* CVE-2022-4337 & CVE-2022-4338: Out-of-Bounds Read and Integer Underflow in

    Organization Specific TLV. Added upstream patches (Closes: #1027273).

diff --git a/debian/changelog b/debian/changelog
index b9f5afb50a4e14c78474ee54a60188ff4adda59e..44b1ecd198f0d0e34c20e27a96f67872badb2ebc 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 openvswitch (2.15.0+ds1-2+deb11u2) bullseye; urgency=medium
 
   * Fix ovs-dpctl-top by removing 3 wrong hunks in py3-compat.patch.
+  * CVE-2022-4337 & CVE-2022-4338: Out-of-Bounds Read and Integer Underflow in
+    Organization Specific TLV. Added upstream patches (Closes: #1027273).
 
  -- Thomas Goirand <zigo@debian.org>  Mon, 03 Oct 2022 12:59:27 +0200
 

diff --git a/debian/patches/CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch b/debian/patches/CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch
new file mode 100644 (file)
index 0000000..d328112
--- /dev/null
+++ b/debian/patches/CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch
@@ -0,0 +1,29 @@
+Description: CVE-2022-4337 CVE-2022-4338 fix bugs when parsing malformed LLDP packets
+Author: cq <cq674350529@163.com>
+Date: Tue, 22 Nov 2022 11:05:03 +0800
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Signed-off-by: Qian Chen <cq674350529@163.com>
+Bug-Debian: https://bugs.debian.org/1027273
+Origin: upstream, https://github.com/openvswitch/ovs/commit/48b21e2b511a4d1ee5871e04fffe26a3ecc967dc.patch
+Last-Update: 2023-01-03
+
+Index: openvswitch/lib/lldp/lldp.c
+===================================================================
+--- openvswitch.orig/lib/lldp/lldp.c
++++ openvswitch/lib/lldp/lldp.c
+@@ -581,6 +581,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED
+ 
+                 switch(tlv_subtype) {
+                 case LLDP_TLV_AA_ELEMENT_SUBTYPE:
++                    CHECK_TLV_SIZE(50, "ELEMENT");
+                     PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+ 
+                     aa_element_dword = PEEK_UINT32;
+@@ -627,6 +628,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED
+                     break;
+ 
+                 case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE:
++                    CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS");
+                     PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+ 
+                     /* Subtract off tlv type and length (2Bytes) + OUI (3B) +

diff --git a/debian/patches/CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch b/debian/patches/CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch
new file mode 100644 (file)
index 0000000..e5f89ee
--- /dev/null
+++ b/debian/patches/CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch
@@ -0,0 +1,47 @@
+Description: CVE-2022-4337 CVE-2022-4338 Add a unit test for LLDP
+Author: cq <cq674350529@163.com>
+Date: Thu, 1 Dec 2022 11:45:20 +0800
+Signed-off-by: Qian Chen <cq674350529@163.com>
+Bug-Debian: https://bugs.debian.org/1027273
+Origin: upstream, https://github.com/openvswitch/ovs/commit/e00600a8892dc9e245222e1de0b12fff186aaeda.patch
+Last-Update: 2023-01-03
+
+Index: openvswitch/tests/system-traffic.at
+===================================================================
+--- openvswitch.orig/tests/system-traffic.at
++++ openvswitch/tests/system-traffic.at
+@@ -6354,3 +6354,34 @@ OVS_WAIT_UNTIL([cat p2.pcap | egrep "0x0
+ 
+ OVS_TRAFFIC_VSWITCHD_STOP
+ AT_CLEANUP
++
++AT_SETUP([autoattach - malformed lldp])
++OVS_TRAFFIC_VSWITCHD_START()
++
++ADD_NAMESPACES(at_ns0)
++
++dnl Set up simple bridge port to receive lldp packets
++ADD_VETH(p0, at_ns0, br-auto, "172.31.1.1/24", "f6:b4:26:aa:5f:00")
++
++NETNS_DAEMONIZE([at_ns0], [tcpdump -l -n -xx -U -i p0 > p0.pcap], [tcpdump.pid])
++sleep 1
++
++dnl Enable lldp
++AT_CHECK([ovs-vsctl set interface ovs-p0 lldp:enable=true])
++
++dnl Send a malformed lldp packet
++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 01 80 c2 00 00 0e f6 b4 26 aa 5f 00 88 cc 02 07 04 f6 b4 26 aa 5f 00 04 03 05 76 32 06 02 00 78 0c 50 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 44 45 41 44 42 45 45 46 fe 05 00 04 0d 0c 01 00 00 >/dev/null])
++
++dnl Check the logs and autoattach rx statistics here
++dnl Check the expected lldp packet
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0000: *0180 *c200 *000e *f6b4 *26aa *5f00 *88cc *0207" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0010: *04f6 *b426 *aa5f *0004 *0305 *7632 *0602 *0078" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0020: *0c50 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0030: *4546 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0040: *4546 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0050: *4546 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0060: *4546 *4445 *4144 *4245 *4546 *4445 *4144 *4245" 2>&1 1>/dev/null])
++OVS_WAIT_UNTIL([cat p0.pcap | grep -E "0x0070: *4546 *fe05 *0004 *0d0c *0100 *00" 2>&1 1>/dev/null])
++
++OVS_TRAFFIC_VSWITCHD_STOP
++AT_CLEANUP

diff --git a/debian/patches/series b/debian/patches/series
index f8a605ce1f8368f711798d922c159fae88e0f57e..a86eae1a00fb84494dcde06507e7b34dca5c61ab 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
 remove-include-debian-automake.mk.patch
 py3-compat.patch
 CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
+CVE-2022-4337and8_1_fix_bugs_when_parsing_malformed_LLDP_packets.patch
+CVE-2022-4337and8_2_Add_a_unit_test_for_LLDP.patch