Bug#999673: bullseye-pu: package lldpd/1.0.11-1
❦ 29 November 2021 17:32 GMT, Adam D. Barratt: >> > What you've uploaded to bullseye is *not* what you proposed in this >> > request, however. >> > >> > The debdiff attached to this bug report amounts to "4 files >> > changed, >> > 130 insertions(+)", the uploaded package is "39 files changed, 561 >> > insertions(+), 221 deletions(-)" and includes a new upstream >> > release. >> >> Ugh. Very sorry about that! >> >> Here is the appropriate diff. How can I sort out my bad upload? >> Bumping the version number? I hold uploading anything else until you >> approve. > > Ah, I see the confusion - you used the wrong base upload when > generating the first diff. As that resulted in an upload of 1.0.12- > 1+deb11u1 and the fixed package will be 1.0.11-1+deb11u1, they can co- > exist in the processing queue - free to upload the new diff and we will > deal with rejecting the larger diff. Thanks! Done. -- "... all the modern inconveniences ..." -- Mark Twain
Bug#999673: bullseye-pu: package lldpd/1.0.11-1
On Sat, 2021-11-27 at 23:32 +0100, Vincent Bernat wrote: > ❦ 27 November 2021 17:43 GMT, Adam D. Barratt: > > > > > Package: release.debian.org > > > > Severity: normal > > > > Tags: bullseye > > > > User: release.debian@packages.debian.org > > > > Usertags: pu > > > [...] > > > > > > I did the upload to bullseye as I think the change is not > > > controversial. > > > > What you've uploaded to bullseye is *not* what you proposed in this > > request, however. > > > > The debdiff attached to this bug report amounts to "4 files > > changed, > > 130 insertions(+)", the uploaded package is "39 files changed, 561 > > insertions(+), 221 deletions(-)" and includes a new upstream > > release. > > Ugh. Very sorry about that! > > Here is the appropriate diff. How can I sort out my bad upload? > Bumping the version number? I hold uploading anything else until you > approve. Ah, I see the confusion - you used the wrong base upload when generating the first diff. As that resulted in an upload of 1.0.12- 1+deb11u1 and the fixed package will be 1.0.11-1+deb11u1, they can co- exist in the processing queue - free to upload the new diff and we will deal with rejecting the larger diff. Regards, Adam
Bug#999673: bullseye-pu: package lldpd/1.0.11-1
❦ 27 November 2021 17:43 GMT, Adam D. Barratt: >> > Package: release.debian.org >> > Severity: normal >> > Tags: bullseye >> > User: release.debian@packages.debian.org >> > Usertags: pu >> [...] >> >> I did the upload to bullseye as I think the change is not >> controversial. > > What you've uploaded to bullseye is *not* what you proposed in this > request, however. > > The debdiff attached to this bug report amounts to "4 files changed, > 130 insertions(+)", the uploaded package is "39 files changed, 561 > insertions(+), 221 deletions(-)" and includes a new upstream release. Ugh. Very sorry about that! Here is the appropriate diff. How can I sort out my bad upload? Bumping the version number? I hold uploading anything else until you approve. >From a5a413c1f44bb0a063fc9ca4cf56ae7137f53f3d Mon Sep 17 00:00:00 2001 From: Vincent Bernat Date: Sun, 14 Nov 2021 15:42:12 +0100 Subject: [PATCH] Tentative security update for Bullseye --- debian/changelog | 8 ++ ...et-VLAN-tag-if-client-did-not-set-it.patch | 27 ++ ...-overflow-when-reading-SONMP-packets.patch | 93 +++ debian/patches/series | 2 + 4 files changed, 130 insertions(+) create mode 100644 debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch create mode 100644 debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch diff --git a/debian/changelog b/debian/changelog index 4fc8b730cc52..6da569249198 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +lldpd (1.0.11-1+deb11u1) bullseye; urgency=high + + * d/patches: sonmp: fix heap overflow when reading SONMP packets. +CVE-2021-43612 + * d/patches: client: do not set VLAN tag if client did not set it + + -- Vincent Bernat Sat, 27 Nov 2021 23:30:43 +0100 + lldpd (1.0.11-1) unstable; urgency=medium * New upstream release. diff --git a/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch new file mode 100644 index ..1f65986ae27e --- /dev/null +++ b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch @@ -0,0 +1,27 @@ +From 261afbe371ab316a4bf710338f6d9183a01e083f Mon Sep 17 00:00:00 2001 +From: Vincent Bernat +Date: Wed, 29 Sep 2021 12:02:15 +0200 +Subject: [PATCH] client: do not set VLAN tag if client did not set it + +This fixes a bug where frames could be tagged with VLAN 0 after client +configuration. +--- + src/daemon/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/daemon/client.c b/src/daemon/client.c +index b4a08aae80a8..0d0f3ea37a19 100644 +--- a/src/daemon/client.c b/src/daemon/client.c +@@ -390,7 +390,7 @@ _client_handle_set_port(struct lldpd *cfg, + port->p_disable_rx = port->p_disable_tx = 1; + break; + } +- if (set->vlan_tx_enabled >= -1) { ++ if (set->vlan_tx_enabled > -1) { + port->p_vlan_tx_enabled = set->vlan_tx_enabled; + port->p_vlan_tx_tag = set->vlan_tx_tag; + } +-- +2.33.1 + diff --git a/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch new file mode 100644 index ..c06689987c34 --- /dev/null +++ b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch @@ -0,0 +1,93 @@ +From 73d42680fce8598324364dbb31b9bc3b8320adf7 Mon Sep 17 00:00:00 2001 +From: Vincent Bernat +Date: Sun, 19 Sep 2021 21:18:47 +0200 +Subject: [PATCH] sonmp: fix heap overflow when reading SONMP packets + +By sending short SONMP packets, an attacker can make the decoder crash +by reading too much data on the heap. SONMP packets are fixed in size, +just ensure we get the enough bytes to contain a SONMP packet. + +CVE-2021-43612 +--- + NEWS | 2 ++ + src/daemon/protocols/sonmp.c | 2 +- + src/daemon/protocols/sonmp.h | 2 +- + tests/check_sonmp.c | 10 +- + 4 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c +index 41dcf6aa412d..f8f12469e28a 100644 +--- a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c +@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s, + + length = s; + pos = (u_int8_t*)frame; +- if (length < SONMP_SIZE) { ++ if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) { + log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname); + goto malformed; + } +diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h +index 0e60106dae63..ff7a720f0b5d 100644 +--- a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h +@@ -24,7 +24,7 @@ + #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 } + #define LLC_PID_SONMP_HELLO 0x01a2 + #define LLC_PID_SONMP_FLATNET 0x01a1 +-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) +
Bug#999673: bullseye-pu: package lldpd/1.0.11-1
On Sat, 2021-11-27 at 15:49 +0100, Vincent Bernat wrote: > ❦ 14 November 2021 19:21 +01, Vincent Bernat: > > > Package: release.debian.org > > Severity: normal > > Tags: bullseye > > User: release.debian@packages.debian.org > > Usertags: pu > [...] > > I did the upload to bullseye as I think the change is not > controversial. What you've uploaded to bullseye is *not* what you proposed in this request, however. The debdiff attached to this bug report amounts to "4 files changed, 130 insertions(+)", the uploaded package is "39 files changed, 561 insertions(+), 221 deletions(-)" and includes a new upstream release. Regards, Adam
Bug#999673: bullseye-pu: package lldpd/1.0.11-1
❦ 14 November 2021 19:21 +01, Vincent Bernat: > Package: release.debian.org > Severity: normal > Tags: bullseye > User: release.debian@packages.debian.org > Usertags: pu [...] I did the upload to bullseye as I think the change is not controversial. -- The lunatic, the lover, and the poet, Are of imagination all compact... -- Wm. Shakespeare, "A Midsummer Night's Dream"
Bug#999673: bullseye-pu: package lldpd/1.0.11-1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 [ Reason ] - - Low-severity security issue when receiving SONMP packets. CVE-2021-43612 - - Annoying bug where LLDP packets are encapsulated in VLAN 0 when some configuration directives are used. Many implementations reject such a packet (regression introduced in 1.0.6) [ Impact ] - - Someone could crash lldpd from another neighbor if the user enables SONMP (quite unlikely). - - People cannot use some configuration directives. [ Tests ] - - Both codes are covered by tests in upstream. The SONMP tests are run during build as well. The VLAN 0 test is not run during build. [ Risks ] - - For SONMP, low risk as it is seldomly used and correctly formed packets are part of the tests run during build. - - For VLAN 0, the change is trivial, tested upstream and reported OK by two users. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] - - SONMP: there was a confusion about the size of a packet. The same variable was used for the payload size and for checking the size with Ethernet headers. - - VLAN 0: when changing some settings, a struct containing the changed settings is transmitted. -1 was used to say "no change" but it was interpreted as a change. [ Other info ] - - Security team is OK to fix the security issue in a point release. - - I don't think this is worth fixing the SONMP issue in Buster, but I can do that too. The VLAN issue is not present. -BEGIN PGP SIGNATURE- iQJGBAEBCAAwFiEErvI0h2bzccaJpzYAlaQv6DU1JfkFAmGRU44SHGJlcm5hdEBk ZWJpYW4ub3JnAAoJEJWkL+g1NSX5++gP/jK+rA7DgjxgweFrlUezPB39QSg6wcmu 9YrUO8wyjSzZ0A51Gfh/afyJAKRKehy3tD/nWvrQumn5ZkYXMhVbock5zJbgnTmo 1ndd2CtIOlpdSceqmnxX83Qt5qj7yHLWCzyAYg+ujgO1Su/IrE6GwwWr3+OBJQdN lwLrbDzIe+Xv+4sYLLhWjO1ApVHpJmLJYYywBWug6YkTa9hx1wixPGm76G1Z4tvc 312L+9uwJqdp85Nb8w29VgBx8nDOWZS54FaimnggmGk895beQdI4wUCGfrJ/Tqkt K4emDeOUv5pUudDYNU98a0byf7Ahif+QVZLS0w9p32uHd7qtr1ZwkmhcO2I0W0jA EWIC7PW3qyQqa8SrD068Sx9jEhCt69uJaQyDUV38DbCmNFjip4oK607XeLuh/WwC R6TI3iMro3T03QSzyYyFvWLJpL0n/xHtoMb0UXWY+KE38uOQQ1Fdv3JkvxxI6q6Z 8FhpTYr1ONE9uj577aMj3bX9BkxdVKKjy48bLEkHhTd1KS/FOLpWMmnlRVNBAr8t KDn09xcsxU+anIGunFwrATqH8sBFOqO0gvr+ylgyswQiW3L8WWM2uyG1+UoO/AeW lwMHk+6WUuejhB/7PzA0Wcv5zfgkwahZRf2zN6ohON6IaVR6Pbn0+lSYU5rlramB dsd1jEbkXZ36 =W7Cl -END PGP SIGNATURE- >From d70b8be04c6d8638e6f2cd612a07e73992fa0798 Mon Sep 17 00:00:00 2001 From: Vincent Bernat Date: Sun, 14 Nov 2021 15:42:12 +0100 Subject: [PATCH] Tentative security update for Bullseye --- debian/changelog | 8 ++ ...et-VLAN-tag-if-client-did-not-set-it.patch | 27 ++ ...-overflow-when-reading-SONMP-packets.patch | 93 +++ debian/patches/series | 2 + 4 files changed, 130 insertions(+) create mode 100644 debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch create mode 100644 debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch diff --git a/debian/changelog b/debian/changelog index bb87d8129f9e..68ae7b91d22d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +lldpd (1.0.12-1+deb11u1) bullseye; urgency=high + + * d/patches: sonmp: fix heap overflow when reading SONMP packets. +CVE-2021-43612 + * d/patches: client: do not set VLAN tag if client did not set it + + -- Vincent Bernat Sun, 14 Nov 2021 15:41:59 +0100 + lldpd (1.0.12-1) unstable; urgency=medium * New upstream release. diff --git a/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch new file mode 100644 index ..1f65986ae27e --- /dev/null +++ b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch @@ -0,0 +1,27 @@ +From 261afbe371ab316a4bf710338f6d9183a01e083f Mon Sep 17 00:00:00 2001 +From: Vincent Bernat +Date: Wed, 29 Sep 2021 12:02:15 +0200 +Subject: [PATCH] client: do not set VLAN tag if client did not set it + +This fixes a bug where frames could be tagged with VLAN 0 after client +configuration. +--- + src/daemon/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/daemon/client.c b/src/daemon/client.c +index b4a08aae80a8..0d0f3ea37a19 100644 +--- a/src/daemon/client.c b/src/daemon/client.c +@@ -390,7 +390,7 @@ _client_handle_set_port(struct lldpd *cfg, + port->p_disable_rx = port->p_disable_tx = 1; + break; + } +- if (set->vlan_tx_enabled >= -1) { ++ if (set->vlan_tx_enabled > -1) { + port->p_vlan_tx_enabled = set->vlan_tx_enabled; + port->p_vlan_tx_tag = set->vla