Bug#999673: bullseye-pu: package lldpd/1.0.11-1

2021-11-29 Thread Vincent Bernat
 ❦ 29 November 2021 17:32 GMT, Adam D. Barratt:

>> > What you've uploaded to bullseye is *not* what you proposed in this
>> > request, however.
>> > 
>> > The debdiff attached to this bug report amounts to "4 files changed,
>> > 130 insertions(+)", the uploaded package is "39 files changed, 561
>> > insertions(+), 221 deletions(-)" and includes a new upstream release.
>> 
>> Ugh. Very sorry about that!
>> 
>> Here is the appropriate diff. How can I sort out my bad upload?
>> Bumping the version number? I'll hold off uploading anything else until
>> you approve.
>
> Ah, I see the confusion - you used the wrong base upload when
> generating the first diff. As that resulted in an upload of
> 1.0.12-1+deb11u1 and the fixed package will be 1.0.11-1+deb11u1, they
> can co-exist in the processing queue - feel free to upload the new diff
> and we will deal with rejecting the larger diff.

Thanks! Done.
-- 
"... all the modern inconveniences ..."
-- Mark Twain



Bug#999673: bullseye-pu: package lldpd/1.0.11-1

2021-11-29 Thread Adam D. Barratt
On Sat, 2021-11-27 at 23:32 +0100, Vincent Bernat wrote:
>  ❦ 27 November 2021 17:43 GMT, Adam D. Barratt:
> 
> > > > Package: release.debian.org
> > > > Severity: normal
> > > > Tags: bullseye
> > > > User: release.debian@packages.debian.org
> > > > Usertags: pu
> > > [...]
> > > 
> > > I did the upload to bullseye as I think the change is not
> > > controversial.
> > 
> > What you've uploaded to bullseye is *not* what you proposed in this
> > request, however.
> > 
> > The debdiff attached to this bug report amounts to "4 files changed,
> > 130 insertions(+)", the uploaded package is "39 files changed, 561
> > insertions(+), 221 deletions(-)" and includes a new upstream release.
> 
> Ugh. Very sorry about that!
> 
> Here is the appropriate diff. How can I sort out my bad upload?
> Bumping the version number? I'll hold off uploading anything else until
> you approve.

Ah, I see the confusion - you used the wrong base upload when
generating the first diff. As that resulted in an upload of
1.0.12-1+deb11u1 and the fixed package will be 1.0.11-1+deb11u1, they
can co-exist in the processing queue - feel free to upload the new diff
and we will deal with rejecting the larger diff.

Regards,

Adam



Bug#999673: bullseye-pu: package lldpd/1.0.11-1

2021-11-27 Thread Vincent Bernat
 ❦ 27 November 2021 17:43 GMT, Adam D. Barratt:

>> > Package: release.debian.org
>> > Severity: normal
>> > Tags: bullseye
>> > User: release.debian@packages.debian.org
>> > Usertags: pu
>> [...]
>> 
>> I did the upload to bullseye as I think the change is not
>> controversial.
>
> What you've uploaded to bullseye is *not* what you proposed in this
> request, however.
>
> The debdiff attached to this bug report amounts to "4 files changed,
> 130 insertions(+)", the uploaded package is "39 files changed, 561
> insertions(+), 221 deletions(-)" and includes a new upstream release.

Ugh. Very sorry about that!

Here is the appropriate diff. How can I sort out my bad upload? Bumping
the version number? I'll hold off uploading anything else until you
approve.

From a5a413c1f44bb0a063fc9ca4cf56ae7137f53f3d Mon Sep 17 00:00:00 2001
From: Vincent Bernat 
Date: Sun, 14 Nov 2021 15:42:12 +0100
Subject: [PATCH] Tentative security update for Bullseye

---
 debian/changelog  |  8 ++
 ...et-VLAN-tag-if-client-did-not-set-it.patch | 27 ++
 ...-overflow-when-reading-SONMP-packets.patch | 93 +++
 debian/patches/series |  2 +
 4 files changed, 130 insertions(+)
 create mode 100644 debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
 create mode 100644 debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch

diff --git a/debian/changelog b/debian/changelog
index 4fc8b730cc52..6da569249198 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lldpd (1.0.11-1+deb11u1) bullseye; urgency=high
+
+  * d/patches: sonmp: fix heap overflow when reading SONMP packets.
+CVE-2021-43612
+  * d/patches: client: do not set VLAN tag if client did not set it
+
+ -- Vincent Bernat   Sat, 27 Nov 2021 23:30:43 +0100
+
 lldpd (1.0.11-1) unstable; urgency=medium
 
   * New upstream release.
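Review bot: the continuation line `+CVE-2021-43612` is shown flush-left instead of continuing the indented bullet above it; if that is how debian/changelog is actually written (and not just how the mail archive rendered the whitespace), dpkg-parsechangelog will not treat it as part of the `d/patches: sonmp: fix heap overflow ...` entry, so indent it four spaces like the bullet text. The rest of the entry is right for a stable update: stacked on `lldpd (1.0.11-1)`, distribution `bullseye`, `urgency=high` for a security fix.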
diff --git a/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
new file mode 100644
index ..1f65986ae27e
--- /dev/null
+++ b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
@@ -0,0 +1,27 @@
+From 261afbe371ab316a4bf710338f6d9183a01e083f Mon Sep 17 00:00:00 2001
+From: Vincent Bernat 
+Date: Wed, 29 Sep 2021 12:02:15 +0200
+Subject: [PATCH] client: do not set VLAN tag if client did not set it
+
+This fixes a bug where frames could be tagged with VLAN 0 after client
+configuration.
+---
+ src/daemon/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/client.c b/src/daemon/client.c
+index b4a08aae80a8..0d0f3ea37a19 100644
+--- a/src/daemon/client.c
 b/src/daemon/client.c
+@@ -390,7 +390,7 @@ _client_handle_set_port(struct lldpd *cfg,
+ 		port->p_disable_rx = port->p_disable_tx = 1;
+ 		break;
+ 	}
+-	if (set->vlan_tx_enabled >= -1) {
++	if (set->vlan_tx_enabled > -1) {
+ 		port->p_vlan_tx_enabled = set->vlan_tx_enabled;
+ 		port->p_vlan_tx_tag = set->vlan_tx_tag;
+ 	}
+-- 
+2.33.1
+
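Review bot: the one-character change from `>= -1` to `> -1` is the whole fix and it matches the semantics given in the request (-1 means the client did not set the value); with `>=` the sentinel passed the condition and `port->p_vlan_tx_tag` was overwritten from an unset `set->vlan_tx_tag`, which is how frames ended up tagged with VLAN 0. Worth adding a one-line comment at the condition saying that -1 is the "unchanged" sentinel so nobody "fixes" it back to `>=`, and, since the upstream commit id 261afbe371ab316a4bf710338f6d9183a01e083f is already in the From line, a DEP-3 `Applied-Upstream:` field is a one-liner. Also, as rendered here the `+++ b/src/daemon/client.c` header shows up as a bare ` b/src/daemon/client.c` line; confirm the file in the actual upload still applies with `quilt push`.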
diff --git a/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
new file mode 100644
index ..c06689987c34
--- /dev/null
+++ b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
@@ -0,0 +1,93 @@
+From 73d42680fce8598324364dbb31b9bc3b8320adf7 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat 
+Date: Sun, 19 Sep 2021 21:18:47 +0200
+Subject: [PATCH] sonmp: fix heap overflow when reading SONMP packets
+
+By sending short SONMP packets, an attacker can make the decoder crash
+by reading too much data on the heap. SONMP packets are fixed in size,
+just ensure we get the enough bytes to contain a SONMP packet.
+
+CVE-2021-43612
+---
+ NEWS |  2 ++
+ src/daemon/protocols/sonmp.c |  2 +-
+ src/daemon/protocols/sonmp.h |  2 +-
+ tests/check_sonmp.c  | 10 +-
+ 4 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index 41dcf6aa412d..f8f12469e28a 100644
+--- a/src/daemon/protocols/sonmp.c
 b/src/daemon/protocols/sonmp.c
+@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+ 
+ 	length = s;
+ 	pos = (u_int8_t*)frame;
+-	if (length < SONMP_SIZE) {
++	if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
+ 		log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname);
+ 		goto malformed;
+ 	}
+diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
+index 0e60106dae63..ff7a720f0b5d 100644
+--- a/src/daemon/protocols/sonmp.h
 b/src/daemon/protocols/sonmp.h
+@@ -24,7 +24,7 @@
+ #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
+ #define LLC_PID_SONMP_HELLO 0x01a2
+ #define LLC_PID_SONMP_FLATNET 0x01a1
+-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) +
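Review bot: in the sonmp.c hunk `length` is copied from the `int s` parameter visible in the hunk header and then compared against an expression containing `sizeof(u_int16_t)`; the usual arithmetic conversions make that comparison unsigned, so a negative `s` would sail past the `<` check. Callers presumably never hand over a negative length, but an `s < 0` guard in front of it costs nothing. The check itself, which now requires room for the two MAC addresses and the length/type field in front of the SONMP payload, is the right fix for the payload-versus-frame-size mix-up described in the request. The remaining hunks of this patch (sonmp.h, NEWS, tests/check_sonmp.c) are cut off in this copy of the mail, so the new SONMP_SIZE definition and the test updates cannot be reviewed here.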

Bug#999673: bullseye-pu: package lldpd/1.0.11-1

2021-11-27 Thread Adam D. Barratt
On Sat, 2021-11-27 at 15:49 +0100, Vincent Bernat wrote:
>  ❦ 14 November 2021 19:21 +01, Vincent Bernat:
> 
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian@packages.debian.org
> > Usertags: pu
> [...]
> 
> I did the upload to bullseye as I think the change is not
> controversial.

What you've uploaded to bullseye is *not* what you proposed in this
request, however.

The debdiff attached to this bug report amounts to "4 files changed,
130 insertions(+)", the uploaded package is "39 files changed, 561
insertions(+), 221 deletions(-)" and includes a new upstream release.

Regards,

Adam



Bug#999673: bullseye-pu: package lldpd/1.0.11-1

2021-11-27 Thread Vincent Bernat
 ❦ 14 November 2021 19:21 +01, Vincent Bernat:

> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
[...]

I did the upload to bullseye as I think the change is not controversial.
-- 
The lunatic, the lover, and the poet,
Are of imagination all compact...
-- Wm. Shakespeare, "A Midsummer Night's Dream"



Bug#999673: bullseye-pu: package lldpd/1.0.11-1

2021-11-14 Thread Vincent Bernat
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

- Low-severity security issue when receiving SONMP packets.
  CVE-2021-43612

- Annoying bug where LLDP packets are encapsulated in VLAN 0 when some
  configuration directives are used. Many implementations reject such
  a packet (regression introduced in 1.0.6).

[ Impact ]

- Someone could crash lldpd from another neighbor if the user enables
  SONMP (quite unlikely).

- People cannot use some configuration directives.

[ Tests ]

- Both code paths are covered by tests upstream. The SONMP tests are run
  during build as well. The VLAN 0 test is not run during build.

[ Risks ]

- For SONMP, low risk as it is seldom used and correctly formed
  packets are part of the tests run during build.

- For VLAN 0, the change is trivial, tested upstream and reported OK by
  two users.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

- SONMP: there was confusion about the size of a packet. The same
  variable was used for the payload size and for checking the size
  with Ethernet headers.

- VLAN 0: when changing some settings, a struct containing the changed
  settings is transmitted. -1 was used to say "no change" but it was
  interpreted as a change.

[ Other info ]

- Security team is OK to fix the security issue in a point release.

- I don't think it is worth fixing the SONMP issue in Buster, but I
  can do that too. The VLAN issue is not present.


From d70b8be04c6d8638e6f2cd612a07e73992fa0798 Mon Sep 17 00:00:00 2001
From: Vincent Bernat 
Date: Sun, 14 Nov 2021 15:42:12 +0100
Subject: [PATCH] Tentative security update for Bullseye

---
 debian/changelog  |  8 ++
 ...et-VLAN-tag-if-client-did-not-set-it.patch | 27 ++
 ...-overflow-when-reading-SONMP-packets.patch | 93 +++
 debian/patches/series |  2 +
 4 files changed, 130 insertions(+)
 create mode 100644 debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
 create mode 100644 debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch

diff --git a/debian/changelog b/debian/changelog
index bb87d8129f9e..68ae7b91d22d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lldpd (1.0.12-1+deb11u1) bullseye; urgency=high
+
+  * d/patches: sonmp: fix heap overflow when reading SONMP packets.
+CVE-2021-43612
+  * d/patches: client: do not set VLAN tag if client did not set it
+
+ -- Vincent Bernat   Sun, 14 Nov 2021 15:41:59 +0100
+
 lldpd (1.0.12-1) unstable; urgency=medium
 
   * New upstream release.
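Review bot: this changelog entry is the root of the mismatch flagged later in the thread. It is stacked on `lldpd (1.0.12-1) unstable`, which is not the version in bullseye (the bug title and the request both say 1.0.11-1), so the resulting `1.0.12-1+deb11u1` upload carries the whole 1.0.12 upstream release rather than the two patches. Regenerate the debdiff against the 1.0.11-1 source in bullseye and version the entry `1.0.11-1+deb11u1`.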
diff --git a/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
new file mode 100644
index ..1f65986ae27e
--- /dev/null
+++ b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
@@ -0,0 +1,27 @@
+From 261afbe371ab316a4bf710338f6d9183a01e083f Mon Sep 17 00:00:00 2001
+From: Vincent Bernat 
+Date: Wed, 29 Sep 2021 12:02:15 +0200
+Subject: [PATCH] client: do not set VLAN tag if client did not set it
+
+This fixes a bug where frames could be tagged with VLAN 0 after client
+configuration.
+---
+ src/daemon/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/client.c b/src/daemon/client.c
+index b4a08aae80a8..0d0f3ea37a19 100644
+--- a/src/daemon/client.c
 b/src/daemon/client.c
+@@ -390,7 +390,7 @@ _client_handle_set_port(struct lldpd *cfg,
+   port->p_disable_rx = port->p_disable_tx = 1;
+   break;
+   }
+-  if (set->vlan_tx_enabled >= -1) {
++  if (set->vlan_tx_enabled > -1) {
+   port->p_vlan_tx_enabled = set->vlan_tx_enabled;
+   port->p_vlan_tx_tag = set->vla
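Review bot: this is the same client.c patch as in the resubmitted debdiff, and the `>= -1` to `> -1` change is equally correct here; the copy is cut off mid-line (`set->vla`), so the trailing context and the version trailer are not visible. The context lines in this copy are indented with spaces where the other copy uses tabs; if that is the actual file content rather than mail rendering, `git apply`/`quilt push` will refuse it against a client.c that uses tabs.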
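The SONMP fix described under [ Changes ] in the request above (one variable doing double duty as payload size and as frame size) is worth seeing as a self-contained bounds check. The program below is an added example, not lldpd code: the header sizes follow the usual Ethernet and LLC/SNAP layout, but `PAYLOAD_LEN` is a hypothetical constant, since the real SONMP payload size is not on this page. It contrasts a check that only considers the payload size with one that requires headers plus payload, and uses a `size_t` length so that a negative `int` cannot slip past the comparison.

```c
/*
 * Added example, not lldpd code: a length check for a fixed-size payload
 * that sits behind an Ethernet header and an LLC/SNAP header, in the
 * shape of the CVE-2021-43612 fix. The decoder must require
 * headers + payload before it touches the payload; checking the payload
 * size alone lets a short frame through and the read runs off the buffer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
/* dst MAC, src MAC, length/type field */
#define ETHER_HDR_LEN  (2 * ETHER_ADDR_LEN + sizeof(uint16_t))
/* DSAP, SSAP, control, 3-byte OUI, 2-byte PID */
#define LLC_SNAP_LEN   8
/* Hypothetical fixed payload size (assumption; the real SONMP size is
 * not given on the page). */
#define PAYLOAD_LEN    11

struct payload {
    uint32_t ip;                      /* first four payload bytes, big-endian */
    uint8_t  rest[PAYLOAD_LEN - 4];   /* remaining payload bytes, copied as-is */
};

/* Minimum frame length the decoder needs before reading the payload. */
size_t frame_min_len(void)
{
    return ETHER_HDR_LEN + LLC_SNAP_LEN + PAYLOAD_LEN;
}

/* Pre-fix shape: only the payload size is checked and the headers are
 * ignored, so a frame of PAYLOAD_LEN bytes is accepted although the
 * payload would start 22 bytes in and extend past the end of the frame. */
int old_check_accepts(size_t len)
{
    return len >= PAYLOAD_LEN;
}

/* Fixed decoder. len is size_t on purpose: with an int length compared
 * against a sizeof() expression the comparison is done unsigned and a
 * negative length would pass. Returns 0 on success, -1 if malformed. */
int decode_payload(const uint8_t *frame, size_t len, struct payload *out)
{
    if (frame == NULL || out == NULL)
        return -1;
    if (len < frame_min_len())
        return -1;                    /* too short for headers + payload */
    const uint8_t *p = frame + ETHER_HDR_LEN + LLC_SNAP_LEN;
    out->ip = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
              (uint32_t)p[2] << 8 | (uint32_t)p[3];
    memcpy(out->rest, p + 4, sizeof out->rest);
    return 0;
}

/* Constructed sample frame: zeroed headers, payload 10.0.0.1 then 4..10. */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    size_t n = frame_min_len();
    if (cap < n)
        return 0;
    memset(buf, 0, n);
    uint8_t *p = buf + ETHER_HDR_LEN + LLC_SNAP_LEN;
    p[0] = 10; p[1] = 0; p[2] = 0; p[3] = 1;
    for (size_t i = 4; i < PAYLOAD_LEN; i++)
        p[i] = (uint8_t)i;
    return n;
}

/* Exercises three cases: the full frame decodes, a frame one byte short
 * is rejected, and a frame that only the old check accepts is rejected.
 * Returns 1 when all three behave as expected, 0 otherwise. */
int sample_selftest(void)
{
    uint8_t buf[64];
    struct payload pl;
    size_t n = build_sample_frame(buf, sizeof buf);
    if (n == 0 || decode_payload(buf, n, &pl) != 0 || pl.ip != 0x0a000001u)
        return 0;
    if (decode_payload(buf, n - 1, &pl) != -1)
        return 0;
    if (!old_check_accepts(PAYLOAD_LEN) || decode_payload(buf, PAYLOAD_LEN, &pl) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("minimum frame length: %zu bytes\n", frame_min_len());
    printf("self-test %s\n", sample_selftest() ? "passed" : "FAILED");
    return sample_selftest() ? 0 : 1;
}
```

The point to carry over to a real decoder is that the minimum-length constant must be computed from the offset at which the payload is read plus the payload size, not from the payload size alone, and that the length variable should be unsigned or explicitly checked for being non-negative before any comparison against `sizeof()` terms.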