Hello community,

here is the log from the commit of package frr for openSUSE:Factory checked in at 2024-08-23 22:27:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/frr (Old)
 and      /work/SRC/openSUSE:Factory/.frr.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "frr" Fri Aug 23 22:27:25 2024 rev:34 rq:1195727 version:10.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/frr/frr.changes 2024-08-10 19:12:41.289960458 +0200 +++ /work/SRC/openSUSE:Factory/.frr.new.2698/frr.changes 2024-08-23 22:28:18.544995204 +0200 @@ -1,0 +2,15 @@ +Thu Aug 22 13:02:19 UTC 2024 - Marius Tomaschewski <[email protected]> + +- Apply upstream fix for crash in bgp_attr_encap that were missing + a check of the actual remaining stream length before taking the + TLV value (CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502): + + 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch +- Re-added 0001-disable-zmq-test.patch to avoid (sporadic or arch + specific, e.g. aarch64) "make check" test failures (bsc#1180217). + + 0001-disable-zmq-test.patch +- Re-added hardening patch for systemd service(s) (bsc#1181400): + + harden_frr.service.patch +- Cleanup unknown --enable-systemd and correct the --sysconfdir + and --localstatedir configure options to not end in â¦/frr. + +------------------------------------------------------------------- 
@@ -34,0 +50 @@ + New: ---- 0001-disable-zmq-test.patch 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch harden_frr.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ frr.spec ++++++ --- /var/tmp/diff_new_pack.Voe464/_old 2024-08-23 22:28:19.061016666 +0200 +++ /var/tmp/diff_new_pack.Voe464/_new 2024-08-23 22:28:19.065016832 +0200 @@ -39,6 +39,9 @@ #Git-Clone: https://github.com/FRRouting/frr.git Source: https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz Source1: %{name}-tmpfiles.d +Patch0: harden_frr.service.patch +Patch1: 0001-disable-zmq-test.patch +Patch2: 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bison >= 2.7 @@ -78,7 +81,7 @@ Requires(post): %{install_info_prereq} Requires(pre): %{install_info_prereq} Requires(pre): shadow -Requires(preun): %{install_info_prereq} +Requires(preun):%{install_info_prereq} Recommends: logrotate Conflicts: quagga Provides: zebra = %{version} @@ -204,8 +207,8 @@ autoreconf -fiv %configure \ --disable-silent-rules \ - --sysconfdir=%{_sysconfdir}/%{name} \ - --localstatedir=%{frr_statedir} \ + --sysconfdir=%{_sysconfdir}\ + --localstatedir=%{_rundir} \ --sbindir=%{frr_daemondir} \ --with-moduledir=%{_libdir}/frr/modules \ --disable-static \ 
@@ -259,9 +262,8 @@ --with-crypto=openssl \ --enable-config-rollbacks \ %if %{with grpc} - --enable-grpc \ + --enable-grpc %endif - --enable-systemd make %{?_smp_mflags} MAKEINFO="makeinfo --no-split" ++++++ 0001-disable-zmq-test.patch ++++++ >From a19581f960db4c5f4f3b759e2d7ecf3e9ac73381 Mon Sep 17 00:00:00 2001 From: Ruben Torrero Marijnissen <[email protected]> Date: Mon, 21 Dec 2020 18:36:43 +0000 Subject: [PATCH] tests: disable zeromq tests due to build service timeouts References: bsc#1180217 --- tests/lib/test_zmq.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/lib/test_zmq.py b/tests/lib/test_zmq.py index 1f8ee5416..b298fe7b5 100644 --- a/tests/lib/test_zmq.py +++ b/tests/lib/test_zmq.py @@ -5,8 +5,7 @@ import os program = "./test_zmq" @pytest.mark.skipif( - 'S["ZEROMQ_TRUE"]=""\n' not in open("../config.status").readlines(), - reason="ZEROMQ not enabled", + reason="Test disabled due to intermittent build service timeouts" ) def test_refout(self): return super(TestZMQ, self).test_refout() -- 2.29.2 ++++++ 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch ++++++ >From 605485a7c470f6e49c3f5712f2c4692fea3019e7 Mon Sep 17 00:00:00 2001 
From: Donatas Abraitis <[email protected]> Date: Wed, 31 Jul 2024 08:35:14 +0300 Subject: [PATCH] bgpd: Check the actual remaining stream length before taking TLV value Upstream: yes References: CVE-2024-44070,bsc#1229438,gh#FRRouting/frr#16502 ``` 0 0xb50b9f898028 in __sanitizer_print_stack_trace (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x368028) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) 1 0xb50b9f7ed8e4 in fuzzer::PrintStackTrace() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2bd8e4) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) 2 0xb50b9f7d4d9c in fuzzer::Fuzzer::CrashCallback() (/home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/.libs/bgpd+0x2a4d9c) (BuildId: 3292703ed7958b20076550c967f879db8dc27ca7) 3 0xe0d12d7469cc (linux-vdso.so.1+0x9cc) (BuildId: 1a77697e9d723fe22246cfd7641b140c427b7e11) 4 0xe0d12c88f1fc in __pthread_kill_implementation nptl/pthread_kill.c:43:17 5 0xe0d12c84a678 in gsignal signal/../sysdeps/posix/raise.c:26:13 6 0xe0d12c83712c in abort stdlib/abort.c:79:7 7 0xe0d12d214724 in _zlog_assert_failed /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/zlog.c:789:2 8 0xe0d12d1285e4 in stream_get /home/ubuntu/frr-public/frr_public_private-libfuzzer/lib/stream.c:324:3 9 0xb50b9f8e47c4 in bgp_attr_encap /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:2758:3 10 0xb50b9f8dcd38 in bgp_attr_parse /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_attr.c:3783:10 11 0xb50b9faf74b4 in bgp_update_receive /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:2383:20 12 0xb50b9faf1dcc in bgp_process_packet /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_packet.c:4075:11 13 0xb50b9f8c90d0 in LLVMFuzzerTestOneInput /home/ubuntu/frr-public/frr_public_private-libfuzzer/bgpd/bgp_main.c:582:3 ``` Reported-by: Iggy Frankovic <[email protected]> 
Signed-off-by: Donatas Abraitis <[email protected]> (cherry picked from commit 0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5) diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index 40e074d058..4ebb45e3de 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -2727,6 +2727,14 @@ static int bgp_attr_encap(struct bgp_attr_parser_args *args) args->total); } + if (STREAM_READABLE(BGP_INPUT(peer)) < sublength) { + zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining stream length %zu", + sublength, STREAM_READABLE(BGP_INPUT(peer))); + return bgp_attr_malformed(args, + BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, + args->total); + } + /* alloc and copy sub-tlv */ /* TBD make sure these are freed when attributes are released */ tlv = XCALLOC(MTYPE_ENCAP_TLV, -- 2.43.0 ++++++ harden_frr.service.patch ++++++ Index: frr-frr-8.1/tools/frr.service.in =================================================================== --- frr-frr-8.1.orig/tools/frr.service.in +++ frr-frr-8.1/tools/frr.service.in @@ -7,6 +7,16 @@ Before=network.target OnFailure=heartbeat-failed@%n [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ReadWritePaths=/etc/frr +ProtectHome=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Nice=-5 Type=forking NotifyAccess=all Index: frr-frr-8.1/tools/[email protected] =================================================================== --- frr-frr-8.1.orig/tools/[email protected] +++ frr-frr-8.1/tools/[email protected] 
@@ -7,6 +7,16 @@ Before=network.target OnFailure=heartbeat-failed@%n [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ReadWritePaths=/etc/frr +ProtectHome=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Nice=-5 Type=forking NotifyAccess=all
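Review bot: in the frr.spec hunk at @@ -78,7 +81,7 @@, `Requires(preun):%{install_info_prereq}` lost the whitespace after the tag that the neighbouring `Requires(post):` and `Requires(pre):` lines keep. The change is unrelated to the three fixes in the changelog entry and looks unintended; restoring the alignment keeps the hunk out of the diff.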
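Review bot: in the frr.spec hunk at @@ -204,8 +207,8 @@, `--sysconfdir=%{_sysconfdir}\` drops the space before the continuation backslash that every other option in the `%configure` call has, so the argument separation now depends on the leading whitespace of the next line. Write it as `--sysconfdir=%{_sysconfdir} \`. Since `--localstatedir` moves from `%{frr_statedir}` to `%{_rundir}` in the same hunk, the changelog entry would also benefit from naming the resulting directories, because the service hardening patch in this commit whitelists only /etc/frr for writing.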
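Review bot: in the frr.spec hunk at @@ -259,9 +262,8 @@, `--enable-config-rollbacks \` still ends in a continuation backslash, but with `--enable-systemd` removed the only option left after it is `--enable-grpc` inside `%if %{with grpc}`. When grpc is disabled, the configure command continues into whatever follows `%endif`; unless a blank line separates them, `make %{?_smp_mflags} MAKEINFO="makeinfo --no-split"` ends up as configure arguments. Suggest making the last unconditional option the one without a backslash and moving the conditional `--enable-grpc \` above it.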
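Review bot: in 0001-disable-zmq-test.patch, the decorator in tests/lib/test_zmq.py becomes `@pytest.mark.skipif(reason=...)` with no condition, so the marker name promises a condition that no longer exists and the skip is unconditional only implicitly. `@pytest.mark.skip(reason="Test disabled due to intermittent build service timeouts")` states the intent directly. The changelog describes the failures as sporadic or arch specific (e.g. aarch64); keeping the original `config.status` check and skipping only on the affected architectures would preserve the ZeroMQ test coverage elsewhere.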
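Review bot: in 0002-bgpd-Check-the-actual-remaining-stream-length-before.patch, the new `STREAM_READABLE(BGP_INPUT(peer)) < sublength` check in bgp_attr_encap arrives without a regression test; the diff touches only bgpd/bgp_attr.c. The trace in the commit message shows the failure as an assertion abort in stream_get reached from bgp_update_receive, so an UPDATE whose Tunnel Encap sub-TLV length exceeds the remaining stream is worth pinning down in a test that expects `bgp_attr_malformed` with `BGP_NOTIFY_UPDATE_OPT_ATTR_ERR` instead of a daemon exit. Minor: `sublength` is printed with `%d` in the `zlog_err` call while its declaration is outside the hunk; confirm the specifier matches its type (`%u` if it is unsigned).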
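Review bot: in harden_frr.service.patch, the `Index:` and `---`/`+++` paths still name frr-frr-8.1 while the package is at version 10.0.1, so the patch applies only because the top-level directory is stripped; refresh it against the current tree so it applies without offset or fuzz. On the content, `ProtectSystem=full` makes /etc read-only and `ReadWritePaths=/etc/frr` reopens only that directory; because this commit also changes `--sysconfdir` to `%{_sysconfdir}`, confirm the daemons still write their configuration under /etc/frr and nowhere else in /etc. The identical block is added to both unit templates and has to be kept in sync by hand.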
