Bug#802942: jessie-pu: package lldpd/0.7.11-2

2015-10-27 Thread Adam D. Barratt 
Control: tags -1 + pending

On Mon, 2015-10-26 at 14:06 +0100, Vincent Bernat wrote:
>  ❦ 25 octobre 2015 13:07 GMT, "Adam D. Barratt"  :
> 
> >> I would like to push the attached patch to jessie-pu to fix some
> >> security problems present in lldpd: lldpd can crash when receiving
> >> malformed LLDP management addresses. I have been in contact with
> >> security team and they think a stable update is good enough. Patches
> >> come from upstream.
> >
> > Please go ahead.
> 
> Uploaded.

Flagged for acceptance.

> >> I will also have to upload an update for wheezy which is affected as
> >> well. Should I use this same bug number or open a new one?
> >
> > Please open a new bug. At the very least the updates for wheezy and
> > jessie will be released in separate point releases so need to be
> > separately trackable.
> 
> My bad, the version in wheezy is not vulnerable.

Okay.

Regards,

Adam

Bug#802942: jessie-pu: package lldpd/0.7.11-2

2015-10-26 Thread Vincent Bernat 
 ❦ 25 octobre 2015 13:07 GMT, "Adam D. Barratt"  :

>> I would like to push the attached patch to jessie-pu to fix some
>> security problems present in lldpd: lldpd can crash when receiving
>> malformed LLDP management addresses. I have been in contact with
>> security team and they think a stable update is good enough. Patches
>> come from upstream.
>
> Please go ahead.

Uploaded.

>> I will also have to upload an update for wheezy which is affected as
>> well. Should I use this same bug number or open a new one?
>
> Please open a new bug. At the very least the updates for wheezy and
> jessie will be released in separate point releases so need to be
> separately trackable.

My bad, the version in wheezy is not vulnerable.
-- 
Use debugging compilers.
- The Elements of Programming Style (Kernighan & Plauger)


signature.asc
Description: PGP signature

Bug#802942: jessie-pu: package lldpd/0.7.11-2

2015-10-25 Thread Vincent Bernat 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi!

I would like to push the attached patch to jessie-pu to fix some
security problems present in lldpd: lldpd can crash when receiving
malformed LLDP management addresses. I have been in contact with
security team and they think a stable update is good enough. Patches
come from upstream.

I will also have to upload an update for wheezy which is affected as
well. Should I use this same bug number or open a new one?

- -- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCAAGBQJWLM2OAAoJEJWkL+g1NSX5XPIP/3Ph55SbIng0TD4sZyk/yTwv
k/30N3Xe7EAO9SQeNeQ/anBQOjJkowZTdWbSx7JspMWf6K8y8UO8+9oRAC2EeQe3
810N8Mj2NFyK8LDWiwZgGnsBjIdtwg0N7c05gUG26z+LepchJ01FP6e7SE+tk877
OuwJxU6QooCBJcAh+VHu0zqiRdR/TkCL4Yr5mIgcQnI8Kxk/f9U77gGruiOeb/jr
YeN5JbrF6yH46Bg/loHgt+iyck7KSnlXgiKqCsd/Vcc4s/nF3KHular0oii/8oec
DHhbrr+1yZWF605WJbK9rRrrKKQFr4+uPRlg5AbQBAZOb3C6rhGDiS4xlpFE6QVU
CL3/aEkLqRPQ5LV+ps8XBFAvj+3PQaJjpOeksOAcVUJVXLRvZsI1BDTb9ArPXtX9
baMqSpmGjRdSj3b99sGIKnfyzZbOgiM5N5SFQXB/mgr2m40YlzfkeWAJrGIS9TEa
0NFp2QEg8pCfQeFo1S3T7FCX8TO/JPyLPVmQvTe+80g11lpIFhqXD1JwAkj4wDoo
YtMK8F9bocJaPEsJ3tHVblD+zRKld9LDASWKEPj6czj/uAA+ZvaHQ2AyYhD/lhHT
DLJs0hKWZs4CC3Ht8n5/0OFA3UQEpI1npioR0+Qi36smfb+9yTtuL6S9ip3+edwm
NeW8E4mLWj3OvpdCVM1+
=ZmXr
-END PGP SIGNATURE-
diff --git a/debian/changelog b/debian/changelog
index f3e44f04b0e6..f9097375eee4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+lldpd (0.7.11-2+deb8u1) jessie; urgency=medium
+
+  * Fix a segfault when receiving incorrectly formed LLDP management
+addresses:
+ - 0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
+  * Fix an assert error when receiving incorrectly formed LLDP management
+addresses:
+ - 0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
+
+ -- Vincent Bernat   Sun, 25 Oct 2015 13:20:22 +0100
+
 lldpd (0.7.11-2) unstable; urgency=medium
 
   * Cherry-pick 0001-lib-fix-pkgconfig-file-substitutions.patch to fix
diff --git a/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
new file mode 100644
index ..ee73682ad2a2
--- /dev/null
+++ b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
@@ -0,0 +1,36 @@
+From 805fbe5f18ef170c63aa2e529acf92c95d3b83b1 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat 
+Date: Sun, 4 Oct 2015 01:50:38 +0200
+Subject: [PATCH 1/2] lldp: fix a buffer overflow when handling management
+ address TLV
+
+When a remote device was advertising a too large management address
+while still respecting TLV boundaries, lldpd would crash due to a buffer
+overflow. However, the buffer being a static one, this buffer overflow
+is not exploitable if hardening was not disabled. This bug exists since
+version 0.5.6.
+---
+ src/daemon/lldp.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c
+index ae01ccc5078a..cc3585623476 100644
+--- a/src/daemon/lldp.c
 b/src/daemon/lldp.c
+@@ -625,7 +625,12 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
+ 		case LLDP_TLV_MGMT_ADDR:
+ 			CHECK_TLV_SIZE(1, "Management address");
+ 			addr_str_length = PEEK_UINT8;
+-			CHECK_TLV_SIZE(addr_str_length, "Management address");
++			if (addr_str_length > sizeof(addr_str_buffer)) {
++log_warnx("lldp", "too large management address on %s",
++hardware->h_ifname);
++goto malformed;
++			}
++			CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
+ 			PEEK_BYTES(addr_str_buffer, addr_str_length);
+ 			addr_length = addr_str_length - 1;
+ 			addr_family = addr_str_buffer[0];
+-- 
+2.6.2
+
diff --git a/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
new file mode 100644
index ..ad61ea2904c6
--- /dev/null
+++ b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
@@ -0,0 +1,135 @@
+From 18d81c30e6bc2f2c6b6e591c10893b9cd6f227aa Mon Sep 17 00:00:00 2001
+From: Vincent Bernat 
+Date: Sun, 4 Oct 2015 02:24:29 +0200
+Subject: [PATCH 2/2] protocols: don't use assert on paths that can be reached
+
+Malformed packets should not make lldpd crash. Ensure we can handle them
+by not using assert() in this part.
+---
+ src/daemon/cdp.c   | 10 +++---
+ src/daemon/edp.c

Bug#802942: jessie-pu: package lldpd/0.7.11-2

2015-10-25 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Sun, 2015-10-25 at 13:39 +0100, Vincent Bernat wrote:
> I would like to push the attached patch to jessie-pu to fix some
> security problems present in lldpd: lldpd can crash when receiving
> malformed LLDP management addresses. I have been in contact with
> security team and they think a stable update is good enough. Patches
> come from upstream.

Please go ahead.

> I will also have to upload an update for wheezy which is affected as
> well. Should I use this same bug number or open a new one?

Please open a new bug. At the very least the updates for wheezy and
jessie will be released in separate point releases so need to be
separately trackable.

Regards,

Adam