Hello community, here is the log from the commit of package libndp for openSUSE:Factory checked in at 2024-07-08 19:06:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libndp (Old) and /work/SRC/openSUSE:Factory/.libndp.new.2080 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libndp" Mon Jul 8 19:06:58 2024 rev:9 rq:1185980 version:1.8 Changes: -------- --- /work/SRC/openSUSE:Factory/libndp/libndp.changes 2022-01-20 00:12:07.814569263 +0100 +++ /work/SRC/openSUSE:Factory/.libndp.new.2080/libndp.changes 2024-07-08 19:07:17.080599353 +0200 @@ -1,0 +2,6 @@ +Thu Jun 27 20:52:57 UTC 2024 - Michael Gorse <mgo...@suse.com> + +- Add libndp-CVE-2024-5564.patch: add a check on the route + information option length field (bsc#1225771 CVE-2024-5564). + +------------------------------------------------------------------- New: ---- libndp-CVE-2024-5564.patch BETA DEBUG BEGIN: New: - Add libndp-CVE-2024-5564.patch: add a check on the route information option length field (bsc#1225771 CVE-2024-5564). BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libndp.spec ++++++ --- /var/tmp/diff_new_pack.t27Deh/_old 2024-07-08 19:07:17.792625394 +0200 +++ /var/tmp/diff_new_pack.t27Deh/_new 2024-07-08 19:07:17.796625540 +0200 @@ -1,7 +1,7 @@ # # spec file for package libndp # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,6 +24,8 @@ Group: Productivity/Networking/Other URL: http://libndp.org/ Source: http://libndp.org/files/libndp-%{version}.tar.gz +# PATCH-FIX-UPSTREAM libndp-CVE-2024-5564.patch bsc#1225771 mgo...@suse.com -- add a check on the route information option length field. +Patch0: libndp-CVE-2024-5564.patch BuildRequires: pkgconfig %description @@ -49,7 +51,7 @@ programs using libndp. %prep -%setup -q +%autosetup -p1 %build %configure \ ++++++ libndp-CVE-2024-5564.patch ++++++ >From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001 
From: Hangbin Liu <liuhang...@gmail.com> Date: Wed, 5 Jun 2024 11:57:43 +0800 Subject: [PATCH] libndp: valid route information option length RFC 4191 specifies that the Route Information Option Length should be 1, 2, or 3, depending on the Prefix Length. A malicious node could potentially trigger a buffer overflow and crash the tool by sending an IPv6 router advertisement message containing the "Route Information" option with a "Length" field larger than 3. To address this, add a check on the length field. Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)") Reported-by: Evgeny Vereshchagin <evv...@gmail.com> Suggested-by: Felix Maurer <fmau...@redhat.com> Signed-off-by: Hangbin Liu <liuhang...@gmail.com> Signed-off-by: Jiri Pirko <j...@nvidia.com> --- libndp/libndp.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libndp/libndp.c b/libndp/libndp.c index 6314717..72ec92e 100644 --- a/libndp/libndp.c +++ b/libndp/libndp.c @@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data) */ if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2) return false; + + /* The Length field is 1, 2, or 3 depending on the Prefix Length. + * If Prefix Length is greater than 64, then Length must be 3. + * If Prefix Length is greater than 0, then Length must be 2 or 3. + * If Prefix Length is zero, then Length must be 1, 2, or 3. + */ + if (ri->nd_opt_ri_len > 3 || + (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) || + (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1)) + return false; + return true; } -- 2.45.0
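Review bot: the new condition in ndp_msg_opt_route_check_valid() rejects `ri->nd_opt_ri_len > 3` but lets a Length of 0 through, although the comment directly above it says the field is 1, 2, or 3. With nd_opt_ri_len == 0 and a prefix length of 64 or less, none of the three clauses is true and the function returns true. Unless a zero-length option is already rejected before this function is called (not visible in this hunk), widen the first clause to `ri->nd_opt_ri_len < 1 || ri->nd_opt_ri_len > 3`. The check also puts no upper bound on nd_opt_ri_prefix_len: RFC 4191 limits Prefix Length to 0 through 128, so a value above 128 combined with Length 3 still passes here and is worth rejecting in the same condition.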