Version in base suite: 1.2.4-2 Base version: fastnetmon_1.2.4-2 Target version: fastnetmon_1.2.4-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/fastnetmon/fastnetmon_1.2.4-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/f/fastnetmon/fastnetmon_1.2.4-2+deb12u1.dsc changelog | 14 ++++++ patches/CVE-2024-56072.patch | 87 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2024-56073.patch | 72 +++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 175 insertions(+)
diff -Nru fastnetmon-1.2.4/debian/changelog fastnetmon-1.2.4/debian/changelog
--- fastnetmon-1.2.4/debian/changelog 2023-03-14 14:23:10.000000000 +0000
+++ fastnetmon-1.2.4/debian/changelog 2024-12-23 09:30:10.000000000 +0000
@@ -1,3 +1,17 @@
+fastnetmon (1.2.4-2+deb12u1) bookworm-security; urgency=medium
+
+ [ Moritz Mühlenhoff ]
+ * Fixes CVE-2024-56073: Zero-length templates for Netflow v9 allow remote
+ attackers to cause a denial of service (divide-by-zero error and
+ application crash).
+ Closes: #1090387
+ * Fixes CVE-2024-56072: The sFlow v5 plugin allows remote attackers to cause
+ a denial of service (application crash) via a crafted packet that
+ specifies many sFlow samples.
+ Closes: #1090388
+
+ -- Patrick Matthäi Mon, 23 Dec 2024 10:30:10 +0100
+
 fastnetmon (1.2.4-2) unstable; urgency=medium
 
 * Add upstream patches 03-gobgp-3.12 and 04-gobgp-bindings to support goBGP
diff -Nru fastnetmon-1.2.4/debian/patches/CVE-2024-56072.patch fastnetmon-1.2.4/debian/patches/CVE-2024-56072.patch
--- fastnetmon-1.2.4/debian/patches/CVE-2024-56072.patch 1970-01-01 00:00:00.000000000 +0000
+++ fastnetmon-1.2.4/debian/patches/CVE-2024-56072.patch 2024-12-23 09:30:10.000000000 +0000
@@ -0,0 +1,87 @@
+Combined 1.2.4 backport of
+
+From 5164a29603fff9dd445b7660a35090989f005000 Mon Sep 17 00:00:00 2001
+From: Pavel Odintsov
+Date: Fri, 13 Dec 2024 02:08:40 +0300
+Subject: [PATCH] Fixed DoS vulnerability in sFlow v5 plugin which caused crash
+ of FastNetMon with specially crafted packet. Reported by Evgeny Shtanov aka
+ @Klavishnik
+
+and
+
+From 65c40ee92dd5bcad1ab52cbafa1afd62cf669e48 Mon Sep 17 00:00:00 2001
+From: Pavel Odintsov
+Date: Fri, 13 Dec 2024 02:32:10 +0300
+Subject: [PATCH] Added capping logic for sFlow counter and flow samples to
+ reduce chances of DoS
+
+--- fastnetmon-1.2.4.orig/src/libsflow/libsflow.hpp
++++ fastnetmon-1.2.4/src/libsflow/libsflow.hpp
+@@ -17,6 +17,15 @@
+ // We need it for sanity checks
+ const uint32_t max_udp_packet_size = 65535;
+ 
++// We need to limit number of samples by reasonable number
++const int32_t max_sflow_sample_number = 256;
++
++// We need to limit number of counter samples by reasonable number
++const uint32_t max_number_of_counter_records = 256;
++
++// We need to limit number of flow samples by reasonable number
++const uint32_t max_number_of_flow_records = 256;
++
+ enum class sflow_sample_type_t : unsigned int {
+ FLOW_SAMPLE = 1,
+ COUNTER_SAMPLE = 2,
+--- fastnetmon-1.2.4.orig/src/sflow_plugin/sflow_collector.cpp
++++ fastnetmon-1.2.4/src/sflow_plugin/sflow_collector.cpp
+@@ -318,6 +318,17 @@ bool process_sflow_flow_sample(uint8_t*
+ return false;
+ }
+ 
++ if (sflow_sample_header_unified_accessor.get_number_of_flow_records() > max_number_of_flow_records) {
++ logger << log4cpp::Priority::ERROR << plugin_log_prefix << "flow records number "
++ << sflow_sample_header_unified_accessor.get_number_of_flow_records()
++ << " exceeds maximum value "
++ << max_number_of_flow_records;
++
++ sflow_bad_flow_samples++;
++
++ return false;
++ }
++
+ uint8_t* flow_record_zone_start = data_pointer + sflow_sample_header_unified_accessor.get_original_payload_length();
+ 
+ vector_tuple_t vector_tuple;
+@@ -494,6 +505,16 @@ void parse_sflow_v5_packet(uint8_t* payl
+ return;
+ }
+ 
++ // As we're going to allocate memory using this value as number of elements
++ // we need to ensure that we capped it by reasonable value
++ if (sflow_header_accessor.get_datagram_samples_count() > max_sflow_sample_number) {
++ logger << log4cpp::Priority::ERROR << plugin_log_prefix
++ << "Number of sFlow samples in packet " << sflow_header_accessor.get_datagram_samples_count()
++ << " exceeds allowed maximum value " << max_sflow_sample_number;
++ sflow_bad_packets++;
++ return;
++ }
++
+ vector_sample_tuple_t samples_vector;
+ samples_vector.reserve(sflow_header_accessor.get_datagram_samples_count());
+ 
+@@ -581,6 +602,14 @@ bool process_sflow_counter_sample(uint8_
+ return false;
+ }
+ 
++ if (sflow_counter_header_unified_accessor.get_number_of_counter_records() > max_number_of_counter_records) {
++ logger << log4cpp::Priority::ERROR << plugin_log_prefix << "number of counter records "
++ << sflow_counter_header_unified_accessor.get_number_of_counter_records()
++ << " exceeds maximum value "
++ << max_number_of_counter_records;
++ return false;
++ }
++
+ counter_record_sample_vector_t counter_record_sample_vector;
+ counter_record_sample_vector.reserve(sflow_counter_header_unified_accessor.get_number_of_counter_records());
+ 
diff -Nru fastnetmon-1.2.4/debian/patches/CVE-2024-56073.patch fastnetmon-1.2.4/debian/patches/CVE-2024-56073.patch
--- fastnetmon-1.2.4/debian/patches/CVE-2024-56073.patch 1970-01-01 00:00:00.000000000 +0000
+++ fastnetmon-1.2.4/debian/patches/CVE-2024-56073.patch 2024-12-23 09:30:10.000000000 +0000
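Review bot: `max_sflow_sample_number` in libsflow.hpp is declared `const int32_t` while the two sibling caps added beside it are `uint32_t`, and it is compared against `get_datagram_samples_count()` in parse_sflow_v5_packet; if that accessor returns an unsigned value (it is also fed straight to `reserve`, which suggests so) the comparison is signed/unsigned and trips -Wsign-compare. Declaring it `const uint32_t max_sflow_sample_number = 256;` keeps the three limits consistent. Separately, the rejection branch added to process_sflow_counter_sample returns without bumping any statistics counter, whereas the flow-sample branch increments `sflow_bad_flow_samples` and the packet-level branch increments `sflow_bad_packets`; if 1.2.4 has a corresponding bad-counter-samples counter it should be incremented there too, so capped datagrams stay visible in the plugin's metrics. All three checks also log at ERROR for every rejected datagram, which an unauthenticated UDP sender can trigger at line rate, so a counter plus a rate-limited or lower-priority log would avoid turning the fix into a log-volume problem. The enclosing functions start and end outside the quoted hunks.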
@@ -0,0 +1,72 @@
+Backport to 1.2.4 of:
+
+From a36718525e08ad0f2a809363001bf105efc5fe1c Mon Sep 17 00:00:00 2001
+From: Pavel Odintsov
+Date: Fri, 13 Dec 2024 15:08:14 +0300
+Subject: [PATCH] DoS: explicitly blocked zero length data templates for
+ Netflow v9 as they have no sense DoS: explicitly blocked zero length options
+ templates for Netflow v9 as they have no sense DoS: Added fix for FPE /
+ division by zero in Netflow v9 logic when length of template is zero
+
+Reported by Evgeny Shtanov aka Klavishnik
+
+--- fastnetmon-1.2.4.orig/src/netflow_plugin/netflow_collector.cpp
++++ fastnetmon-1.2.4/src/netflow_plugin/netflow_collector.cpp
+@@ -614,7 +614,9 @@ bool process_netflow_v9_options_template
+ std::vector template_records_map;
+ uint32_t total_size = 0;
+ 
+- for (; offset < fast_ntoh(options_nested_header->option_length);) {
++ uint32_t option_length = fast_ntoh(options_nested_header->option_length);
++
++ for (; offset < option_length;) {
+ records_number++;
+ nf9_template_flowset_record_t* tmplr = (nf9_template_flowset_record_t*)(zone_address_without_skopes + offset);
+ 
+@@ -642,6 +644,15 @@ bool process_netflow_v9_options_template
+ 
+ field_template.option_scope_length = scopes_total_size;
+ 
++ // Templates with total length which is zero do not make any sense and have to be ignored
++ // We need templates to decode data blob and decoding zero length value is meaningless
++ if (field_template.total_len == 0) {
++ logger << log4cpp::Priority::ERROR
++ << "Received zero length malformed options Netfow v9 template " << template_id
++ << " from " << client_addres_in_string_format;
++ return false;
++ }
++
+ // logger << log4cpp::Priority::INFO << "Read options template:" << print_peer_nf9_template(field_template);
+ 
+ // Add/update template
+@@ -947,6 +958,15 @@ bool process_netflow_v9_template(uint8_t
+ // TODO: introduce nf9_check_rec_len
+ }
+ 
++ // Templates with total length which is zero do not make any sense and have to be ignored
++ // We need templates to decode data blob and decoding zero length value is meaningless
++ if (total_size == 0) {
++ logger << log4cpp::Priority::ERROR
++ << "Received zero length malformed data Netflow v9 template " << template_id
++ << " from " << client_addres_in_string_format;
++ return false;
++ }
++
+ field_template.template_id = template_id;
+ field_template.num_records = count;
+ field_template.total_len = total_size;
+@@ -1943,6 +1963,14 @@ bool process_netflow_v10_data(uint8_t* p
+ return false;
+ }
+ 
++ // Check that template total length is not zero as we're going to divide by it
++ if (flowset_template->total_len == 0) {
++ logger << log4cpp::Priority::ERROR
++ << "Zero template length is not valid "
++ << "client " << client_addres_in_string_format << " source_id: " << source_id;
++ return false;
++ }
++
+ uint32_t offset = sizeof(*dath);
+ uint32_t num_flowsets = (len - offset) / flowset_template->total_len;
+ 
diff -Nru fastnetmon-1.2.4/debian/patches/series fastnetmon-1.2.4/debian/patches/series
--- fastnetmon-1.2.4/debian/patches/series 2023-03-14 14:23:10.000000000 +0000
+++ fastnetmon-1.2.4/debian/patches/series 2024-12-23 09:30:10.000000000 +0000
@@ -2,3 +2,5 @@
 02-boost.diff
 03-gobgp-3.12.diff
 04-gobgp-bindings.diff
+CVE-2024-56073.patch
+CVE-2024-56072.patch
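Review bot: The explicit `total_len == 0` guard is added only to process_netflow_v10_data (the `-1943` hunk); the Netflow v9 side relies solely on process_netflow_v9_template and process_netflow_v9_options_template refusing to store zero-length templates. If the v9 data path divides by `flowset_template->total_len` the same way, it should carry the same `if (flowset_template->total_len == 0) { ...; return false; }` guard, and if IPFIX templates are parsed by a separate function that one is not patched here, so a zero-length v10 template is still stored and only rejected per data flowset. Rejecting at template time and guarding at data time for both versions would remove any dependence on which entry point a malformed template reaches first. Separately, the new message in process_netflow_v9_options_template reads `"Received zero length malformed options Netfow v9 template "`; as a runtime string that log filters may match on it should say `Netflow`, as the sibling message in process_netflow_v9_template does. All four enclosing functions start and end outside the quoted hunks.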