Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Dear release team,
I'd like to update openvswitch.
[ Reason ]
Indeed, the updated version I would like to push contains a fix for
CVE-2021-36980 (Debian bug #991308), and a fix for having libofproto
properly installed if activating dpdk (which fixes #992406 and
#989585). This update-alternatives fix has been in Unstable for a long
time already.
[ Impact ]
- CVE-2021-36980.
- Non-working DPDK setup when using LLDP.
[ Tests ]
The OVS package has a test suite that's run at build time.
We also set it in real production and it worked for us.
[ Risks ]
IMO, code is rather trivial.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Cheers,
Thomas Goirand (zigo)
diff -Nru openvswitch-2.15.0+ds1/debian/changelog
openvswitch-2.15.0+ds1/debian/changelog
--- openvswitch-2.15.0+ds1/debian/changelog 2021-02-20 21:58:03.0
+0100
+++ openvswitch-2.15.0+ds1/debian/changelog 2022-01-03 13:53:38.0
+0100
@@ -1,3 +1,14 @@
+openvswitch (2.15.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+ * CVE-2021-36980: use-after-free in decode_NXAST_RAW_ENCAPAdd. Add upstream
+patch (Closes: #991308).
+
+ [ Felix Moessbauer ]
+ * fix ABI incompatibility that crashes OVS when enabling LLDP
+(Closes: #992406).
+
+ -- Thomas Goirand Mon, 03 Jan 2022 13:53:38 +0100
+
openvswitch (2.15.0+ds1-2) unstable; urgency=medium
* Mipsel64 and mipsel: blacklist more tests, as they are failing on these
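Review bot: In the new 2.15.0+ds1-2+deb11u1 entry, the CVE line names the function as "decode_NXAST_RAW_ENCAPAdd", while the patch description later in this debdiff calls it 'decode_NXAST_RAW_ENCAP'. The trailing "Add" looks like a stray duplicate of the start of the next sentence and should be dropped. The LLDP item closes only #992406, although the request text says the libofproto fix also resolves #989585. If so, list both as "(Closes: #992406, #989585)" so the second bug is closed on upload.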
diff -Nru openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in
openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in
--- openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in
2021-02-20 21:58:03.0 +0100
+++ openvswitch-2.15.0+ds1/debian/openvswitch-common.postinst.in
2022-01-03 13:53:38.0 +0100
@@ -4,7 +4,8 @@
if [ "${1}" = "configure" ] ; then
update-alternatives --install /usr/sbin/ovs-vswitchd ovs-vswitchd
/usr/lib/openvswitch-common/ovs-vswitchd 100 \
---slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0
libopenvswitch.so /usr/lib/openvswitch-common/libopenvswitch-2.15.so.0.0.0
+--slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0
libopenvswitch.so /usr/lib/openvswitch-common/libopenvswitch-2.15.so.0.0.0 \
+--slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libofproto-2.15.so.0.0.0
libofproto.so /usr/lib/openvswitch-common/libofproto-2.15.so.0.0.0
fi
#DEBHELPER#
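Review bot: The added libofproto.so slave in the update-alternatives call points at /usr/lib/openvswitch-common/libofproto-2.15.so.0.0.0, but the visible part of this debdiff does not show that file being installed there. It also does not show the library being removed from a regular-file location under /usr/lib/%%MULTIARCH_TRIPLETT%%. Please confirm that the package ships the library in the private directory and that no regular file remains at the link path. By default update-alternatives keeps an existing non-symlink file at the link location, so the slave link would not be created.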
diff -Nru openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in
openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in
--- openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in
2021-02-20 21:58:03.0 +0100
+++ openvswitch-2.15.0+ds1/debian/openvswitch-switch-dpdk.postinst.in
2022-01-03 13:53:38.0 +0100
@@ -4,7 +4,8 @@
if [ "${1}" = "configure" ] ; then
update-alternatives --install /usr/sbin/ovs-vswitchd ovs-vswitchd
/usr/lib/openvswitch-switch-dpdk/ovs-vswitchd-dpdk 200 \
---slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0
libopenvswitch.so /usr/lib/openvswitch-switch-dpdk/libopenvswitch-2.15.so.0.0.0
+--slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libopenvswitch-2.15.so.0.0.0
libopenvswitch.so /usr/lib/openvswitch-switch-dpdk/libopenvswitch-2.15.so.0.0.0
\
+--slave /usr/lib/%%MULTIARCH_TRIPLETT%%/libofproto-2.15.so.0.0.0
libofproto.so /usr/lib/openvswitch-switch-dpdk/libofproto-2.15.so.0.0.0
fi
#DEBHELPER#
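Review bot: The libofproto.so slave is now declared twice: here at priority 200 with files under /usr/lib/openvswitch-switch-dpdk/, and in openvswitch-common.postinst.in at priority 100. The two slave lists must stay identical in link path and name, otherwise switching between the ovs-vswitchd alternatives will not repoint both libraries together. The [ Tests ] section mentions only the build-time suite and a production deployment. An upgrade test from 2.15.0+ds1-2 with openvswitch-switch-dpdk installed would cover the case this hunk fixes, checking that "update-alternatives --display ovs-vswitchd" lists both slaves pointing into the dpdk directory.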
diff -Nru
openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
---
openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
1970-01-01 01:00:00.0 +0100
+++
openvswitch-2.15.0+ds1/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
2022-01-03 13:53:38.0 +0100
@@ -0,0 +1,87 @@
+Description: CVE-2021-36980: ofp-actions: Fix use-after-free while decoding
RAW_ENCAP.
+ While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
+ ofpbuf if there is no enough space left. However, function
+ 'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
+ structure leading to write-after-free and incorrect decoding.
+ .
+ ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
+ 0x6060011a at pc 0x005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
+ WRITE of size 2 at 0x6060011a thread T0
+ #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
+ #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
+ #2 0x5ed17c in