diff -Nru openvswitch-2.5.2/debian/changelog openvswitch-2.5.2/debian/changelog
--- openvswitch-2.5.2/debian/changelog 2017-03-15 13:55:24.000000000 +0000
+++ openvswitch-2.5.2/debian/changelog 2017-08-24 18:15:38.000000000 +0000
@@ -1,3 +1,19 @@
+openvswitch (2.5.2-0ubuntu0.16.04.2) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: DoS while parsing OFPT_QUEUE_GET_CONFIG_REPLY message
+ - debian/patches/CVE-2017-9214.patch: properly check length in
+ lib/ofp-util.c.
+ - CVE-2017-9214
+ * SECURITY UPDATE: DoS while parsing OpenFlow role status message
+ - debian/patches/CVE-2017-9263.patch: don't abort on unknown reason in
+ lib/ofp-print.c.
+ - CVE-2017-9263
+ * SECURITY UPDATE: DoS while parsing group mod OpenFlow message
+ - debian/patches/CVE-2017-9265.patch: check length in lib/ofp-util.c.
+ - CVE-2017-9265
+
+ -- Marc Deslauriers Thu, 24 Aug 2017 14:15:05 -0400
+
 openvswitch (2.5.2-0ubuntu0.16.04.1) xenial; urgency=medium
 
 * New upstream point release (LP: #1673063).
diff -Nru openvswitch-2.5.2/debian/patches/CVE-2017-9214.patch openvswitch-2.5.2/debian/patches/CVE-2017-9214.patch
--- openvswitch-2.5.2/debian/patches/CVE-2017-9214.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.5.2/debian/patches/CVE-2017-9214.patch 2017-08-24 18:14:30.000000000 +0000
@@ -0,0 +1,32 @@
+Backport of:
+
+From fafbfa6ea46911aeb0083f166fed215ca71e22b6 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Sat, 20 May 2017 16:38:24 -0700
+Subject: [PATCH] ofp-util: Fix buffer overread in
+ ofputil_pull_queue_get_config_reply10().
+
+msg->size isn't the relevant measurement here because we're only supposed
+to read 'len' bytes. Reading more than that causes 'len' to underflow to a
+large number at the end of the loop.
+
+Reported-by: Bhargava Shastry
+Signed-off-by: Ben Pfaff
+Acked-by: Greg Rose
+---
+ lib/ofp-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openvswitch-2.5.2/lib/ofp-util.c
+===================================================================
+--- openvswitch-2.5.2.orig/lib/ofp-util.c 2017-08-24 14:13:47.149193702 -0400
++++ openvswitch-2.5.2/lib/ofp-util.c 2017-08-24 14:14:12.849193847 -0400
+@@ -2694,7 +2694,7 @@ ofputil_pull_queue_get_config_reply(stru
+
+ hdr = ofpbuf_at_assert(reply, 0, sizeof *hdr);
+ prop_len = ntohs(hdr->len);
+- if (prop_len < sizeof *hdr || prop_len > reply->size || prop_len % 8) {
++ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
+ return OFPERR_OFPBRC_BAD_LEN;
+ }
+
diff -Nru openvswitch-2.5.2/debian/patches/CVE-2017-9263.patch openvswitch-2.5.2/debian/patches/CVE-2017-9263.patch
--- openvswitch-2.5.2/debian/patches/CVE-2017-9263.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.5.2/debian/patches/CVE-2017-9263.patch 2017-08-24 18:14:51.000000000 +0000
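Review bot: In debian/patches/CVE-2017-9214.patch the new bound `prop_len > len` has no comment saying why `len` rather than `reply->size` is the limit, and that distinction is the whole fix. I would add above the check something like `/* Bound by 'len' (the bytes we are meant to read), not reply->size: a larger prop_len makes 'len' underflow when it is subtracted. */`. The assignment of `len` and the subtraction are outside the hunk, so the wording should be confirmed against the full function. The patch header says "Backport of:" while the subject names `ofputil_pull_queue_get_config_reply10()` and the hunk lands in `ofputil_pull_queue_get_config_reply()`, so one line stating what was adapted would help whoever refreshes this patch next.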
@@ -0,0 +1,31 @@
+From b76d4a81b8fbbc339d33b767e141c473ba350678 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Fri, 26 May 2017 13:22:26 -0700
+Subject: [PATCH] ofp-print: Don't abort on unknown reason in role status
+ message.
+
+A buggy or malicious switch could send a role status message with a bad
+reason code, which if printed by OVS would cause it to abort. This fixes
+the problem.
+
+Reported-by: Bhargava Shastry
+Signed-off-by: Ben Pfaff
+Acked-by: Yi-Hung Wei
+---
+ lib/ofp-print.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: openvswitch-2.5.2/lib/ofp-print.c
+===================================================================
+--- openvswitch-2.5.2.orig/lib/ofp-print.c 2017-08-24 14:14:47.493194043 -0400
++++ openvswitch-2.5.2/lib/ofp-print.c 2017-08-24 14:14:47.493194043 -0400
+@@ -1905,7 +1905,8 @@ ofp_print_role_status_message(struct ds
+ break;
+ case OFPCRR_N_REASONS:
+ default:
+- OVS_NOT_REACHED();
++ ds_put_cstr(string, "(unknown)");
++ break;
+ }
+ }
+
diff -Nru openvswitch-2.5.2/debian/patches/CVE-2017-9265.patch openvswitch-2.5.2/debian/patches/CVE-2017-9265.patch
--- openvswitch-2.5.2/debian/patches/CVE-2017-9265.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.5.2/debian/patches/CVE-2017-9265.patch 2017-08-24 18:15:03.000000000 +0000
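Review bot: In debian/patches/CVE-2017-9263.patch the `default:` branch of `ofp_print_role_status_message()` now prints `(unknown)` but drops the value that was received, so a log reader cannot tell which reason code the peer sent. Using `ds_put_format(string, "(unknown reason %d)", ...)` with the switch operand (which is outside the hunk) would let an operator identify a misbehaving switch from the output. The patch touches only lib/ofp-print.c, so the out-of-range reason is tolerated at print time rather than rejected at decode. If the decoder does not validate it, any other `switch` over this enum would need the same handling.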
@@ -0,0 +1,33 @@
+From 1752ea92dc11935e0595d208fdfe8203baf5b55c Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Fri, 26 May 2017 12:59:06 -0700
+Subject: [PATCH] ofp-util: Check length of buckets in
+ ofputil_pull_ofp15_group_mod().
+
+This code blindly read forward for the number of bytes specified by the
+message without checking that it was in range.
+
+This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
+OpenFlow 1.5 support by default.
+
+Reported-by: Bhargava Shastry
+Signed-off-by: Ben Pfaff
+Acked-by: Yi-Hung Wei
+---
+ lib/ofp-util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: openvswitch-2.5.2/lib/ofp-util.c
+===================================================================
+--- openvswitch-2.5.2.orig/lib/ofp-util.c 2017-08-24 14:15:01.397194121 -0400
++++ openvswitch-2.5.2/lib/ofp-util.c 2017-08-24 14:15:01.393194121 -0400
+@@ -8812,6 +8812,9 @@ ofputil_pull_ofp15_group_mod(struct ofpb
+ }
+
+ bucket_list_len = ntohs(ogm->bucket_array_len);
++ if (bucket_list_len > msg->size) {
++ return OFPERR_OFPBRC_BAD_LEN;
++ }
+ error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
+ gm->type, &gm->buckets);
+ if (error) {
diff -Nru openvswitch-2.5.2/debian/patches/series openvswitch-2.5.2/debian/patches/series
--- openvswitch-2.5.2/debian/patches/series 2017-03-15 12:36:58.000000000 +0000
+++ openvswitch-2.5.2/debian/patches/series 2017-08-24 18:15:00.000000000 +0000
@@ -1,2 +1,5 @@
 ovs-ctl-dpdk.patch
 system-dpdk.patch
+CVE-2017-9214.patch
+CVE-2017-9263.patch
+CVE-2017-9265.patch
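Review bot: In debian/patches/CVE-2017-9265.patch the length check sits in the caller, `ofputil_pull_ofp15_group_mod()`, while the read it protects happens inside `ofputil_pull_ofp15_buckets()`, which still trusts the `bucket_list_len` it is handed. If that helper has other callers (not visible in this hunk), each one has to remember the same guard, so repeating the comparison of its length argument against the remaining message size at the top of the helper would enforce the bound where the bytes are consumed. On the added lines themselves I would put `/* bucket_array_len comes from the peer; reject it before reading that many bytes. */` above the `if`. The function body continues past the end of the hunk.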