diff -Nru frr-8.1/debian/changelog frr-8.1/debian/changelog
--- frr-8.1/debian/changelog 2022-10-05 16:35:26.000000000 +0000
+++ frr-8.1/debian/changelog 2023-06-02 17:56:18.000000000 +0000
@@ -1,3 +1,20 @@
+frr (8.1-1ubuntu1.4) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service via bgp_attr_psid_sub()
+ - debian/patches/CVE-2023-31490.patch: ensure stream received has
+ enough data in bgpd/bgp_attr.c.
+ - CVE-2023-31490
+
+ -- Marc Deslauriers Fri, 02 Jun 2023 13:56:18 -0400
+
+frr (8.1-1ubuntu1.3) jammy; urgency=medium
+
+ * d/frr.postinst: don't change log ownership if the syslog user
+ doesn't exist. Thanks to Alessandro Ratti
+ for the fix (LP: #1991812).
+
+ -- Andreas Hasenack Fri, 28 Oct 2022 11:38:34 -0300
+
 frr (8.1-1ubuntu1.2) jammy-security; urgency=medium
 
 * SECURITY UPDATE: DoS via out-of-bounds read
diff -Nru frr-8.1/debian/frr.postinst frr-8.1/debian/frr.postinst
--- frr-8.1/debian/frr.postinst 2022-07-19 20:36:23.000000000 +0000
+++ frr-8.1/debian/frr.postinst 2022-10-28 14:38:34.000000000 +0000
@@ -50,26 +50,28 @@ # fix logging for Ubuntu, which does not run rsyslog as root (LP: #1958162), # and upgrades from quagga (what the block above used to do also for /var/log) -# frr user was created above, this really shouldn't fail -frruid=`getent passwd frr | cut -d : -f 3` -frrgid=`getent group frr | cut -d : -f 3` +if getent passwd syslog > /dev/null; then + # frr user was created above, this really shouldn't fail + frruid=`getent passwd frr | cut -d : -f 3` + frrgid=`getent group frr | cut -d : -f 3` -find \ - /var/log/frr \ - \( -uid 0 -o -uid $quaggauid -o -uid $frruid \) -a \ - \( -gid 0 -o -gid $quaggauid -o -gid $frrgid \) | \ - while read filename; do + find \ + /var/log/frr \ + \( -uid 0 -o -uid $quaggauid -o -uid $frruid \) -a \ + \( -gid 0 -o -gid $quaggauid -o -gid $frrgid \) | \ + while read filename; do - # don't chown anything that has ACLs (but don't fail if we don't - # have getfacl) - if { getfacl -c "$filename" 2>/dev/null || true; } \ - | egrep -q -v '^((user|group|other)::|$)'; then - : - else - chown syslog:adm "$filename" - chmod o-rwx "$filename" - fi -done + # don't chown anything that has ACLs (but don't fail if we don't + # have getfacl) + if { getfacl -c "$filename" 2>/dev/null || true; } \ + | egrep -q -v '^((user|group|other)::|$)'; then + : + else + chown syslog:adm "$filename" + chmod o-rwx "$filename" + fi + done +fi # fix misconfigured vtysh.conf & frr.conf ownership caused by config save # mishandling in earlier FRR (and Quagga) versions diff -Nru frr-8.1/debian/patches/CVE-2023-31490.patch frr-8.1/debian/patches/CVE-2023-31490.patch --- frr-8.1/debian/patches/CVE-2023-31490.patch 1970-01-01 00:00:00.000000000 +0000 +++ frr-8.1/debian/patches/CVE-2023-31490.patch 2023-06-02 17:56:12.000000000 +0000 
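Review bot: The re-indented loop header `while read filename; do` on the new side still uses a bare `read`, so a path under /var/log/frr containing a backslash or leading/trailing whitespace is altered before it reaches `chown syslog:adm "$filename"` and `chmod o-rwx "$filename"`; since the hunk rewrites every line of the loop anyway, this is the moment to make it `while IFS= read -r filename; do`, which is POSIX sh and changes nothing else. `egrep` is deprecated in current grep releases and prints a warning to stderr on each maintainer-script run; `grep -E -q -v '^((user|group|other)::|$)'` is the equivalent form. The new `getent passwd syslog > /dev/null` guard only establishes that the user exists, whereas the `chown syslog:adm` it protects also depends on the `adm` group; that group is presumably always present on the targeted systems, but it could be confirmed with the same `getent group adm` idiom if the guard is meant to be complete.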
@@ -0,0 +1,150 @@
+From 06431bfa7570f169637ebb5898f0b0cc3b010802 Mon Sep 17 00:00:00 2001
+From: Donald Sharp
+Date: Tue, 6 Dec 2022 10:23:11 -0500
+Subject: [PATCH] bgpd: Ensure stream received has enough data
+
+BGP_PREFIX_SID_SRV6_L3_SERVICE attributes must not
+fully trust the length value specified in the nlri.
+Always ensure that the amount of data we need to read
+can be fullfilled.
+
+Reported-by: Iggy Frankovic
+Signed-off-by: Donald Sharp
+---
+ bgpd/bgp_attr.c | 79 ++++++++++++++++---------------------------------
+ 1 file changed, 25 insertions(+), 54 deletions(-)
+
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2728,9 +2728,21 @@ static bgp_attr_parse_ret_t bgp_attr_psi
+ uint8_t sid_type, sid_flags;
+ char buf[BUFSIZ];
+
++ /*
++ * Check that we actually have at least as much data as
++ * specified by the length field
++ */
++ if (STREAM_READABLE(peer->curr) < length) {
++ flog_err(
++ EC_BGP_ATTR_LEN,
++ "Prefix SID specifies length %hu, but only %zu bytes remain",
++ length, STREAM_READABLE(peer->curr));
++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
++ args->total);
++ }
++
+ if (type == BGP_PREFIX_SID_LABEL_INDEX) {
+- if (STREAM_READABLE(peer->curr) < length
+- || length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
++ if (length != BGP_PREFIX_SID_LABEL_INDEX_LENGTH) {
+ flog_err(EC_BGP_ATTR_LEN,
+ "Prefix SID label index length is %hu instead of %u",
+ length, BGP_PREFIX_SID_LABEL_INDEX_LENGTH);
+@@ -2752,12 +2764,8 @@ static bgp_attr_parse_ret_t bgp_attr_psi
+ /* Store label index; subsequently, we'll check on
+ * address-family */
+ attr->label_index = label_index;
+- }
+-
+- /* Placeholder code for the IPv6 SID type */
+- else if (type == BGP_PREFIX_SID_IPV6) {
+- if (STREAM_READABLE(peer->curr) < length
+- || length != BGP_PREFIX_SID_IPV6_LENGTH) {
++ } else if (type == BGP_PREFIX_SID_IPV6) {
++ if (length != BGP_PREFIX_SID_IPV6_LENGTH) {
+ flog_err(EC_BGP_ATTR_LEN,
+ "Prefix SID IPv6 length is %hu instead of %u",
+ length, BGP_PREFIX_SID_IPV6_LENGTH);
+@@ -2771,10 +2779,7 @@ static bgp_attr_parse_ret_t bgp_attr_psi
+ stream_getw(peer->curr);
+
+ stream_get(&ipv6_sid, peer->curr, 16);
+- }
+-
+- /* Placeholder code for the Originator SRGB type */
+- else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
++ } else if (type == BGP_PREFIX_SID_ORIGINATOR_SRGB) {
+ /*
+ * ietf-idr-bgp-prefix-sid-05:
+ * Length is the total length of the value portion of the
+@@ -2800,19 +2805,6 @@ static bgp_attr_parse_ret_t bgp_attr_psi
+ }
+
+ /*
+- * Check that we actually have at least as much data as
+- * specified by the length field
+- */
+- if (STREAM_READABLE(peer->curr) < length) {
+- flog_err(EC_BGP_ATTR_LEN,
+- "Prefix SID Originator SRGB specifies length %hu, but only %zu bytes remain",
+- length, STREAM_READABLE(peer->curr));
+- return bgp_attr_malformed(
+- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+- args->total);
+- }
+-
+- /*
+ * Check that the portion of the TLV containing the sequence of
+ * SRGBs corresponds to a multiple of the SRGB size; to get
+ * that length, we skip the 16 bit flags field
+@@ -2835,12 +2827,8 @@ static bgp_attr_parse_ret_t bgp_attr_psi
+ stream_get(&srgb_base, peer->curr, 3);
+ stream_get(&srgb_range, peer->curr, 3);
+ }
+- }
+-
+- /* Placeholder code for the VPN-SID Service type */
+- else if (type == BGP_PREFIX_SID_VPN_SID) {
+- if (STREAM_READABLE(peer->curr) < length
+- || length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
++ } else if (type == BGP_PREFIX_SID_VPN_SID) {
++ if (length != BGP_PREFIX_SID_VPN_SID_LENGTH) {
+ flog_err(EC_BGP_ATTR_LEN,
+ "Prefix SID VPN SID length is %hu instead of %u",
+ length, BGP_PREFIX_SID_VPN_SID_LENGTH);
+@@ -2876,39 +2864,22 @@ static bgp_attr_parse_ret_t bgp_attr_psi
+ attr->srv6_vpn->sid_flags = sid_flags;
+ sid_copy(&attr->srv6_vpn->sid, &ipv6_sid);
+ attr->srv6_vpn = srv6_vpn_intern(attr->srv6_vpn);
+- }
+-
+- /* Placeholder code for the SRv6 L3 Service type */
+- else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
+- if (STREAM_READABLE(peer->curr) < length) {
++ } else if (type == BGP_PREFIX_SID_SRV6_L3_SERVICE) {
++ if (STREAM_READABLE(peer->curr) < 1) {
+ flog_err(
+ EC_BGP_ATTR_LEN,
+- "Prefix SID SRv6 L3-Service length is %hu, but only %zu bytes remain",
+- length, STREAM_READABLE(peer->curr));
+- return bgp_attr_malformed(args,
+- BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+- args->total);
++ "Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte");
++ return bgp_attr_malformed(
++ args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
++ args->total);
+ }
+- /* ignore reserved */
+ stream_getc(peer->curr);
+
+ return bgp_attr_srv6_service(args);
+ }
+- /* Placeholder code for Unsupported TLV */
+ else {
+-
+- if (STREAM_READABLE(peer->curr) < length) {
+- flog_err(
+- EC_BGP_ATTR_LEN,
+- "Prefix SID SRv6 length is %hu - too long, only %zu remaining in this UPDATE",
+- length, STREAM_READABLE(peer->curr));
+- return bgp_attr_malformed(
+- args, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+- args->total);
+- }
+-
+ if (bgp_debug_update(peer, NULL, NULL, 1))
+ zlog_debug(
+ "%s attr Prefix-SID sub-type=%u is not supported, skipped",
diff -Nru frr-8.1/debian/patches/series frr-8.1/debian/patches/series
--- frr-8.1/debian/patches/series 2022-10-05 16:35:22.000000000 +0000
+++ frr-8.1/debian/patches/series 2023-06-02 17:56:12.000000000 +0000
@@ -5,3 +5,4 @@
 disable_isisd_fuzz_test.patch
 CVE-2022-37032.patch
 CVE-2022-37035.patch
+CVE-2023-31490.patch
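Review bot: The new `if (STREAM_READABLE(peer->curr) < 1)` guard in the BGP_PREFIX_SID_SRV6_L3_SERVICE branch bounds the reserved-byte read against the stream rather than against the TLV's own declared `length`: a sub-TLV with `length` 0 passes the new top-of-function check trivially, and if further attribute data follows in the stream, `stream_getc(peer->curr)` consumes a byte that belongs to the next TLV before `bgp_attr_srv6_service(args)` is entered. Because the top check already guarantees `STREAM_READABLE(peer->curr) >= length`, `if (length < 1) {` is the tighter condition here and makes the separate stream comparison redundant. Whether `bgp_attr_srv6_service` re-derives its own bounds from `length` cannot be judged from this hunk, since that function and the rest of `bgp_attr_psid_sub` lie outside it. As a point of style, the new message `"Prefix SID SRV6 L3 Service not enough data left, it must be at least 1 byte"` departs from the `SRv6` spelling and the `"... length is %hu ..."` phrasing of the neighbouring messages; aligning it keeps log-based detection rules simple.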