Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Hi!

I would like to push the attached patch to jessie-pu to fix some
security problems present in lldpd: lldpd can crash when receiving
malformed LLDP management addresses. I have been in contact with
the security team and they think a stable update is good enough. Patches
come from upstream.

I will also have to upload an update for wheezy which is affected as
well. Should I use this same bug number or open a new one?

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.3.0-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index f3e44f04b0e6..f9097375eee4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+lldpd (0.7.11-2+deb8u1) jessie; urgency=medium
+
+ * Fix a segfault when receiving incorrectly formed LLDP management
+addresses:
+ - 0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
+ * Fix an assert error when receiving incorrectly formed LLDP management
+addresses:
+ - 0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
+
+ -- Vincent Bernat Sun, 25 Oct 2015 13:20:22 +0100
+
lldpd (0.7.11-2) unstable; urgency=medium
* Cherry-pick 0001-lib-fix-pkgconfig-file-substitutions.patch to fix
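Review bot: The new 0.7.11-2+deb8u1 entry names the two patch files but gives no bug number or other reference for the crashes it fixes. If a reference exists for this issue, cite it in the entry so the stable update can be traced back to the report.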
diff --git a/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
new file mode 100644
index ..ee73682ad2a2
--- /dev/null
+++ b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
@@ -0,0 +1,36 @@
+From 805fbe5f18ef170c63aa2e529acf92c95d3b83b1 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat
+Date: Sun, 4 Oct 2015 01:50:38 +0200
+Subject: [PATCH 1/2] lldp: fix a buffer overflow when handling management
+ address TLV
+
+When a remote device was advertising a too large management address
+while still respecting TLV boundaries, lldpd would crash due to a buffer
+overflow. However, the buffer being a static one, this buffer overflow
+is not exploitable if hardening was not disabled. This bug exists since
+version 0.5.6.
+---
+ src/daemon/lldp.c | 7 ++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c
+index ae01ccc5078a..cc3585623476 100644
+--- a/src/daemon/lldp.c
b/src/daemon/lldp.c
+@@ -625,7 +625,12 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
+ case LLDP_TLV_MGMT_ADDR:
+ CHECK_TLV_SIZE(1, "Management address");
+ addr_str_length = PEEK_UINT8;
+- CHECK_TLV_SIZE(addr_str_length, "Management address");
++ if (addr_str_length > sizeof(addr_str_buffer)) {
++log_warnx("lldp", "too large management address on %s",
++hardware->h_ifname);
++goto malformed;
++ }
++ CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
+ PEEK_BYTES(addr_str_buffer, addr_str_length);
+ addr_length = addr_str_length - 1;
+ addr_family = addr_str_buffer[0];
+--
+2.6.2
+
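Review bot: In the LLDP_TLV_MGMT_ADDR case, the new test bounds addr_str_length from above only, so a length of zero still passes. PEEK_BYTES then copies nothing, `addr_length = addr_str_length - 1` goes below zero (or wraps, depending on the variable's type), and `addr_family = addr_str_buffer[0]` reads a byte this TLV never supplied. Consider rejecting a zero addr_str_length in the same condition that jumps to malformed, unless a check outside this hunk already covers it.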
diff --git a/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
new file mode 100644
index ..ad61ea2904c6
--- /dev/null
+++ b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
@@ -0,0 +1,135 @@
+From 18d81c30e6bc2f2c6b6e591c10893b9cd6f227aa Mon Sep 17 00:00:00 2001
+From: Vincent Bernat
+Date: Sun, 4 Oct 2015 02:24:29 +0200
+Subject: [PATCH 2/2] protocols: don't use assert on paths that can be reached
+
+Malformed packets should not make lldpd crash. Ensure we can handle them
+by not using assert() in this part.
+---
+ src/daemon/cdp.c | 10 +++---
+ src/daemon/edp.c