diff --git a/SOURCES/0009-CVE-2022-36440-40302.patch b/SOURCES/0009-CVE-2022-36440-40302.patch new file mode 100644 index 0000000..08de573 --- /dev/null +++ b/SOURCES/0009-CVE-2022-36440-40302.patch 
@@ -0,0 +1,59 @@ +From 3e46b43e3788f0f87bae56a86b54d412b4710286 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Fri, 30 Sep 2022 08:51:45 -0400 +Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in + peek_for_as4_capability + +In peek_for_as4_capability the code is checking that the +stream has at least 2 bytes to read ( the opt_type and the +opt_length ). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) +is configured then FRR is reading 3 bytes. Which is not good +since the packet could be badly formated. Ensure that +FRR has the appropriate data length to read the data. + +Signed-off-by: Donald Sharp +--- + bgpd/bgp_open.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c +index 7248f034a5a..a760a7ca013 100644 +--- a/bgpd/bgp_open.c ++++ b/bgpd/bgp_open.c +@@ -1185,15 +1185,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length) + uint8_t opt_type; + uint16_t opt_length; + +- /* Check the length. */ +- if (stream_get_getp(s) + 2 > end) ++ /* Ensure we can read the option type */ ++ if (stream_get_getp(s) + 1 > end) + goto end; + +- /* Fetch option type and length. */ ++ /* Fetch the option type */ + opt_type = stream_getc(s); +- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) +- ? stream_getw(s) +- : stream_getc(s); ++ ++ /* ++ * Check the length and fetch the opt_length ++ * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) ++ * then we do a getw which is 2 bytes. So we need to ++ * ensure that we can read that as well ++ */ ++ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) { ++ if (stream_get_getp(s) + 2 > end) ++ goto end; ++ ++ opt_length = stream_getw(s); ++ } else { ++ if (stream_get_getp(s) + 1 > end) ++ goto end; ++ ++ opt_length = stream_getc(s); ++ } + + /* Option length check. */ + if (stream_get_getp(s) + opt_length > end) 
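Review bot: Nothing inside this patch file records which advisories it addresses or that it is an unmodified upstream pick; the CVE ids live only in the file name (lost once the patch is applied or quoted) and the commit message describes the 2-versus-3-byte read without naming them. Add trailers after the `Signed-off-by:` line, where `git am` keeps them in the message body, e.g. `CVE: CVE-2022-36440 CVE-2022-40302` and `(cherry picked from commit 3e46b43e3788f0f87bae56a86b54d412b4710286)`, so a later audit can tie the package change to the advisories without reading the spec changelog. The code change itself looks right as far as the hunk shows: the type byte and the 1- or 2-byte length are each bounded against `end` before being read, and the pre-existing `opt_length` check against `end` still follows. The `end` bound, the `end:` label that a failed check jumps to, and the rest of peek_for_as4_capability are outside the hunk, so whether a rejected header leaves the read position untouched cannot be confirmed here.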
diff --git a/SOURCES/0010-CVE-2022-43681.patch b/SOURCES/0010-CVE-2022-43681.patch new file mode 100644 index 0000000..73fcfc3 --- /dev/null +++ b/SOURCES/0010-CVE-2022-43681.patch @@ -0,0 +1,47 @@ +From 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Wed, 2 Nov 2022 13:24:48 -0400 +Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to + read + +If a operator receives an invalid packet that is of insufficient size +then it is possible for BGP to assert during reading of the packet +instead of gracefully resetting the connection with the peer. + +Signed-off-by: Donald Sharp +--- + bgpd/bgp_packet.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index 769f9613da8..72d6a923175 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size) + || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) { + uint8_t opttype; + ++ if (STREAM_READABLE(peer->curr) < 1) { ++ flog_err( ++ EC_BGP_PKT_OPEN, ++ "%s: stream does not have enough bytes for extended optional parameters", ++ peer->host); ++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, ++ BGP_NOTIFY_OPEN_MALFORMED_ATTR); ++ return BGP_Stop; ++ } ++ + opttype = stream_getc(peer->curr); + if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) { ++ if (STREAM_READABLE(peer->curr) < 2) { ++ flog_err( ++ EC_BGP_PKT_OPEN, ++ "%s: stream does not have enough bytes to read the extended optional parameters optlen", ++ peer->host); ++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, ++ BGP_NOTIFY_OPEN_MALFORMED_ATTR); ++ return BGP_Stop; ++ } + optlen = stream_getw(peer->curr); + SET_FLAG(peer->sflags, + PEER_STATUS_EXT_OPT_PARAMS_LENGTH); diff --git a/SOURCES/0011-CVE-2022-40318.patch b/SOURCES/0011-CVE-2022-40318.patch new file mode 100644 index 0000000..e4dadfb --- /dev/null +++ b/SOURCES/0011-CVE-2022-40318.patch 
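Review bot: Both new guards log with `flog_err(EC_BGP_PKT_OPEN, ...)` for a condition any unauthenticated peer can trigger with one truncated OPEN, which turns each malformed packet into an error-level log line, while the equivalent checks in bgp_open_option_parse use `zlog_info("%s Option length error", peer->host)`; logging at info or warning here would keep the two paths consistent and avoid handing a remote peer a cheap log-flooding primitive (whether the rest of bgp_open_receive already logs at error level for similar input is not visible in the hunk). The first message could also say what was being read: that guard sits in front of the non-extended optional-parameter type byte, so `"%s: OPEN truncated before the optional parameter type byte"` is more precise than "for extended optional parameters". The hunk ends right after `optlen = stream_getw(peer->curr)`; the check that `optlen` fits in `STREAM_READABLE(peer->curr)` before the options are parsed is presumably next, but it is outside the view and is the bound that matters most for this CVE. bgp_open_receive, and the `if` whose `||` clause opens the hunk, both begin before it.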
@@ -0,0 +1,70 @@ +From 1117baca3c592877a4d8a13ed6a1d9bd83977487 Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Fri, 30 Sep 2022 08:57:43 -0400 +Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in + bgp_open_option_parse + +In bgp_open_option_parse the code is checking that the +stream has at least 2 bytes to read ( the opt_type and +the opt_length). However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) +is configured then FRR is reading 3 bytes. Which is not good +since the packet could be badly formateed. Ensure that +FRR has the appropriate data length to read the data. + +Signed-off-by: Donald Sharp +--- + bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++------- + 1 file changed, 28 insertions(+), 7 deletions(-) + +diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c +index a760a7ca013..d1667fac261 100644 +--- a/bgpd/bgp_open.c ++++ b/bgpd/bgp_open.c +@@ -1278,19 +1278,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length, + uint8_t opt_type; + uint16_t opt_length; + +- /* Must have at least an OPEN option header */ +- if (STREAM_READABLE(s) < 2) { ++ /* ++ * Check that we can read the opt_type and fetch it ++ */ ++ if (STREAM_READABLE(s) < 1) { + zlog_info("%s Option length error", peer->host); + bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, + BGP_NOTIFY_OPEN_MALFORMED_ATTR); + return -1; + } +- +- /* Fetch option type and length. */ + opt_type = stream_getc(s); +- opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) +- ? stream_getw(s) +- : stream_getc(s); ++ ++ /* ++ * Check the length of the stream to ensure that ++ * FRR can properly read the opt_length. 
Then read it ++ */ ++ if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) { ++ if (STREAM_READABLE(s) < 2) { ++ zlog_info("%s Option length error", peer->host); ++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, ++ BGP_NOTIFY_OPEN_MALFORMED_ATTR); ++ return -1; ++ } ++ ++ opt_length = stream_getw(s); ++ } else { ++ if (STREAM_READABLE(s) < 1) { ++ zlog_info("%s Option length error", peer->host); ++ bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR, ++ BGP_NOTIFY_OPEN_MALFORMED_ATTR); ++ return -1; ++ } ++ ++ opt_length = stream_getc(s); ++ } + + /* Option length check. */ + if (STREAM_READABLE(s) < opt_length) { diff --git a/SOURCES/0009-bfd-not-working-in-vrf.patch b/SOURCES/0012-bfd-not-working-in-vrf.patch similarity index 100% rename from SOURCES/0009-bfd-not-working-in-vrf.patch rename to SOURCES/0012-bfd-not-working-in-vrf.patch diff --git a/SOURCES/0010-CVE-2023-38802.patch b/SOURCES/0013-CVE-2023-38802.patch similarity index 100% rename from SOURCES/0010-CVE-2023-38802.patch rename to SOURCES/0013-CVE-2023-38802.patch diff --git a/SOURCES/frr.if b/SOURCES/frr.if index d96499d..8dbabba 100644 --- a/SOURCES/frr.if +++ b/SOURCES/frr.if 
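Review bot: The three copies of the `zlog_info` / `bgp_notify_send` / `return -1` block in the new code differ only in the byte count being checked, and the extended/non-extended split exists only to pick 2 or 1 for the length field; checking the whole parameter header once, before either read, rejects the same inputs with a third of the code and without consuming the type byte on the failure path. The outcome is the same as far as the hunk shows, since every failing path sends `BGP_NOTIFY_OPEN_ERR`/`BGP_NOTIFY_OPEN_MALFORMED_ATTR` and returns -1, after which the partially advanced stream position should not matter. This file is a backport of upstream commit 1117baca, so the rewrite is something to send upstream rather than carry as a package-local delta unless this function already diverges locally. bgp_open_option_parse begins before the hunk and continues past the `STREAM_READABLE(s) < opt_length` check on its last line.
```c
	/* … unchanged: locals opt_type / opt_length … */

	/*
	 * The parameter header is the 1-byte type plus a 1-byte length, or a
	 * 2-byte length when extended optional parameters are in use; make
	 * sure the whole header is readable before touching any of it.
	 */
	if (STREAM_READABLE(s) < (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) ? 3 : 2)) {
		zlog_info("%s Option length error", peer->host);
		bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
				BGP_NOTIFY_OPEN_MALFORMED_ATTR);
		return -1;
	}
	opt_type = stream_getc(s);
	opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer) ? stream_getw(s)
							   : stream_getc(s);

	/* … unchanged: option length check and option parsing … */
```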
@@ -160,3 +160,55 @@ interface(`frr_admin',` systemd_read_fifo_file_passwd_run($1) ') ') + +######################################## +# +# Interface compatibility blocks +# +# The following definitions ensure compatibility with distribution policy +# versions that do not contain given interfaces (epel, or older Fedora +# releases). +# Each block tests for existence of given interface and defines it if needed. +# + +###################################### +## +## Watch ifconfig_var_run_t directories +## +## +## +## Domain allowed access. +## +## +# +ifndef(`sysnet_watch_ifconfig_run',` + interface(`sysnet_watch_ifconfig_run',` + gen_require(` + type ifconfig_var_run_t; + ') + + watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') +') + +######################################## +## +## Read ifconfig_var_run_t files and link files +## +## +## +## Domain allowed access. +## +## +# +ifndef(`sysnet_read_ifconfig_run',` + interface(`sysnet_read_ifconfig_run',` + gen_require(` + type ifconfig_var_run_t; + ') + + list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') +') diff --git a/SOURCES/frr.te b/SOURCES/frr.te index 0178c2a..d9d1169 100644 --- a/SOURCES/frr.te +++ b/SOURCES/frr.te 
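Review bot: The compatibility shim for `sysnet_watch_ifconfig_run` relies on `watch_dirs_pattern`, i.e. the `dir:watch` permission, inside a block whose own comment says it exists for policies old enough to lack the interface; `watch` is a comparatively recent addition to the file/dir classes, so on a policy old enough to predate it the module would fail to build, which is the opposite of what the shim is for. State the oldest policy the shim has actually been built against in the comment block, e.g. `# Verified against the epel/older-Fedora selinux-policy releases that already define dir:watch; drop the watch block on anything older.`, or guard it on a version macro if the policy build exposes one (I cannot tell from this file whether it does). The `##` documentation lines here carry only bare text ("Watch ifconfig_var_run_t directories", "Domain allowed access."), so if the committed file really lacks the `<summary>` and `<param name="domain">` markup the refpolicy doc tooling will not pick the interfaces up; check whether the tags were stripped only in this rendering.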
@@ -31,9 +31,9 @@ files_pid_file(frr_var_run_t) # # frr local policy # -allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin }; +allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin }; allow frr_t self:netlink_route_socket rw_netlink_socket_perms; -allow frr_t self:packet_socket create; +allow frr_t self:packet_socket create_socket_perms; allow frr_t self:process { setcap setpgid }; allow frr_t self:rawip_socket create_socket_perms; allow frr_t self:tcp_socket { connect connected_stream_socket_perms }; @@ -95,6 +95,10 @@ domain_use_interactive_fds(frr_t) fs_read_nsfs_files(frr_t) sysnet_exec_ifconfig(frr_t) +sysnet_read_ifconfig_run(frr_t) +sysnet_watch_ifconfig_run(frr_t) + +ipsec_domtrans_mgmt(frr_t) userdom_read_admin_home_files(frr_t) diff --git a/SPECS/frr.spec b/SPECS/frr.spec index 603f6c9..d47a61e 100644 --- a/SPECS/frr.spec +++ b/SPECS/frr.spec @@ -7,7 +7,7 @@ Name: frr Version: 8.3.1 -Release: 5%{?checkout}%{?dist}.2 +Release: 11%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -71,8 +71,11 @@ Patch0005: 0005-ospf-api.patch Patch0006: 0006-graceful-restart.patch Patch0007: 0007-cve-2022-37032.patch Patch0008: 0008-frr-non-root-user.patch -Patch0009: 0009-bfd-not-working-in-vrf.patch -Patch0010: 0010-CVE-2023-38802.patch +Patch0009: 0009-CVE-2022-36440-40302.patch +Patch0010: 0010-CVE-2022-43681.patch +Patch0011: 0011-CVE-2022-40318.patch +Patch0012: 0012-bfd-not-working-in-vrf.patch +Patch0013: 0013-CVE-2023-38802.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes 
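Review bot: `sys_admin` is appended to frr_t's `self:capability` set without a comment, and in the capability model it is the catch-all covering mounts, setns(2), and a long tail of other privileged operations, far broader than the `net_admin` the domain already holds; the spec changelog ties it to zebra accessing network namespaces (rhbz#2216912), which on Linux is the setns(CLONE_NEWNET) path that needs CAP_SYS_ADMIN, but that reasoning lives nowhere near the rule. Put it on the rule so the next audit does not have to dig: `# sys_admin: zebra setns() into VRF network namespaces (rhbz#2216912)` above the `allow frr_t self:capability` line, and if the daemon only needs it when netns-backed VRFs are configured, consider gating it behind a boolean rather than granting it unconditionally. The widening of `packet_socket` from `create` to `create_socket_perms` (bind, read, write and the rest) in the same hunk likewise deserves a one-line reason beside it.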
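Review bot: `ipsec_domtrans_mgmt(frr_t)` lets frr_t execute the ipsec management tool and transition into its domain (presumably ipsec_mgmt_t), which is a considerably larger grant than the two read/watch interfaces added beside it, yet nothing in the .te says which FRR daemon runs /usr/sbin/ipsec or why; the spec changelog only restates the denial (rhbz#2215346). Add a why-comment on the line, e.g. `# rhbz#2215346: <daemon> execs /usr/sbin/ipsec to <purpose>; needs the ipsec_mgmt domain transition`, filling in the daemon and purpose from the bug, and confirm a full domain transition is required rather than plain execution within frr_t. The trailing context of this hunk is shorter than the `+95,10` header declares, so the line may be truncated in this rendering.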
@@ -278,13 +281,28 @@ make check PYTHON=%{__python3} %endif %changelog -* Wed Sep 06 2023 Michal Ruprich - 8.3.1-5.2 -- Resolves: #2236711 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router +* Wed Sep 13 2023 Michal Ruprich - 8.3.1-11 +- Resolves: #2231001 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router -* Wed Jun 07 2023 Michal Ruprich - 8.3.1-5.1 -- Resolves: #2212921 - BFD not working through VRF +* Thu Aug 10 2023 Michal Ruprich - 8.3.1-10 +- Related: #2216912 - adding sys_admin to capabilities -* Wed Mar 15 2023 MSVSphere Packaging Team - 8.2.2-4 +* Tue Aug 08 2023 Michal Ruprich - 8.3.1-9 +- Resolves: #2215346 - frr policy does not allow the execution of /usr/sbin/ipsec + +* Mon Aug 07 2023 Michal Ruprich - 8.3.1-8 +- Resolves: #2216912 - SELinux is preventing FRR-Zebra to access to network namespaces + +* Wed Jun 07 2023 Michal Ruprich - 8.3.1-7 +- Resolves: #2168855 - BFD not working through VRF + +* Tue May 23 2023 Michal Ruprich - 8.3.1-6 +- Resolves: #2184870 - Reachable assertion in peek_for_as4_capability function +- Resolves: #2196795 - denial of service by crafting a BGP OPEN message with an option of type 0xff +- Resolves: #2196796 - denial of service by crafting a BGP OPEN message with an option of type 0xff +- Resolves: #2196794 - out-of-bounds read exists in the BGP daemon of FRRouting + +* Wed Mar 15 2023 MSVSphere Packaging Team - 8.3.1-5 - Rebuilt for MSVSphere 9.1. * Mon Nov 28 2022 Michal Ruprich - 8.3.1-5