On 2/10/21 8:59 PM, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.15.0~git20210104.def6eb1ea+dfsg1-4
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Control: found -1 2.10.6+ds1-0+deb10u1
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
>
> Hi,
>
> The following vulnerability was published for openvswitch.
>
> CVE-2020-35498[0]:
> | Packet parsing vulnerability
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-35498
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35498
> [1] https://www.openwall.com/lists/oss-security/2021/02/10/4
>
> Regards,
> Salvatore
Hi Salvatore,
Please find the attached debdiff for the upload to security-master.
Please approve this upload.
Note that Sid is already fixed (with a cherry-picked patch).
Cheers,
Thomas Goirand (zigo)
diff -Nru openvswitch-2.10.6+ds1/build-aux/dist-docs
openvswitch-2.10.7+ds1/build-aux/dist-docs
--- openvswitch-2.10.6+ds1/build-aux/dist-docs 2021-01-18 13:17:23.0
+0100
+++ openvswitch-2.10.7+ds1/build-aux/dist-docs 2021-02-12 15:48:11.0
+0100
@@ -43,7 +43,7 @@
mkdir $distdir
# Install manpages.
-${MAKE-make} install-man mandir="$abs_distdir"/man
+${MAKE-make} install-man install-man-rst mandir="$abs_distdir"/man
(cd $distdir && mv `find man -type f` . && rm -rf man)
manpages=`cd $distdir && echo *`
diff -Nru openvswitch-2.10.6+ds1/configure.ac
openvswitch-2.10.7+ds1/configure.ac
--- openvswitch-2.10.6+ds1/configure.ac 2021-01-18 13:17:23.0 +0100
+++ openvswitch-2.10.7+ds1/configure.ac 2021-02-12 15:48:11.0 +0100
@@ -13,7 +13,7 @@
# limitations under the License.
AC_PREREQ(2.63)
-AC_INIT(openvswitch, 2.10.6, b...@openvswitch.org)
+AC_INIT(openvswitch, 2.10.7, b...@openvswitch.org)
AC_CONFIG_SRCDIR([datapath/datapath.c])
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_AUX_DIR([build-aux])
diff -Nru openvswitch-2.10.6+ds1/debian/changelog
openvswitch-2.10.7+ds1/debian/changelog
--- openvswitch-2.10.6+ds1/debian/changelog 2021-01-18 13:18:47.0
+0100
+++ openvswitch-2.10.7+ds1/debian/changelog 2021-02-12 15:48:38.0
+0100
@@ -1,3 +1,15 @@
+openvswitch (2.10.7+ds1-0+deb10u1) buster-security; urgency=medium
+
+ * New upstream point release:
+- Addresses CVE-2020-35498: denial of service attacks, in which crafted
+ network packets could cause the packet lookup to ignore network header
+ fields from layers 3 and 4. The crafted network packet is an ordinary
+ IPv4 or IPv6 packet with Ethernet padding length above 255 bytes. This
+ causes the packet sanity check to abort parsing header fields after
+ layer 2 (Closes: #982493).
+
+ -- Thomas Goirand Fri, 12 Feb 2021 15:48:38 +0100
+
openvswitch (2.10.6+ds1-0+deb10u1) buster-security; urgency=high
* New upstream point release:
diff -Nru openvswitch-2.10.6+ds1/.github/workflows/build-and-test.yml
openvswitch-2.10.7+ds1/.github/workflows/build-and-test.yml
--- openvswitch-2.10.6+ds1/.github/workflows/build-and-test.yml 2021-01-18
13:17:23.0 +0100
+++ openvswitch-2.10.7+ds1/.github/workflows/build-and-test.yml 2021-02-12
15:48:11.0 +0100
@@ -83,6 +83,8 @@
- name: checkout
uses: actions/checkout@v2
+- name: update APT cache
+ run: sudo apt update || true
- name: install common dependencies
run: sudo apt install -y ${{ env.dependencies }}
- name: install libunbound
diff -Nru openvswitch-2.10.6+ds1/lib/conntrack.c
openvswitch-2.10.7+ds1/lib/conntrack.c
--- openvswitch-2.10.6+ds1/lib/conntrack.c 2021-01-18 13:17:23.0
+0100
+++ openvswitch-2.10.7+ds1/lib/conntrack.c 2021-02-12 15:48:11.0
+0100
@@ -640,7 +640,7 @@
reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
{
char *tail = dp_packet_tail(pkt);
-uint8_t pad = dp_packet_l2_pad_size(pkt);
+uint16_t pad = dp_packet_l2_pad_size(pkt);
struct conn_key inner_key;
const char *inner_l4 = NULL;
uint16_t orig_l3_ofs = pkt->l3_ofs;
diff -Nru openvswitch-2.10.6+ds1/lib/dp-packet.h
openvswitch-2.10.7+ds1/lib/dp-packet.h
--- openvswitch-2.10.6+ds1/lib/dp-packet.h 2021-01-18 13:17:23.0
+0100
+++ openvswitch-2.10.7+ds1/lib/dp-packet.h 2021-02-12 15:48:11.0
+0100
@@ -65,7 +65,7 @@
/* All the following elements of this struct are copied in a single call
* of memcpy in dp_packet_clone_with_headroom. */
-uint8_t l2_pad_size; /* Detected l2 padding size.
+uint16_t l2_pad_size; /* Detected l2 padding size.
* Padding is non-pullable. */
uint16_t l2_5_ofs;