Bug#1034245: pre-approval: unblock: openvswitch/3.1.1 (CVE-2023-1668)

2023-04-13 Thread Sebastian Ramacher
On 2023-04-11 12:30:16 +0200, Thomas Goirand wrote:
> Hi,
> 
> I would very much prefer to upload the latest point release from upstream,
> however, if the release team prefers, here's a debdiff, attached to this
> message, containing a more targeted fix.
> 
> Note that the debdiff contains a "quilt refresh" of the ovs-ctl-ipsec.patch
> already present in Bookworm, as I saw offsets when doing "quilt push" (which
> may be annoying depending on your build env). Not sure (because uploaded by
> Luca) how it got in.
> 
> Please let me know your decision (i.e.: latest point release from upstream or
> this patch).

Until somebody has the time to look at the larger diff, I'd propose to
upload the fix now and then worry about the upstream point release.

Cheers

> 
> Cheers,
> 
> Thomas Goirand (zigo)

> diff -Nru openvswitch-3.1.0/debian/changelog 
> openvswitch-3.1.0/debian/changelog
> --- openvswitch-3.1.0/debian/changelog2023-02-21 23:02:16.0 
> +0100
> +++ openvswitch-3.1.0/debian/changelog2023-04-11 11:54:40.0 
> +0200
> @@ -1,3 +1,11 @@
> +openvswitch (3.1.0-2) unstable; urgency=high
> +
> +  * CVE-2023-1668: Remote traffic denial of service via crafted packets with 
> IP
> +proto 0. Applied upstream patch: ofproto-dpif-xlate: Always mask ip proto
> +field (Closes: #1034042).
> +
> + -- Thomas Goirand   Tue, 11 Apr 2023 11:54:40 +0200
> +
>  openvswitch (3.1.0-1) unstable; urgency=medium
>  
>[ Luca Boccassi ]
> diff -Nru 
> openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
>  
> openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
> --- 
> openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
> 1970-01-01 01:00:00.0 +0100
> +++ 
> openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
> 2023-04-11 11:54:40.0 +0200
> @@ -0,0 +1,425 @@
> +Subject: CVE-2023-1668: ofproto-dpif-xlate: Always mask ip proto field.
> + The ofproto layer currently treats nw_proto field as overloaded to mean
> + both that a proper nw layer exists, as well as the value contained in
> + the header for the nw proto.  However, this is incorrect behavior as
> + relevant standards permit that any value, including '0' should be treated
> + as a valid value.
> + .
> + Because of this overload, when the ofproto layer builds action list for
> + a packet with nw_proto of 0, it won't build the complete action list that
> + we expect to be built for the packet.  That will cause a bad behavior
> + where all packets passing the datapath will fall into an incomplete
> + action set.
> + .
> + The fix here is to unwildcard nw_proto, allowing us to preserve setting
> + actions for protocols which we know have support for the actions we
> + program.  This means that a traffic which contains nw_proto == 0 cannot
> + cause connectivity breakage with other traffic on the link.
> +Author: Aaron Conole 
> +Date: Fri, 31 Mar 2023 17:17:27 -0400
> +Reported-by: David Marchand 
> +Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873
> +Acked-by: Ilya Maximets 
> +Signed-off-by: Aaron Conole 
> +Signed-off-by: Ilya Maximets 
> +Origin: upstream, 
> https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9.patch
> +Bug-Debian: https://bugs.debian.org/1034042
> +Last-Update: 2023-04-11
> +
> +diff --git a/include/openvswitch/meta-flow.h 
> b/include/openvswitch/meta-flow.h
> +index 045dce8f5fa..3b0220aaa25 100644
> +--- a/include/openvswitch/meta-flow.h
>  b/include/openvswitch/meta-flow.h
> +@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue 
> *subvalue, struct ds *s);
> + void field_array_set(enum mf_field_id id, const union mf_value *,
> +  struct field_array *);
> + 
> ++/* Mask the required l3 prerequisites if a 'set' action occurs. */
> ++void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *,
> ++struct flow_wildcards *);
> ++
> + #ifdef __cplusplus
> + }
> + #endif
> +diff --git a/lib/meta-flow.c b/lib/meta-flow.c
> +index c576ae6202a..474344194fa 100644
> +--- a/lib/meta-flow.c
>  b/lib/meta-flow.c
> +@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x)
> + bitmap_not(x.bm, MFF_N_IDS);
> + return x;
> + }
> ++
> ++void
> ++mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl,
> ++   struct flow_wildcards *wc)
> ++{
> ++if (is_ip_any(fl) &&
> ++((mf->id == MFF_IPV4_SRC) ||
> ++ (mf->id == MFF_IPV4_DST) ||
> ++ (mf->id == MFF_IPV6_SRC) ||
> ++ (mf->id == MFF_IPV6_DST) ||
> ++ (mf->id == MFF_IPV6_LABEL) ||
> ++ (mf->id == MFF_IP_DSCP) ||
> ++ (mf->id == MFF_IP_ECN) ||
> ++ (mf->id == MFF_IP_TTL))) {
> ++WC_MASK_FIELD(wc, nw_proto);
> ++} else if 

Bug#1034245: pre-approval: unblock: openvswitch/3.1.1 (CVE-2023-1668)

2023-04-11 Thread Thomas Goirand

Hi,

I would very much prefer to upload the latest point release from 
upstream, however, if the release team prefers, here's a debdiff, 
attached to this message, containing a more targeted fix.
Note that the debdiff contains a "quilt refresh" of the 
ovs-ctl-ipsec.patch already present in Bookworm, as I saw offsets when 
doing "quilt push" (which may be annoying depending on your build env). 
Not sure (because uploaded by Luca) how it got in.
Please let me know your decision (i.e.: latest point release from upstream 
or this patch).
Cheers,

Thomas Goirand (zigo)

diff -Nru openvswitch-3.1.0/debian/changelog openvswitch-3.1.0/debian/changelog
--- openvswitch-3.1.0/debian/changelog  2023-02-21 23:02:16.0 +0100
+++ openvswitch-3.1.0/debian/changelog  2023-04-11 11:54:40.0 +0200
@@ -1,3 +1,11 @@
+openvswitch (3.1.0-2) unstable; urgency=high
+
+  * CVE-2023-1668: Remote traffic denial of service via crafted packets with IP
+proto 0. Applied upstream patch: ofproto-dpif-xlate: Always mask ip proto
+field (Closes: #1034042).
+
+ -- Thomas Goirand   Tue, 11 Apr 2023 11:54:40 +0200
+
 openvswitch (3.1.0-1) unstable; urgency=medium
 
   [ Luca Boccassi ]
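Review bot: The changelog entry records only the CVE-2023-1668 patch, but the cover mail says this debdiff also carries a "quilt refresh" of ovs-ctl-ipsec.patch; add a second bullet for that refresh (e.g. `  * Refresh ovs-ctl-ipsec.patch (offsets only).`) so the upload's full content is documented for the release team.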
diff -Nru 
openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
 
openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
--- 
openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
  1970-01-01 01:00:00.0 +0100
+++ 
openvswitch-3.1.0/debian/patches/CVE-2023-1668_ofproto-dpif-xlate_Always_mask_ip_proto_field.patch
  2023-04-11 11:54:40.0 +0200
@@ -0,0 +1,425 @@
+Subject: CVE-2023-1668: ofproto-dpif-xlate: Always mask ip proto field.
+ The ofproto layer currently treats nw_proto field as overloaded to mean
+ both that a proper nw layer exists, as well as the value contained in
+ the header for the nw proto.  However, this is incorrect behavior as
+ relevant standards permit that any value, including '0' should be treated
+ as a valid value.
+ .
+ Because of this overload, when the ofproto layer builds action list for
+ a packet with nw_proto of 0, it won't build the complete action list that
+ we expect to be built for the packet.  That will cause a bad behavior
+ where all packets passing the datapath will fall into an incomplete
+ action set.
+ .
+ The fix here is to unwildcard nw_proto, allowing us to preserve setting
+ actions for protocols which we know have support for the actions we
+ program.  This means that a traffic which contains nw_proto == 0 cannot
+ cause connectivity breakage with other traffic on the link.
+Author: Aaron Conole 
+Date: Fri, 31 Mar 2023 17:17:27 -0400
+Reported-by: David Marchand 
+Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873
+Acked-by: Ilya Maximets 
+Signed-off-by: Aaron Conole 
+Signed-off-by: Ilya Maximets 
+Origin: upstream, 
https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9.patch
+Bug-Debian: https://bugs.debian.org/1034042
+Last-Update: 2023-04-11
+
+diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h
+index 045dce8f5fa..3b0220aaa25 100644
+--- a/include/openvswitch/meta-flow.h
 b/include/openvswitch/meta-flow.h
+@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue 
*subvalue, struct ds *s);
+ void field_array_set(enum mf_field_id id, const union mf_value *,
+  struct field_array *);
+ 
++/* Mask the required l3 prerequisites if a 'set' action occurs. */
++void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *,
++struct flow_wildcards *);
++
+ #ifdef __cplusplus
+ }
+ #endif
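Review bot: The comment on the new mf_set_mask_l3_prereqs() prototype says it masks "the required l3 prerequisites" without naming them; the lib/meta-flow.c implementation below touches exactly one field, nw_proto (via WC_MASK_FIELD for IPv4/IPv6 set actions, via an explicit 0xff for ARP), so the header comment should say that nw_proto is what gets unwildcarded, since that is the property callers rely on to keep a nw_proto == 0 megaflow from matching other traffic.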
+diff --git a/lib/meta-flow.c b/lib/meta-flow.c
+index c576ae6202a..474344194fa 100644
+--- a/lib/meta-flow.c
 b/lib/meta-flow.c
+@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x)
+ bitmap_not(x.bm, MFF_N_IDS);
+ return x;
+ }
++
++void
++mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl,
++   struct flow_wildcards *wc)
++{
++if (is_ip_any(fl) &&
++((mf->id == MFF_IPV4_SRC) ||
++ (mf->id == MFF_IPV4_DST) ||
++ (mf->id == MFF_IPV6_SRC) ||
++ (mf->id == MFF_IPV6_DST) ||
++ (mf->id == MFF_IPV6_LABEL) ||
++ (mf->id == MFF_IP_DSCP) ||
++ (mf->id == MFF_IP_ECN) ||
++ (mf->id == MFF_IP_TTL))) {
++WC_MASK_FIELD(wc, nw_proto);
++} else if ((fl->dl_type == htons(ETH_TYPE_ARP)) &&
++   ((mf->id == MFF_ARP_OP) ||
++(mf->id == MFF_ARP_SHA) ||
++(mf->id == MFF_ARP_THA) ||
++(mf->id == MFF_ARP_SPA) ||
++(mf->id == MFF_ARP_TPA))) {
++/* mask only the lower 8 bits. */
++wc->masks.nw_proto = 0xff;
++}
++}
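Review bot: In the ARP branch the comment `/* mask only the lower 8 bits. */` reads as if nw_proto were wider than 8 bits, but struct flow's nw_proto is a uint8_t that carries the low byte of the ARP opcode, so `wc->masks.nw_proto = 0xff;` does the same thing as the `WC_MASK_FIELD(wc, nw_proto);` used in the IP branch. Use the macro in both branches, or reword the comment to say that nw_proto holds only the low 8 bits of arp_op, so readers do not go looking for a wider mask. The ofproto-dpif-xlate.c part that calls this function is cut off in this copy, so the call sites could not be checked here.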
+diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
+index 
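
The commit message above explains the bug in words: because ofproto used nw_proto != 0 as "an IP layer exists", a packet with IP protocol 0 got an incomplete action list, and because nw_proto stayed wildcarded, the resulting datapath megaflow then matched every other packet with the same L3 header, giving them the incomplete actions too. The following C program is an added, self-contained model of that mechanism written for this thread; it is not OVS code and not part of the debdiff. Its struct flow, flow_wildcards and megaflow cache are toy stand-ins for the real OVS types, "set nw_dst" stands in for any L3 set action, and the fix_nw_proto flag switches between the pre-patch behaviour and the effect of mf_set_mask_l3_prereqs() (unwildcarding nw_proto). The sample packets (10.0.0.1, protocols 0 and 6) are constructed.

```c
/* Toy model (written for this thread, not OVS code) of how a wildcarded
 * nw_proto lets one flow's incomplete action list be reused for unrelated
 * traffic, and how unwildcarding nw_proto prevents it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MEGAFLOWS 8
#define TOY_IPPROTO_TCP 6          /* real IP protocol number, used as sample input */

struct flow {
    uint8_t  nw_proto;             /* IP protocol number; 0 is a legal value */
    uint32_t nw_dst;               /* IPv4 destination */
};

struct flow_wildcards {            /* 1 bits = the cached flow matches on them */
    struct flow masks;
};

struct megaflow {
    struct flow match;
    struct flow_wildcards wc;
    bool has_set_nw_dst;           /* was the "set nw_dst" action emitted? */
};

struct datapath {
    struct megaflow cache[MAX_MEGAFLOWS];
    int n;
    int upcalls;                   /* packets that had to be translated in userspace */
};

/* The overloaded check the commit message describes: "a proper nw layer
 * exists" was inferred from nw_proto != 0. */
static bool nw_layer_known(const struct flow *fl)
{
    return fl->nw_proto != 0;
}

/* Translate "set nw_dst" into an action list and a wildcard mask.
 * fix_nw_proto == false mirrors the pre-patch behaviour (nw_proto stays
 * wildcarded); true mirrors mf_set_mask_l3_prereqs() unwildcarding it. */
static void xlate_set_nw_dst(const struct flow *fl, struct flow_wildcards *wc,
                             bool fix_nw_proto, bool *emitted)
{
    memset(wc, 0, sizeof *wc);
    wc->masks.nw_dst = UINT32_MAX;     /* the set action touches nw_dst */
    if (fix_nw_proto) {
        wc->masks.nw_proto = 0xff;     /* WC_MASK_FIELD(wc, nw_proto) in OVS */
    }
    *emitted = nw_layer_known(fl);     /* skipped for nw_proto == 0 */
}

static bool megaflow_matches(const struct megaflow *mf, const struct flow *fl)
{
    uint8_t pm = mf->wc.masks.nw_proto;
    uint32_t dm = mf->wc.masks.nw_dst;
    return (fl->nw_proto & pm) == (mf->match.nw_proto & pm)
        && (fl->nw_dst & dm) == (mf->match.nw_dst & dm);
}

/* Process one packet: hit the cache if possible, otherwise translate in
 * userspace and install a megaflow. Returns whether this packet got the
 * "set nw_dst" action. */
static bool dp_process(struct datapath *dp, const struct flow *fl, bool fix_nw_proto)
{
    for (int i = 0; i < dp->n; i++) {
        if (megaflow_matches(&dp->cache[i], fl)) {
            return dp->cache[i].has_set_nw_dst;   /* cached actions, no upcall */
        }
    }
    dp->upcalls++;
    struct megaflow tmp, *mf = dp->n < MAX_MEGAFLOWS ? &dp->cache[dp->n++] : &tmp;
    mf->match = *fl;
    xlate_set_nw_dst(fl, &mf->wc, fix_nw_proto, &mf->has_set_nw_dst);
    return mf->has_set_nw_dst;
}

/* Scenario from the commit message: a nw_proto == 0 packet is translated
 * first, then ordinary TCP traffic to the same destination follows.
 * Returns whether the TCP packet received its set action; *upcalls (if
 * non-NULL) receives how many packets went to userspace. */
bool tcp_gets_set_action_after_proto0(bool fix_nw_proto, int *upcalls)
{
    struct datapath dp = { .n = 0, .upcalls = 0 };
    struct flow proto0 = { .nw_proto = 0, .nw_dst = 0x0a000001u };   /* constructed: 10.0.0.1 */
    struct flow tcp = { .nw_proto = TOY_IPPROTO_TCP, .nw_dst = 0x0a000001u };

    dp_process(&dp, &proto0, fix_nw_proto);   /* installs a megaflow with no set action */
    bool result = dp_process(&dp, &tcp, fix_nw_proto);
    if (upcalls) {
        *upcalls = dp.upcalls;
    }
    return result;
}

int main(void)
{
    int u;
    bool before = tcp_gets_set_action_after_proto0(false, &u);
    printf("unpatched: TCP packet gets set action = %d, upcalls = %d\n", before, u);
    bool after = tcp_gets_set_action_after_proto0(true, &u);
    printf("patched:   TCP packet gets set action = %d, upcalls = %d\n", after, u);
    return 0;
}
```

Run it and the unpatched case shows the TCP packet hitting the proto-0 megaflow (one upcall, no set action), while the patched case shows the TCP packet missing that megaflow because nw_proto is now part of the match (two upcalls, set action applied). The model deliberately keeps the overloaded nw_layer_known() check in both cases, because the upstream fix is the mask change, not a change to that check.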

Bug#1034245: pre-approval: unblock: openvswitch/3.1.1 (CVE-2023-1668)

2023-04-11 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

I'd like to upload OpenVSwitch 3.1.1 as the fix for CVE-2023-1668.

The upstream last point release contains only bugfixes; however,
the diff is still kind of significant.

The upstream diff contained lots of noise, like documentation,
tests, an update of the configure script and so on, that made the
diff more difficult to read. I have therefore filtered the diff for
all of this, and rm these in the attached diff:

- rhel (folder)
- Documentation/ref/ovs-actions.7.rst
- config.h.in
- build-aux
- configure
- tests (folder)

Does the release team agree that it's ok to upload 3.1.1, or should
I aim for a more targeted fix?

The diff upstream more specific to this CVE is:
https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9

I would still prefer to include all bugfixes though, if possible.
Please let me know ASAP, as this is a grave security fix.
Also note that I've already sent to the security team the fix for
the version in Bullseye (and I'll probably also attempt to fix
in Buster, maybe later on...).

Cheers,

Thomas Goirand (zigo)
diff -u -N -r openvswitch-3.1.0/aclocal.m4 openvswitch-3.1.1/aclocal.m4
--- openvswitch-3.1.0/aclocal.m42023-02-16 17:31:22.310879633 +0100
+++ openvswitch-3.1.1/aclocal.m42023-04-06 17:12:17.243817086 +0200
@@ -1,6 +1,6 @@
-# generated automatically by aclocal 1.16.2 -*- Autoconf -*-
+# generated automatically by aclocal 1.16.5 -*- Autoconf -*-
 
-# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+# Copyright (C) 1996-2021 Free Software Foundation, Inc.
 
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
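Review bot: This hunk, and the rest of aclocal.m4 below it, is regenerated autotools output from the automake 1.16.2 to 1.16.5 and autoconf 2.69 to 2.71 bump, the same class of noise as the configure, config.h.in and build-aux changes the cover mail says were already filtered out; drop aclocal.m4 from the review diff as well so the release team can focus on the source changes that actually relate to CVE-2023-1668.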
@@ -14,13 +14,13 @@
 m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], 
[])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
-m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.69],,
-[m4_warning([this file was generated for autoconf 2.69.
+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.71],,
+[m4_warning([this file was generated for autoconf 2.71.
 You have another version of autoconf.  It may work, but is not guaranteed to.
 If you have problems, you may need to regenerate the build system entirely.
 To do so, use the procedure documented by the package, typically 
'autoreconf'.])])
 
-# Copyright (C) 2002-2020 Free Software Foundation, Inc.
+# Copyright (C) 2002-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -35,7 +35,7 @@
 [am__api_version='1.16'
 dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
 dnl require some minimum version.  Point them to the right macro.
-m4_if([$1], [1.16.2], [],
+m4_if([$1], [1.16.5], [],
   [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
 ])
 
@@ -51,14 +51,14 @@
 # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
 # This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
 AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.16.2])dnl
+[AM_AUTOMAKE_VERSION([1.16.5])dnl
 m4_ifndef([AC_AUTOCONF_VERSION],
   [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
 _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
 
 # AM_AUX_DIR_EXPAND -*- Autoconf -*-
 
-# Copyright (C) 2001-2020 Free Software Foundation, Inc.
+# Copyright (C) 2001-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -110,7 +110,7 @@
 
 # AM_CONDITIONAL-*- Autoconf -*-
 
-# Copyright (C) 1997-2020 Free Software Foundation, Inc.
+# Copyright (C) 1997-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -141,7 +141,7 @@
 Usually this means the macro was only invoked conditionally.]])
 fi])])
 
-# Copyright (C) 1999-2020 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -332,7 +332,7 @@
 
 # Generate code to set up dependency tracking.  -*- Autoconf -*-
 
-# Copyright (C) 1999-2020 Free Software Foundation, Inc.
+# Copyright (C) 1999-2021 Free Software Foundation, Inc.
 #
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -400,7 +400,7 @@
 
 # Do all the work for Automake. -*- Autoconf -*-
 
-# Copyright (C) 1996-2020 Free Software Foundation, Inc.
+# Copyright (C)