-4
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> <t...@security.debian.org>
> Control: found -1 2.10.6+ds1-0+deb10u1
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
> 
> Hi,
> 
> The following vulnerability was published for openvswitch.
> 
> CVE-2020-35498[0]:
> | Packet parsing vulnerability
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2020-35498
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35498
> [1] https://www.openwall.com/lists/oss-security/2021/02/10/4
> 
> Regards,
> Salvatore

Hi Salvatore,

Please find the attached debdiff for the upload to security-master.
Please approve this upload.

Note that Sid is already fixed (with a cherry-picked patch).

Cheers,

Thomas Goirand (zigo)
diff -Nru openvswitch-2.10.6+ds1/build-aux/dist-docs 
openvswitch-2.10.7+ds1/build-aux/dist-docs
--- openvswitch-2.10.6+ds1/build-aux/dist-docs  2021-01-18 13:17:23.000000000 
+0100
+++ openvswitch-2.10.7+ds1/build-aux/dist-docs  2021-02-12 15:48:11.000000000 
+0100
@@ -43,7 +43,7 @@
 mkdir $distdir
 
 # Install manpages.
-${MAKE-make} install-man mandir="$abs_distdir"/man
+${MAKE-make} install-man install-man-rst mandir="$abs_distdir"/man
 (cd $distdir && mv `find man -type f` . && rm -rf man)
 manpages=`cd $distdir && echo *`
 
diff -Nru openvswitch-2.10.6+ds1/configure.ac 
openvswitch-2.10.7+ds1/configure.ac
--- openvswitch-2.10.6+ds1/configure.ac 2021-01-18 13:17:23.000000000 +0100
+++ openvswitch-2.10.7+ds1/configure.ac 2021-02-12 15:48:11.000000000 +0100
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 AC_PREREQ(2.63)
-AC_INIT(openvswitch, 2.10.6, b...@openvswitch.org)
+AC_INIT(openvswitch, 2.10.7, b...@openvswitch.org)
 AC_CONFIG_SRCDIR([datapath/datapath.c])
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_AUX_DIR([build-aux])
diff -Nru openvswitch-2.10.6+ds1/debian/changelog 
openvswitch-2.10.7+ds1/debian/changelog
--- openvswitch-2.10.6+ds1/debian/changelog     2021-01-18 13:18:47.000000000 
+0100
+++ openvswitch-2.10.7+ds1/debian/changelog     2021-02-12 15:48:38.000000000 
+0100
@@ -1,3 +1,15 @@
+openvswitch (2.10.7+ds1-0+deb10u1) buster-security; urgency=medium
+
+  * New upstream point release:
+    - Addresses CVE-2020-35498: denial of service attacks, in which crafted
+      network packets could cause the packet lookup to ignore network header
+      fields from layers 3 and 4. The crafted network packet is an ordinary
+      IPv4 or IPv6 packet with Ethernet padding length above 255 bytes. This
+      causes the packet sanity check to abort parsing header fields after
+      layer 2 (Closes: #982493).
+
+ -- Thomas Goirand <z...@debian.org>  Fri, 12 Feb 2021 15:48:38 +0100
+
 openvswitch (2.10.6+ds1-0+deb10u1) buster-security; urgency=high
 
   * New upstream point release:
diff -Nru openvswitch-2.10.6+ds1/.github/workflows/build-and-test.yml 
openvswitch-2.10.7+ds1/.github/workflows/build-and-test.yml
--- openvswitch-2.10.6+ds1/.github/workflows/build-and-test.yml 2021-01-18 
13:17:23.000000000 +0100
+++ openvswitch-2.10.7+ds1/.github/workflows/build-and-test.yml 2021-02-12 
15:48:11.000000000 +0100
@@ -83,6 +83,8 @@
     - name: checkout
       uses: actions/checkout@v2
 
+    - name: update APT cache
+      run:  sudo apt update || true
     - name: install common dependencies
       run:  sudo apt install -y ${{ env.dependencies }}
     - name: install libunbound
diff -Nru openvswitch-2.10.6+ds1/lib/conntrack.c 
openvswitch-2.10.7+ds1/lib/conntrack.c
--- openvswitch-2.10.6+ds1/lib/conntrack.c      2021-01-18 13:17:23.000000000 
+0100
+++ openvswitch-2.10.7+ds1/lib/conntrack.c      2021-02-12 15:48:11.000000000 
+0100
@@ -640,7 +640,7 @@
 reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
 {
     char *tail = dp_packet_tail(pkt);
-    uint8_t pad = dp_packet_l2_pad_size(pkt);
+    uint16_t pad = dp_packet_l2_pad_size(pkt);
     struct conn_key inner_key;
     const char *inner_l4 = NULL;
     uint16_t orig_l3_ofs = pkt->l3_ofs;
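Review bot: The local `pad` in reverse_nat_packet is the only caller-side variable this diff widens, so any other place that stores the result of `dp_packet_l2_pad_size()` in a `uint8_t` would now truncate silently. No such caller is visible in this diff, so this is something to check for rather than a confirmed defect; building with `-Wconversion` would surface any that exist. The rest of reverse_nat_packet lies outside the hunk, so uses of `pad` further down should also be checked for narrowing.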
diff -Nru openvswitch-2.10.6+ds1/lib/dp-packet.h 
openvswitch-2.10.7+ds1/lib/dp-packet.h
--- openvswitch-2.10.6+ds1/lib/dp-packet.h      2021-01-18 13:17:23.000000000 
+0100
+++ openvswitch-2.10.7+ds1/lib/dp-packet.h      2021-02-12 15:48:11.000000000 
+0100
@@ -65,7 +65,7 @@
 
     /* All the following elements of this struct are copied in a single call
      * of memcpy in dp_packet_clone_with_headroom. */
-    uint8_t l2_pad_size;           /* Detected l2 padding size.
+    uint16_t l2_pad_size;          /* Detected l2 padding size.
                                     * Padding is non-pullable. */
     uint16_t l2_5_ofs;             /* MPLS label stack offset, or UINT16_MAX */
     uint16_t l3_ofs;               /* Network-level header offset,
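Review bot: Widening `l2_pad_size` to `uint16_t` changes the layout of the struct region that, per the comment just above, is copied by a single memcpy in dp_packet_clone_with_headroom. That copy is not visible in this diff; if its length comes from `offsetof`/`sizeof` it follows the change automatically, but it should be confirmed. Anything built against the old header would also need a rebuild, because the field offsets may shift. I would extend the field comment to record the new range, for example `/* Detected l2 padding size (0..UINT16_MAX). Padding is non-pullable. */`. The struct begins and ends outside this hunk.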
@@ -95,8 +95,8 @@
 void *dp_packet_resize_l2_5(struct dp_packet *, int increment);
 static inline void *dp_packet_eth(const struct dp_packet *);
 static inline void dp_packet_reset_offsets(struct dp_packet *);
-static inline uint8_t dp_packet_l2_pad_size(const struct dp_packet *);
-static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint8_t);
+static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *);
+static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint16_t);
 static inline void *dp_packet_l2_5(const struct dp_packet *);
 static inline void dp_packet_set_l2_5(struct dp_packet *, void *);
 static inline void *dp_packet_l3(const struct dp_packet *);
@@ -295,14 +295,14 @@
     b->l4_ofs = UINT16_MAX;
 }
 
-static inline uint8_t
+static inline uint16_t
 dp_packet_l2_pad_size(const struct dp_packet *b)
 {
     return b->l2_pad_size;
 }
 
 static inline void
-dp_packet_set_l2_pad_size(struct dp_packet *b, uint8_t pad_size)
+dp_packet_set_l2_pad_size(struct dp_packet *b, uint16_t pad_size)
 {
     ovs_assert(pad_size <= dp_packet_size(b));
     b->l2_pad_size = pad_size;
diff -Nru openvswitch-2.10.6+ds1/lib/flow.c openvswitch-2.10.7+ds1/lib/flow.c
--- openvswitch-2.10.6+ds1/lib/flow.c   2021-01-18 13:17:23.000000000 +0100
+++ openvswitch-2.10.7+ds1/lib/flow.c   2021-02-12 15:48:11.000000000 +0100
@@ -642,7 +642,7 @@
 
     tot_len = ntohs(nh->ip_tot_len);
     if (OVS_UNLIKELY(tot_len > size || ip_len > tot_len ||
-                size - tot_len > UINT8_MAX)) {
+                size - tot_len > UINT16_MAX)) {
         return false;
     }
 
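Review bot: The `UINT16_MAX` bound on `size - tot_len` is now coupled to the width of `l2_pad_size` in dp-packet.h, but nothing at the check says so. The second hunk in this file, the IPv6 check on `size - (plen + IPV6_HEADER_LEN)`, also drops the old comment without a replacement. I would add a comment to both checks such as `/* Trailing padding must fit in dp_packet's 16-bit l2_pad_size. */`. A frame with more trailing bytes than that still takes `return false`, presumably with the same loss of layer 3 and 4 fields the changelog describes; whether such a frame can reach this code depends on packet size limits not visible here. Both functions start and end outside the hunks.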
@@ -680,8 +680,8 @@
     if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
         return false;
     }
-    /* Jumbo Payload option not supported yet. */
-    if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT8_MAX)) {
+
+    if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT16_MAX)) {
         return false;
     }
 
diff -Nru openvswitch-2.10.6+ds1/lib/odp-util.c 
openvswitch-2.10.7+ds1/lib/odp-util.c
--- openvswitch-2.10.6+ds1/lib/odp-util.c       2021-01-18 13:17:23.000000000 
+0100
+++ openvswitch-2.10.7+ds1/lib/odp-util.c       2021-02-12 15:48:11.000000000 
+0100
@@ -371,7 +371,8 @@
         break;
     }
     default:
-        OVS_NOT_REACHED();
+        ds_put_cstr(ds, ",<error: unknown mdtype>");
+        break;
     }
     ds_put_format(ds, ")");
 }
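Review bot: The new `default:` branch reports an unknown mdtype but not which value was seen, so a reader of the formatted output cannot tell a corrupted attribute from a newer, unsupported type. Consider including the value, for example `ds_put_format(ds, ",<error: unknown mdtype %d>", MDTYPE_VALUE);`, where `MDTYPE_VALUE` is a placeholder for the switch operand, which is outside this hunk. The enclosing function starts before the hunk.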
diff -Nru openvswitch-2.10.6+ds1/NEWS openvswitch-2.10.7+ds1/NEWS
--- openvswitch-2.10.6+ds1/NEWS 2021-01-18 13:17:23.000000000 +0100
+++ openvswitch-2.10.7+ds1/NEWS 2021-02-12 15:48:11.000000000 +0100
@@ -1,3 +1,9 @@
+v2.10.7 - 10 Feb 2021
+---------------------
+   - Bug fixes
+   - Security:
+     * Fixed packet parsing vulnerability CVE-2020-35498.
+
 v2.10.6 - 13 Jan 2021
 ---------------------
    - Bug fixes
diff -Nru openvswitch-2.10.6+ds1/python/setup.py 
openvswitch-2.10.7+ds1/python/setup.py
--- openvswitch-2.10.6+ds1/python/setup.py      2021-01-18 13:17:23.000000000 
+0100
+++ openvswitch-2.10.7+ds1/python/setup.py      2021-02-12 15:48:11.000000000 
+0100
@@ -82,7 +82,7 @@
     ext_modules=[setuptools.Extension("ovs._json", sources=["ovs/_json.c"],
                                       libraries=['openvswitch'])],
     cmdclass={'build_ext': try_build_ext},
-    install_requires=['sortedcontainers'],
+    install_requires=['six', 'sortedcontainers'],
 )
 
 try:
diff -Nru openvswitch-2.10.6+ds1/tests/classifier.at 
openvswitch-2.10.7+ds1/tests/classifier.at
--- openvswitch-2.10.6+ds1/tests/classifier.at  2021-01-18 13:17:23.000000000 
+0100
+++ openvswitch-2.10.7+ds1/tests/classifier.at  2021-02-12 15:48:11.000000000 
+0100
@@ -306,3 +306,39 @@
 ])
 OVS_VSWITCHD_STOP
 AT_CLEANUP
+
+# Flow classifier a packet with excess of padding.
+AT_SETUP([flow classifier - packet with extra padding])
+OVS_VSWITCHD_START
+add_of_ports br0 1 2
+AT_DATA([flows.txt], [dnl
+priority=5,ip,ip_dst=1.1.1.1,actions=1
+priority=5,ip,ip_dst=1.1.1.2,actions=2
+priority=0,actions=drop
+])
+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
+packet=00020202020000010101010008004500001c00010000401176cc01010101010101020d6a00350008ee3a
+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 $packet] , [0], [stdout])
+AT_CHECK([tail -2 stdout], [0],
+  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
+Datapath actions: 2
+])
+# normal packet plus 255 bytes of padding (8bit padding).
+# 255 * 2 = 510
+padding=$(printf '%*s' 510 | tr ' ' '0')
+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}] , [0], 
[stdout])
+AT_CHECK([tail -2 stdout], [0],
+  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
+Datapath actions: 2
+])
+# normal packet plus padding up to 65535 bytes of length (16bit limit).
+# 65535 - 43 = 65492
+# 65492 * 2 = 130984
+padding=$(printf '%*s' 130984 | tr ' ' '0')
+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}], [0], 
[stdout])
+AT_CHECK([tail -2 stdout], [0],
+  [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no
+Datapath actions: 2
+])
+OVS_VSWITCHD_STOP
+AT_CLEANUP
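Review bot: The new cases skip the boundary the fix moves: 255 bytes of padding was already accepted by the old `> UINT8_MAX` check, and there is no 256-byte case, the smallest padding the old code rejected. Only the large-padding case would fail without the fix, and there is no negative case for padding above the new limit. By my count the base packet is 42 bytes (84 hex digits), so `65535 - 43` yields a 65534-byte packet, one short of the stated 16-bit limit; worth confirming which was intended and correcting the comment. The opening comment would read better as `# Flow classifier: packet with excess padding.`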
