Version in base suite: 2.15.0+ds1-2+deb11u1
Base version: openvswitch_2.15.0+ds1-2+deb11u1
Target version: openvswitch_2.15.0+ds1-2+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openvswitch/openvswitch_2.15.0+ds1-2+deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openvswitch/openvswitch_2.15.0+ds1-2+deb11u2.dsc
changelog | 8 +
patches/CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch | 29 ++++++
patches/CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch | 47 ++++++++++
patches/py3-compat.patch | 27 -----
patches/series | 2
5 files changed, 86 insertions(+), 27 deletions(-)
diff -Nru openvswitch-2.15.0+ds1/debian/changelog openvswitch-2.15.0+ds1/debian/changelog
--- openvswitch-2.15.0+ds1/debian/changelog 2022-01-03 12:53:38.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/changelog 2022-10-03 10:59:27.000000000 +0000
@@ -1,3 +1,11 @@
+openvswitch (2.15.0+ds1-2+deb11u2) bullseye-security; urgency=medium
+
+ * Fix ovs-dpctl-top by removing 3 wrong hunks in py3-compat.patch.
+ * CVE-2022-4337 & CVE-2022-4338: Out-of-Bounds Read and Integer Underflow in
+ Organization Specific TLV. Added upstream patches (Closes: #1027273).
+
+ -- Thomas Goirand Mon, 03 Oct 2022 12:59:27 +0200
+
 openvswitch (2.15.0+ds1-2+deb11u1) bullseye; urgency=medium
 * CVE-2021-36980: use-after-free in decode_NXAST_RAW_ENCAPAdd. Add upstream
diff -Nru openvswitch-2.15.0+ds1/debian/patches/CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch openvswitch-2.15.0+ds1/debian/patches/CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch
--- openvswitch-2.15.0+ds1/debian/patches/CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/patches/CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch 2022-10-03 10:59:27.000000000 +0000
@@ -0,0 +1,29 @@
+Description: CVE-2022-4337 CVE-2022-4338 fix bugs when parsing malformed LLDP packets
+Author: cq
+Date: Tue, 22 Nov 2022 11:05:03 +0800
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Signed-off-by: Qian Chen
+Bug-Debian: https://bugs.debian.org/1027273
+Origin: upstream, https://github.com/openvswitch/ovs/commit/48b21e2b511a4d1ee5871e04fffe26a3ecc967dc.patch
+Last-Update: 2023-01-03
+
+Index: openvswitch/lib/lldp/lldp.c
+===================================================================
+--- openvswitch.orig/lib/lldp/lldp.c
++++ openvswitch/lib/lldp/lldp.c
+@@ -581,6 +581,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED
+ 
+ switch(tlv_subtype) {
+ case LLDP_TLV_AA_ELEMENT_SUBTYPE:
++ CHECK_TLV_SIZE(50, "ELEMENT");
+ PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+ 
+ aa_element_dword = PEEK_UINT32;
+@@ -627,6 +628,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED
+ break;
+ 
+ case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE:
++ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS");
+ PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+ 
+ /* Subtract off tlv type and length (2Bytes) + OUI (3B) +
diff -Nru openvswitch-2.15.0+ds1/debian/patches/CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch openvswitch-2.15.0+ds1/debian/patches/CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch
--- openvswitch-2.15.0+ds1/debian/patches/CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch 1970-01-01 00:00:00.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/patches/CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch 2022-10-03 10:59:27.000000000 +0000
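Review bot: The two floors added by the inner hunk, `CHECK_TLV_SIZE(50, "ELEMENT");` and `CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS");`, are bare literals with nothing recording how they were derived, even though the bytes they guard are consumed right below through `PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest)` and, for ELEMENT, `PEEK_UINT32`. If the width of `msg_auth_digest` or of the fields decoded after it ever changes, these constants drift silently and the over-read the patch closes can reopen without any compiler or reviewer noticing. I would anchor each floor with a comment such as `/* Minimum TLV size: OUI + subtype + msg_auth_digest + the fixed fields read below; keep in sync with the PEEK_* sequence. */`, or better, express it as `sizeof msg_auth_digest` plus the remaining field widths so the relationship is checked by the compiler. The enclosing `lldp_decode` switch begins and ends outside the hunk, so whether the later `tlv_size` subtraction hinted at by the trailing comment is fully covered by the 36-byte check cannot be confirmed from here.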
@@ -0,0 +1,47 @@
+Description: CVE-2022-4337 CVE-2022-4338 Add a unit test for LLDP
+Author: cq
+Date: Thu, 1 Dec 2022 11:45:20 +0800
+Signed-off-by: Qian Chen
+Bug-Debian: https://bugs.debian.org/1027273
+Origin: upstream, https://github.com/openvswitch/ovs/commit/e00600a8892dc9e245222e1de0b12fff186aaeda.patch
+Last-Update: 2023-01-03
+
+Index: openvswitch/tests/system-traffic.at
+===================================================================
+--- openvswitch.orig/tests/system-traffic.at
++++ openvswitch/tests/system-traffic.at
+@@ -6354,3 +6354,34 @@ OVS_WAIT_UNTIL([cat p2.pcap | egrep "0x0
+ 
+ OVS_TRAFFIC_VSWITCHD_STOP
+ AT_CLEANUP
++
++AT_SETUP([autoattach - malformed lldp])
++OVS_TRAFFIC_VSWITCHD_START()
++
++ADD_NAMESPACES(at_ns0)
++
++dnl Set up simple bridge port to receive lldp packets
++ADD_VETH(p0, at_ns0, br-auto, "172.31.1.1/24", "f6:b4:26:aa:5f:00")
++
++NETNS_DAEMONIZE([at_ns0], [tcpdump -l -n -xx -U -i p0 > p0.pcap], [tcpdump.pid])
++sleep 1
++
++dnl Enable lldp
++AT_CHECK([ovs-vsctl set interface ovs-p0 lldp:enable=true])
++
++dnl Send a malformed lldp packet
++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 01 80 c2 00 00 0e f6 b4 26 aa 5f 00 88 cc 02 07 04 f6 b4 26 aa 5f 00 04 03 05 76 32 06 02 00 78 0c 50 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 fe 05 00 04 0d 0c 01 00 00 >/dev/null])
++
++dnl Check the logs and autoattach rx statistics here
++dnl Check the expected lldp packet
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0000: *0180 *c200 *000e *f6b4 *26aa *5f00 *88cc *0207" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0010: *04f6 *b426 *aa5f *0004 *0305 *7632 *0602 *0078" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0020: *0c50 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0030: *4546 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0040: *4546 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0050: *4546 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0060: *4546 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0070: *4546 *fe05 *0004 *0d0c *0100 *00" 2>&1 1>/dev/null])
++
++OVS_TRAFFIC_VSWITCHD_STOP
++AT_CLEANUP
diff -Nru openvswitch-2.15.0+ds1/debian/patches/py3-compat.patch openvswitch-2.15.0+ds1/debian/patches/py3-compat.patch
--- openvswitch-2.15.0+ds1/debian/patches/py3-compat.patch 2022-01-03 12:53:38.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/patches/py3-compat.patch 2022-10-03 10:59:27.000000000 +0000
@@ -147,33 +147,6 @@
 import sys
 import os
 try:
-@@ -419,7 +421,7 @@ def flow_line_iter(line):
- rc.append(element)
- element = ""
- else:
-- element += ch
-+ element += str(ch)
- 
- if (paren_count):
- raise ValueError(line)
-@@ -468,7 +470,7 @@ def flow_line_split(line):
- 
- """
- 
-- results = re.split(', ', line)
-+ results = re.split(b', ', line)
- 
- (field, stats, action) = (results[0], results[1:-1], results[-1])
- 
-@@ -963,7 +965,7 @@ class FlowDB:
- if not isinstance(line, str):
- line = str(line)
- 
-- line = line.rstrip("\n")
-+ line = line.rstrip(b"\n")
- (fields, stats, _) = flow_line_split(line)
- 
- try:
 --- a/utilities/ovs-l3ping.in
 +++ b/utilities/ovs-l3ping.in
 @@ -18,8 +18,10 @@ opening holes in the firewall for the XM
diff -Nru openvswitch-2.15.0+ds1/debian/patches/series openvswitch-2.15.0+ds1/debian/patches/series
--- openvswitch-2.15.0+ds1/debian/patches/series 2022-01-03 12:53:38.000000000 +0000
+++ openvswitch-2.15.0+ds1/debian/patches/series 2022-10-03 10:59:27.000000000 +0000
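Review bot: The new `autoattach - malformed lldp` test only proves that the crafted frame reached the veth: every assertion after `dnl Check the expected lldp packet` greps the tcpdump capture for the bytes that were just sent, and nothing checks how ovs-vswitchd handled them, although the preceding comment `dnl Check the logs and autoattach rx statistics here` promises exactly that and no check follows it. As written, a crash or silent over-read in the decoder would only surface indirectly, if at all, through `OVS_TRAFFIC_VSWITCHD_STOP`, so the test can pass without exercising the fix it accompanies. I would add an explicit wait on the decoder's rejection, e.g. `OVS_WAIT_UNTIL([grep -q "<expected TLV-too-short warning>" ovs-vswitchd.log])`, and tolerate that warning in the stop macro if it would otherwise be flagged as unexpected. Minor style points: `cat p0.pcap | grep -E …` can be `grep -E … p0.pcap`, and `2>&1 1>/dev/null` routes grep's stderr to stdout rather than discarding it, which is probably not what was intended.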
@@ -1,3 +1,5 @@
 remove-include-debian-automake.mk.patch
 py3-compat.patch
 CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
+CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch
+CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch