Backport fix for CVE-2017-9263 and CVE-2017-9265

Resolves: #1457327, #1457335

openvswitch-CVE-2017-9263.patch

@@ -0,0 +1,31 @@
+From ebeef5b165fff88eff987628b5d849a6bffd017b Mon Sep 17 00:00:00 2001
+From: Ben Pfaff <blp@ovn.org>
+Date: Fri, 26 May 2017 13:22:26 -0700
+Subject: [PATCH] ofp-print: Don't abort on unknown reason in role status
+ message.
+
+A buggy or malicious switch could send a role status message with a bad
+reason code, which if printed by OVS would cause it to abort.  This fixes
+the problem.
+
+Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp@ovn.org>
+Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
+---
+ lib/ofp-print.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ofp-print.c b/lib/ofp-print.c
+index c03af61c3f..796039e728 100644
+--- a/lib/ofp-print.c
++++ b/lib/ofp-print.c
+@@ -2098,7 +2098,8 @@ ofp_print_role_status_message(struct ds *string, const struct ofp_header *oh)
+         break;
+     case OFPCRR_N_REASONS:
+     default:
+-        OVS_NOT_REACHED();
++        ds_put_cstr(string, "(unknown)");
++        break;
+     }
+ }
+ 

openvswitch-CVE-2017-9265.patch

@@ -0,0 +1,33 @@
+From 050f90662dde1da1ee3cdd209a9b65196a808811 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff <blp@ovn.org>
+Date: Fri, 26 May 2017 12:59:06 -0700
+Subject: [PATCH] ofp-util: Check length of buckets in
+ ofputil_pull_ofp15_group_mod().
+
+This code blindly read forward for the number of bytes specified by the
+message without checking that it was in range.
+
+This bug is part of OpenFlow 1.5 support.  Open vSwitch does not enable
+OpenFlow 1.5 support by default.
+
+Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp@ovn.org>
+Acked-by: Yi-Hung Wei <yihung.wei@gmail.com>
+---
+ lib/ofp-util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/ofp-util.c b/lib/ofp-util.c
+index 92c17f4837..39ab8362d0 100644
+--- a/lib/ofp-util.c
++++ b/lib/ofp-util.c
+@@ -9418,6 +9418,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version,
+     }
+ 
+     bucket_list_len = ntohs(ogm->bucket_array_len);
++    if (bucket_list_len > msg->size) {
++        return OFPERR_OFPBRC_BAD_LEN;
++    }
+     error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version,
+                                        gm->type, &gm->buckets);
+     if (error) {

openvswitch.spec

@@ -30,7 +30,7 @@
 
 Name: openvswitch
 Version: 2.7.1
-Release: 1%{?snapshot}%{?dist}
+Release: 2%{?snapshot}%{?dist}
 Summary: Open vSwitch daemon/database/utilities
 
 # Nearly all of openvswitch is ASL 2.0.  The bugtool is LGPLv2+, and the
@@ -42,6 +42,10 @@ Source0: http://openvswitch.org/releases/%{name}-%{version}%{?snap_gitsha}.tar.g
 Source1: http://fast.dpdk.org/rel/dpdk-%{dpdkver}.tar.gz
 Source2: ovs-snapshot.sh
 
+Patch1: openvswitch-CVE-2017-9263.patch
+Patch2: openvswitch-CVE-2017-9265.patch
+
+
 %if %{with dpdk}
 %define dpdkarches x86_64 i686 aarch64 ppc64le
 
@@ -644,6 +648,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_unitdir}/ovn-controller-vtep.service
 
 %changelog
+* Fri Jul 14 2017 Timothy Redaelli <tredaelli@redhat.com> - 2.7.1-2
+- Backport fix for CVE-2017-9263 (#1457327)
+- Backport fix fox CVE-2017-9265 (#1457335)
+
 * Thu Jul 06 2017 Timothy Redaelli <tredaelli@redhat.com> - 2.7.1-1
 - Updated to Open vSwitch 2.7.1 and DPDK 16.11.2 (#1468234)