diff -Nru openvswitch-2.6.1/debian/changelog openvswitch-2.6.1/debian/changelog
--- openvswitch-2.6.1/debian/changelog 2017-02-09 12:14:29.000000000 +0000
+++ openvswitch-2.6.1/debian/changelog 2017-08-24 18:09:53.000000000 +0000
@@ -1,3 +1,23 @@
+openvswitch (2.6.1-0ubuntu5.1) zesty-security; urgency=medium
+
+ * SECURITY UPDATE: DoS while parsing OFPT_QUEUE_GET_CONFIG_REPLY message
+ - debian/patches/CVE-2017-9214.patch: properly check length in
+ lib/ofp-util.c.
+ - CVE-2017-9214
+ * SECURITY UPDATE: DoS while parsing OpenFlow role status message
+ - debian/patches/CVE-2017-9263.patch: don't abort on unknown reason in
+ lib/ofp-print.c.
+ - CVE-2017-9263
+ * SECURITY UPDATE: DoS in firewall implementation
+ - debian/patches/CVE-2017-9264.patch: fix checks for header sizes in
+ lib/conntrack.c.
+ - CVE-2017-9264
+ * SECURITY UPDATE: DoS while parsing group mod OpenFlow message
+ - debian/patches/CVE-2017-9265.patch: check length in lib/ofp-util.c.
+ - CVE-2017-9265
+
+ -- Marc Deslauriers Thu, 24 Aug 2017 14:09:53 -0400
+
 openvswitch (2.6.1-0ubuntu5) zesty; urgency=medium
 * Enable openvswitch-switch-dpdk for ppc64el (LP: #1663206)
diff -Nru openvswitch-2.6.1/debian/patches/CVE-2017-9214.patch openvswitch-2.6.1/debian/patches/CVE-2017-9214.patch
--- openvswitch-2.6.1/debian/patches/CVE-2017-9214.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.6.1/debian/patches/CVE-2017-9214.patch 2017-08-24 18:09:25.000000000 +0000
@@ -0,0 +1,30 @@
+From fafbfa6ea46911aeb0083f166fed215ca71e22b6 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Sat, 20 May 2017 16:38:24 -0700
+Subject: [PATCH] ofp-util: Fix buffer overread in
+ ofputil_pull_queue_get_config_reply10().
+
+msg->size isn't the relevant measurement here because we're only supposed
+to read 'len' bytes. Reading more than that causes 'len' to underflow to a
+large number at the end of the loop.
+
+Reported-by: Bhargava Shastry
+Signed-off-by: Ben Pfaff
+Acked-by: Greg Rose
+---
+ lib/ofp-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openvswitch-2.6.1/lib/ofp-util.c
+===================================================================
+--- openvswitch-2.6.1.orig/lib/ofp-util.c 2017-08-24 14:09:23.565192214 -0400
++++ openvswitch-2.6.1/lib/ofp-util.c 2017-08-24 14:09:23.561192214 -0400
+@@ -2585,7 +2585,7 @@ ofputil_pull_queue_get_config_reply10(st
+
+ hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
+ prop_len = ntohs(hdr->len);
+- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
++ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
+ return OFPERR_OFPBRC_BAD_LEN;
+ }
+
diff -Nru openvswitch-2.6.1/debian/patches/CVE-2017-9263.patch openvswitch-2.6.1/debian/patches/CVE-2017-9263.patch
--- openvswitch-2.6.1/debian/patches/CVE-2017-9263.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.6.1/debian/patches/CVE-2017-9263.patch 2017-08-24 18:09:32.000000000 +0000
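Review bot: The reason the bound on the `++` line is `len` rather than `msg->size` is recorded only in the commit message, so the check deserves a comment to keep a future cleanup from restoring the wider bound, e.g. `/* Bound by 'len', the property bytes still to read, not msg->size: the loop subtracts prop_len from len afterwards and an overshoot would wrap it (CVE-2017-9214). */`. The preceding `ofpbuf_at_assert(msg, 0, sizeof *hdr)` still asserts instead of returning an error, so the loop condition outside the hunk presumably guarantees `len >= sizeof *hdr` on every iteration; that is worth confirming, since otherwise a truncated reply would trip the assertion rather than reach OFPERR_OFPBRC_BAD_LEN. ofputil_pull_queue_get_config_reply10's body starts and ends outside the hunk.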
@@ -0,0 +1,31 @@
+From b76d4a81b8fbbc339d33b767e141c473ba350678 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Fri, 26 May 2017 13:22:26 -0700
+Subject: [PATCH] ofp-print: Don't abort on unknown reason in role status
+ message.
+
+A buggy or malicious switch could send a role status message with a bad
+reason code, which if printed by OVS would cause it to abort. This fixes
+the problem.
+
+Reported-by: Bhargava Shastry
+Signed-off-by: Ben Pfaff
+Acked-by: Yi-Hung Wei
+---
+ lib/ofp-print.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: openvswitch-2.6.1/lib/ofp-print.c
+===================================================================
+--- openvswitch-2.6.1.orig/lib/ofp-print.c 2017-08-24 14:09:30.353192253 -0400
++++ openvswitch-2.6.1/lib/ofp-print.c 2017-08-24 14:09:30.349192253 -0400
+@@ -2086,7 +2086,8 @@ ofp_print_role_status_message(struct ds
+ break;
+ case OFPCRR_N_REASONS:
+ default:
+- OVS_NOT_REACHED();
++ ds_put_cstr(string, "(unknown)");
++ break;
+ }
+ }
+
diff -Nru openvswitch-2.6.1/debian/patches/CVE-2017-9264.patch openvswitch-2.6.1/debian/patches/CVE-2017-9264.patch
--- openvswitch-2.6.1/debian/patches/CVE-2017-9264.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.6.1/debian/patches/CVE-2017-9264.patch 2017-08-24 18:09:38.000000000 +0000
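Review bot: The new `default:` branch prints a fixed "(unknown)" and discards the offending reason value, which is the one detail an operator needs when deciding whether a peer is buggy or misbehaving. Since ds_put_format() is available in the same string API, `ds_put_format(string, "(unknown reason %d)", <switch operand>);` — substituting the value the switch tests, which is outside the hunk — keeps the diagnostic without reintroducing the abort. With the default now benign, the explicit `case OFPCRR_N_REASONS:` label is redundant; keeping it is harmless, but a comment such as `/* Peer-supplied reason codes must never abort the printer. */` above `default:` would record why OVS_NOT_REACHED() was removed. ofp_print_role_status_message begins before this hunk.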
@@ -0,0 +1,65 @@
+From 40225b0c04e2ae3e353cae12b8561ff237125b92 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Fri, 3 Mar 2017 21:16:17 -0800
+Subject: [PATCH] conntrack: Fix checks for TCP, UDP, and IPv6 header sizes.
+
+Otherwise a malformed packet could cause a read up to about 40 bytes past
+the end of the packet. The packet would still likely be dropped because
+of checksum verification.
+
+Reported-by: Bhargava Shastry
+Signed-off-by: Ben Pfaff
+Acked-by: Daniele Di Proietto
+---
+ lib/conntrack.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+Index: openvswitch-2.6.1/lib/conntrack.c
+===================================================================
+--- openvswitch-2.6.1.orig/lib/conntrack.c 2017-08-24 14:09:36.113192285 -0400
++++ openvswitch-2.6.1/lib/conntrack.c 2017-08-24 14:09:36.109192285 -0400
+@@ -564,15 +564,15 @@ extract_l3_ipv6(struct conn_key *key, co
+ const char **new_data)
+ {
+ const struct ovs_16aligned_ip6_hdr *ip6 = data;
+- uint8_t nw_proto = ip6->ip6_nxt;
+- uint8_t nw_frag = 0;
+-
+ if (new_data) {
+ if (OVS_UNLIKELY(size < sizeof *ip6)) {
+ return false;
+ }
+ }
+
++ uint8_t nw_proto = ip6->ip6_nxt;
++ uint8_t nw_frag = 0;
++
+ data = ip6 + 1;
+ size -= sizeof *ip6;
+
+@@ -619,8 +619,11 @@ check_l4_tcp(const struct conn_key *key,
+ const void *l3)
+ {
+ const struct tcp_header *tcp = data;
+- size_t tcp_len = TCP_OFFSET(tcp->tcp_ctl) * 4;
++ if (size < sizeof *tcp) {
++ return false;
++ }
+
++ size_t tcp_len = TCP_OFFSET(tcp->tcp_ctl) * 4;
+ if (OVS_UNLIKELY(tcp_len < TCP_HEADER_LEN || tcp_len > size)) {
+ return false;
+ }
+@@ -633,8 +636,11 @@ check_l4_udp(const struct conn_key *key,
+ const void *l3)
+ {
+ const struct udp_header *udp = data;
+- size_t udp_len = ntohs(udp->udp_len);
++ if (size < sizeof *udp) {
++ return false;
++ }
+
++ size_t udp_len = ntohs(udp->udp_len);
+ if (OVS_UNLIKELY(udp_len < UDP_HEADER_LEN || udp_len > size)) {
+ return false;
+ }
diff -Nru 
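Review bot: In extract_l3_ipv6 the moved `uint8_t nw_proto = ip6->ip6_nxt;` now sits after the size check, but that check runs only inside `if (new_data)`, so on the `new_data == NULL` path both the read of `ip6->ip6_nxt` and the later `size -= sizeof *ip6;` are still unguarded; presumably that path is reached only with a packet whose length was already validated, and a comment on the `if (new_data) {` line stating that precondition would make the assumption auditable, e.g. `/* new_data == NULL: caller already validated the L3 length — TODO confirm. */`. In check_l4_tcp and check_l4_udp the new minimum-size guards are plain `if (size < sizeof *tcp)` while the check two lines below wraps the same kind of test in OVS_UNLIKELY; for consistency within each function write them as `if (OVS_UNLIKELY(size < sizeof *tcp)) {` and `if (OVS_UNLIKELY(size < sizeof *udp)) {`. All three functions continue outside their hunks.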
openvswitch-2.6.1/debian/patches/CVE-2017-9265.patch openvswitch-2.6.1/debian/patches/CVE-2017-9265.patch
--- openvswitch-2.6.1/debian/patches/CVE-2017-9265.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.6.1/debian/patches/CVE-2017-9265.patch 2017-08-24 18:09:43.000000000 +0000
@@ -0,0 +1,33 @@
+From 1752ea92dc11935e0595d208fdfe8203baf5b55c Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Fri, 26 May 2017 12:59:06 -0700
+Subject: [PATCH] ofp-util: Check length of buckets in
+ ofputil_pull_ofp15_group_mod().
+
+This code blindly read forward for the number of bytes specified by the
+message without checking that it was in range.
+
+This bug is part of OpenFlow 1.5 support. Open vSwitch does not enable
+OpenFlow 1.5 support by default.
+
+Reported-by: Bhargava Shastry
+Signed-off-by: Ben Pfaff
+Acked-by: Yi-Hung Wei
+---
+ lib/ofp-util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: openvswitch-2.6.1/lib/ofp-util.c
+===================================================================
+--- openvswitch-2.6.1.orig/lib/ofp-util.c 2017-08-24 14:09:41.825192317 -0400
++++ openvswitch-2.6.1/lib/ofp-util.c 2017-08-24 14:09:41.821192317 -0400
+@@ -9386,6 +9386,9 @@ ofputil_pull_ofp15_group_mod(struct ofpb
+ }
+
+ bucket_list_len = ntohs(ogm->bucket_array_len);
++ if (bucket_list_len > msg->size) {
++ return OFPERR_OFPBRC_BAD_LEN;
++ }
+ error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
+ gm->type, &gm->buckets);
+ if (error) {
diff -Nru openvswitch-2.6.1/debian/patches/series openvswitch-2.6.1/debian/patches/series
--- openvswitch-2.6.1/debian/patches/series 2016-11-15 13:27:38.000000000 +0000
+++ openvswitch-2.6.1/debian/patches/series 2017-08-24 18:09:40.000000000 +0000
@@ -0,0 +1,4 @@
+CVE-2017-9214.patch
+CVE-2017-9263.patch
+CVE-2017-9264.patch
+CVE-2017-9265.patch
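Review bot: The new `if (bucket_list_len > msg->size)` guard in ofputil_pull_ofp15_group_mod is only a complete bound if `msg` has already been advanced past the group-mod header so that `msg->size` means "bytes still unread"; that looks like the ofpbuf pull convention in use here, but nothing in the hunk shows it, so a comment would help: `/* msg->size is what remains after the header was pulled; the bucket list must fit in it. */`. The companion CVE-2017-9214 patch in this same upload had to replace a `msg->size` bound with the caller's remaining length for exactly this kind of mismatch, so confirming which length is authoritative at this point is worth a second look. ofputil_pull_ofp15_group_mod's body starts and ends outside the hunk.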