Browse code
Fix CVE-2017-9214, CVE-2017-9265
Change-Id: Ic2435bdd76a59d7e4b3392d8f4e4e875f3e7e8f3
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/2970
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Vinay Kulkarni authored on 2017/06/17 04:39:22Showing 4 changed files
- SPECS/ovs/OVS-CVE-2017-9214.patch
- SPECS/ovs/OVS-CVE-2017-9265.patch
- SPECS/ovs/openvswitch.spec
- SPECS/ovs/ovs-CVE-2017-9264.patch
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,20 @@ |
| 0 |
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de> |
|
| 1 |
+Signed-off-by: Ben Pfaff <blp at ovn.org> |
|
| 2 |
+--- |
|
| 3 |
+ lib/ofp-util.c | 2 +- |
|
| 4 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
|
| 5 |
+ |
|
| 6 |
+diff --git a/lib/ofp-util.c b/lib/ofp-util.c |
|
| 7 |
+index bdf89b6c3017..f05ca398c13e 100644 |
|
| 8 |
+--- a/lib/ofp-util.c |
|
| 9 |
+@@ -2610,7 +2610,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg, |
|
| 10 |
+ |
|
| 11 |
+ hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr); |
|
| 12 |
+ prop_len = ntohs(hdr->len); |
|
| 13 |
+- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
|
|
| 14 |
++ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
|
|
| 15 |
+ return OFPERR_OFPBRC_BAD_LEN; |
|
| 16 |
+ } |
|
| 17 |
+ |
|
| 18 |
+-- |
| 0 | 19 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,21 @@ |
| 0 |
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de> |
|
| 1 |
+Signed-off-by: Ben Pfaff <blp at ovn.org> |
|
| 2 |
+--- |
|
| 3 |
+ lib/ofp-util.c | 3 +++ |
|
| 4 |
+ 1 file changed, 3 insertions(+) |
|
| 5 |
+ |
|
| 6 |
+diff --git a/lib/ofp-util.c b/lib/ofp-util.c |
|
| 7 |
+index f05ca398c13e..46bc628d4191 100644 |
|
| 8 |
+--- a/lib/ofp-util.c |
|
| 9 |
+@@ -9581,6 +9581,9 @@ ofputil_pull_ofp15_group_mod(struct ofpbuf *msg, enum ofp_version ofp_version, |
|
| 10 |
+ } |
|
| 11 |
+ |
|
| 12 |
+ bucket_list_len = ntohs(ogm->bucket_array_len); |
|
| 13 |
++ if (bucket_list_len > msg->size) {
|
|
| 14 |
++ return OFPERR_OFPBRC_BAD_LEN; |
|
| 15 |
++ } |
|
| 16 |
+ error = ofputil_pull_ofp15_buckets(msg, bucket_list_len, ofp_version, |
|
| 17 |
+ gm->type, &gm->buckets); |
|
| 18 |
+ if (error) {
|
|
| 19 |
+-- |
| ... | ... |
@@ -3,7 +3,7 @@ |
| 3 | 3 |
Summary: Open vSwitch daemon/database/utilities |
| 4 | 4 |
Name: openvswitch |
| 5 | 5 |
Version: 2.7.0 |
| 6 |
-Release: 3%{?dist}
|
|
| 6 |
+Release: 4%{?dist}
|
|
| 7 | 7 |
License: ASL 2.0 and LGPLv2+ |
| 8 | 8 |
URL: http://www.openvswitch.org/ |
| 9 | 9 |
Group: System Environment/Daemons |
| ... | ... |
@@ -11,8 +11,9 @@ Vendor: VMware, Inc. |
| 11 | 11 |
Distribution: Photon |
| 12 | 12 |
|
| 13 | 13 |
Source0: http://openvswitch.org/releases/%{name}-%{version}.tar.gz
|
| 14 |
-Patch0: ovs-CVE-2017-9264.patch |
|
| 15 | 14 |
%define sha1 openvswitch=0f324ccfe52ae84a2b102a7f2db1411f4debacf6 |
| 15 |
+Patch0: OVS-CVE-2017-9214.patch |
|
| 16 |
+Patch1: OVS-CVE-2017-9265.patch |
|
| 16 | 17 |
|
| 17 | 18 |
BuildRequires: gcc >= 4.0.0 |
| 18 | 19 |
BuildRequires: libcap-ng |
| ... | ... |
@@ -72,6 +73,7 @@ It contains the documentation and manpages for openvswitch. |
| 72 | 72 |
%prep |
| 73 | 73 |
%setup -q |
| 74 | 74 |
%patch0 -p1 |
| 75 |
+%patch1 -p1 |
|
| 75 | 76 |
|
| 76 | 77 |
%build |
| 77 | 78 |
./configure \ |
| ... | ... |
@@ -167,6 +169,8 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
|
| 167 | 167 |
%{_mandir}/man8/vtep-ctl.8.gz
|
| 168 | 168 |
|
| 169 | 169 |
%changelog |
| 170 |
+* Fri Jun 16 2017 Vinay Kulkarni <kulkarniv@vmware.com> 2.7.0-4 |
|
| 171 |
+- Fix CVE-2017-9214, CVE-2017-9265 |
|
| 170 | 172 |
* Mon Jun 12 2017 Vinay Kulkarni <kulkarniv@vmware.com> 2.7.0-3 |
| 171 | 173 |
- Fix CVE-2017-9264 |
| 172 | 174 |
* Tue May 23 2017 Xiaolin Li <xiaolinl@vmware.com> 2.7.0-2 |
| 173 | 175 |
deleted file mode 100644 |
| ... | ... |
@@ -1,47 +0,0 @@ |
| 1 |
-Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de> |
|
| 2 |
-Signed-off-by: Ben Pfaff <blp at ovn.org> |
|
| 3 |
- lib/conntrack.c | 14 ++++++++++++-- |
|
| 4 |
- 1 file changed, 12 insertions(+), 2 deletions(-) |
|
| 5 |
- |
|
| 6 |
-diff --git a/lib/conntrack.c b/lib/conntrack.c |
|
| 7 |
-index 9bea3d93e4ad..9c1dd63648b8 100644 |
|
| 8 |
-+++ b/lib/conntrack.c |
|
| 9 |
-@@ -568,6 +568,10 @@ extract_l3_ipv6(struct conn_key *key, const void *data, size_t size, |
|
| 10 |
- const char **new_data) |
|
| 11 |
- {
|
|
| 12 |
- const struct ovs_16aligned_ip6_hdr *ip6 = data; |
|
| 13 |
-+ if (size < sizeof *ip6) {
|
|
| 14 |
-+ return false; |
|
| 15 |
-+ } |
|
| 16 |
-+ |
|
| 17 |
- uint8_t nw_proto = ip6->ip6_nxt; |
|
| 18 |
- uint8_t nw_frag = 0; |
|
| 19 |
- |
|
| 20 |
-@@ -623,8 +627,11 @@ check_l4_tcp(const struct conn_key *key, const void *data, size_t size, |
|
| 21 |
- const void *l3) |
|
| 22 |
- {
|
|
| 23 |
- const struct tcp_header *tcp = data; |
|
| 24 |
-- size_t tcp_len = TCP_OFFSET(tcp->tcp_ctl) * 4; |
|
| 25 |
-+ if (size < sizeof *tcp) {
|
|
| 26 |
-+ return false; |
|
| 27 |
-+ } |
|
| 28 |
- |
|
| 29 |
-+ size_t tcp_len = TCP_OFFSET(tcp->tcp_ctl) * 4; |
|
| 30 |
- if (OVS_UNLIKELY(tcp_len < TCP_HEADER_LEN || tcp_len > size)) {
|
|
| 31 |
- return false; |
|
| 32 |
- } |
|
| 33 |
-@@ -637,8 +644,11 @@ check_l4_udp(const struct conn_key *key, const void *data, size_t size, |
|
| 34 |
- const void *l3) |
|
| 35 |
- {
|
|
| 36 |
- const struct udp_header *udp = data; |
|
| 37 |
-- size_t udp_len = ntohs(udp->udp_len); |
|
| 38 |
-+ if (size < sizeof *udp) {
|
|
| 39 |
-+ return false; |
|
| 40 |
-+ } |
|
| 41 |
- |
|
| 42 |
-+ size_t udp_len = ntohs(udp->udp_len); |
|
| 43 |
- if (OVS_UNLIKELY(udp_len < UDP_HEADER_LEN || udp_len > size)) {
|
|
| 44 |
- return false; |
|
| 45 |
- } |