import frr-8.3.1-11.el9_3

1 year ago · 0648fbd27f
parent 0b71c3d730
commit 0648fbd27f
8 changed files with 260 additions and 10 deletions
--- a/SOURCES/0009-CVE-2022-36440-40302.patch
+++ b/SOURCES/0009-CVE-2022-36440-40302.patch
@ -0,0 +1,59 @@
+From 3e46b43e3788f0f87bae56a86b54d412b4710286 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Fri, 30 Sep 2022 08:51:45 -0400
+Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
+ peek_for_as4_capability
+
+In peek_for_as4_capability the code is checking that the
+stream has at least 2 bytes to read ( the opt_type and the
+opt_length ).  However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+is configured then FRR is reading 3 bytes.  Which is not good
+since the packet could be badly formated.  Ensure that
+FRR has the appropriate data length to read the data.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+---
+ bgpd/bgp_open.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
+index 7248f034a5a..a760a7ca013 100644
+--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
+@@ -1185,15 +1185,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length)
+ 		uint8_t opt_type;
+ 		uint16_t opt_length;
+ 
+-		/* Check the length. */
+-		if (stream_get_getp(s) + 2 > end)
+		/* Ensure we can read the option type */
+		if (stream_get_getp(s) + 1 > end)
+ 			goto end;
+ 
+-		/* Fetch option type and length. */
+		/* Fetch the option type */
+ 		opt_type = stream_getc(s);
+-		opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+-				     ? stream_getw(s)
+-				     : stream_getc(s);
+
+		/*
+		 * Check the length and fetch the opt_length
+		 * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+		 * then we do a getw which is 2 bytes.  So we need to
+		 * ensure that we can read that as well
+		 */
+		if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
+			if (stream_get_getp(s) + 2 > end)
+				goto end;
+
+			opt_length = stream_getw(s);
+		} else {
+			if (stream_get_getp(s) + 1 > end)
+				goto end;
+
+			opt_length = stream_getc(s);
+		}
+ 
+ 		/* Option length check. */
+ 		if (stream_get_getp(s) + opt_length > end)
--- a/SOURCES/0010-CVE-2022-43681.patch
+++ b/SOURCES/0010-CVE-2022-43681.patch
@ -0,0 +1,47 @@
+From 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Wed, 2 Nov 2022 13:24:48 -0400
+Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
+ read
+
+If a operator receives an invalid packet that is of insufficient size
+then it is possible for BGP to assert during reading of the packet
+instead of gracefully resetting the connection with the peer.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+---
+ bgpd/bgp_packet.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index 769f9613da8..72d6a923175 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
+ 	    || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
+ 		uint8_t opttype;
+ 
+		if (STREAM_READABLE(peer->curr) < 1) {
+			flog_err(
+				EC_BGP_PKT_OPEN,
+				"%s: stream does not have enough bytes for extended optional parameters",
+				peer->host);
+			bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+					BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+			return BGP_Stop;
+		}
+
+ 		opttype = stream_getc(peer->curr);
+ 		if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
+			if (STREAM_READABLE(peer->curr) < 2) {
+				flog_err(
+					EC_BGP_PKT_OPEN,
+					"%s: stream does not have enough bytes to read the extended optional parameters optlen",
+					peer->host);
+				bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+						BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+				return BGP_Stop;
+			}
+ 			optlen = stream_getw(peer->curr);
+ 			SET_FLAG(peer->sflags,
+ 				 PEER_STATUS_EXT_OPT_PARAMS_LENGTH);
--- a/SOURCES/0011-CVE-2022-40318.patch
+++ b/SOURCES/0011-CVE-2022-40318.patch
@ -0,0 +1,70 @@
+From 1117baca3c592877a4d8a13ed6a1d9bd83977487 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Fri, 30 Sep 2022 08:57:43 -0400
+Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
+ bgp_open_option_parse
+
+In bgp_open_option_parse the code is checking that the
+stream has at least 2 bytes to read ( the opt_type and
+the opt_length).  However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+is configured then FRR is reading 3 bytes.  Which is not good
+since the packet could be badly formateed.  Ensure that
+FRR has the appropriate data length to read the data.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+---
+ bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
+index a760a7ca013..d1667fac261 100644
+--- a/bgpd/bgp_open.c
+++ b/bgpd/bgp_open.c
+@@ -1278,19 +1278,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length,
+ 		uint8_t opt_type;
+ 		uint16_t opt_length;
+ 
+-		/* Must have at least an OPEN option header */
+-		if (STREAM_READABLE(s) < 2) {
+		/*
+		 * Check that we can read the opt_type and fetch it
+		 */
+		if (STREAM_READABLE(s) < 1) {
+ 			zlog_info("%s Option length error", peer->host);
+ 			bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+ 					BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+ 			return -1;
+ 		}
+-
+-		/* Fetch option type and length. */
+ 		opt_type = stream_getc(s);
+-		opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
+-				     ? stream_getw(s)
+-				     : stream_getc(s);
+
+		/*
+		 * Check the length of the stream to ensure that
+		 * FRR can properly read the opt_length. Then read it
+		 */
+		if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
+			if (STREAM_READABLE(s) < 2) {
+				zlog_info("%s Option length error", peer->host);
+				bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+						BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+				return -1;
+			}
+
+			opt_length = stream_getw(s);
+		} else {
+			if (STREAM_READABLE(s) < 1) {
+				zlog_info("%s Option length error", peer->host);
+				bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
+						BGP_NOTIFY_OPEN_MALFORMED_ATTR);
+				return -1;
+			}
+
+			opt_length = stream_getc(s);
+		}
+ 
+ 		/* Option length check. */
+ 		if (STREAM_READABLE(s) < opt_length) {
--- a/SOURCES/0012-bfd-not-working-in-vrf.patch
+++ b/SOURCES/0012-bfd-not-working-in-vrf.patch
--- a/SOURCES/0013-CVE-2023-38802.patch
+++ b/SOURCES/0013-CVE-2023-38802.patch
--- a/SOURCES/frr.if
+++ b/SOURCES/frr.if
@ -160,3 +160,55 @@ interface(`frr_admin',`
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
+
+########################################
+#
+# Interface compatibility blocks
+#
+# The following definitions ensure compatibility with distribution policy
+# versions that do not contain given interfaces (epel, or older Fedora
+# releases).
+# Each block tests for existence of given interface and defines it if needed.
+#
+
+######################################
+## <summary>
+##	Watch ifconfig_var_run_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_watch_ifconfig_run',`
+	interface(`sysnet_watch_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
+
+########################################
+## <summary>
+##	Read ifconfig_var_run_t files and link files
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+ifndef(`sysnet_read_ifconfig_run',`
+	interface(`sysnet_read_ifconfig_run',`
+		gen_require(`
+			type ifconfig_var_run_t;
+		')
+
+		list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+	')
+')
--- a/SOURCES/frr.te
+++ b/SOURCES/frr.te
@ -31,9 +31,9 @@ files_pid_file(frr_var_run_t)
 #
 # frr local policy
 #
-allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:packet_socket create;
+allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
 allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
@ -95,6 +95,10 @@ domain_use_interactive_fds(frr_t)
 fs_read_nsfs_files(frr_t)

 sysnet_exec_ifconfig(frr_t)
+sysnet_read_ifconfig_run(frr_t)
+sysnet_watch_ifconfig_run(frr_t)
+
+ipsec_domtrans_mgmt(frr_t)

 userdom_read_admin_home_files(frr_t)

--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@ -7,7 +7,7 @@

 Name: frr
 Version: 8.3.1
-Release: 5%{?checkout}%{?dist}.2
+Release: 11%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@ -71,8 +71,11 @@ Patch0005: 0005-ospf-api.patch
 Patch0006: 0006-graceful-restart.patch
 Patch0007: 0007-cve-2022-37032.patch
 Patch0008: 0008-frr-non-root-user.patch
-Patch0009: 0009-bfd-not-working-in-vrf.patch
-Patch0010: 0010-CVE-2023-38802.patch
+Patch0009: 0009-CVE-2022-36440-40302.patch
+Patch0010: 0010-CVE-2022-43681.patch
+Patch0011: 0011-CVE-2022-40318.patch
+Patch0012: 0012-bfd-not-working-in-vrf.patch
+Patch0013: 0013-CVE-2023-38802.patch

 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -278,13 +281,28 @@ make check PYTHON=%{__python3}
 %endif

 %changelog
-* Wed Sep 06 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5.2
- Resolves: #2236711 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router
+* Wed Sep 13 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-11
+- Resolves: #2231001 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router

-* Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5.1
- Resolves: #2212921 - BFD not working through VRF
+* Thu Aug 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-10
+- Related: #2216912 - adding sys_admin to capabilities

-* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 8.2.2-4
+* Tue Aug 08 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-9
+- Resolves: #2215346 - frr policy does not allow the execution of /usr/sbin/ipsec
+
+* Mon Aug 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-8
+- Resolves: #2216912 - SELinux is preventing FRR-Zebra to access to network namespaces
+
+* Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-7
+- Resolves: #2168855 - BFD not working through VRF
+
+* Tue May 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-6
+- Resolves: #2184870 - Reachable assertion in peek_for_as4_capability function
+- Resolves: #2196795 - denial of service by crafting a BGP OPEN message with an option of type 0xff
+- Resolves: #2196796 - denial of service by crafting a BGP OPEN message with an option of type 0xff
+- Resolves: #2196794 - out-of-bounds read exists in the BGP daemon of FRRouting
+
+* Wed Mar 15 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 8.3.1-5
 - Rebuilt for MSVSphere 9.1.

 * Mon Nov 28 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5