Your message dated Sat, 18 Dec 2021 11:36:17 +0000
with message-id 
<f35b13da0620aab462a587a3d6f06f29a527c6c9.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for changes included in 11.2
has caused the Debian Bug report #999673,
regarding bullseye-pu: package lldpd/1.0.11-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
999673: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999673
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[ Reason ]

- - Low-severity security issue when receiving SONMP packets.
  CVE-2021-43612

- - Annoying bug where LLDP packets are encapsulated in VLAN 0 when some
  configuration directives are used. Many implementations reject such
  a packet (regression introduced in 1.0.6)

[ Impact ]

- - Someone could crash lldpd from another neighbor if the user enables
  SONMP (quite unlikely).

- - People cannot use some configuration directives.

[ Tests ]

- - Both codes are covered by tests in upstream. The SONMP tests are run
  during build as well. The VLAN 0 test is not run during build.

[ Risks ]

- - For SONMP, low risk as it is seldom used and correctly formed
  packets are part of the tests run during build.

- - For VLAN 0, the change is trivial, tested upstream and reported OK by two
  users.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

- - SONMP: there was a confusion about the size of a packet. The same
  variable was used for the payload size and for checking the size
  with Ethernet headers.

- - VLAN 0: when changing some settings, a struct containing the changed
  settings is transmitted. -1 was used to say "no change" but it was
  interpreted as a change.

[ Other info ]

- - Security team is OK to fix the security issue in a point release.

- - I don't think it is worth fixing the SONMP issue in Buster, but I
  can do that too. The VLAN issue is not present.


From d70b8be04c6d8638e6f2cd612a07e73992fa0798 Mon Sep 17 00:00:00 2001
From: Vincent Bernat <ber...@debian.org>
Date: Sun, 14 Nov 2021 15:42:12 +0100
Subject: [PATCH] Tentative security update for Bullseye

---
 debian/changelog                              |  8 ++
 ...et-VLAN-tag-if-client-did-not-set-it.patch | 27 ++++++
 ...-overflow-when-reading-SONMP-packets.patch | 93 +++++++++++++++++++
 debian/patches/series                         |  2 +
 4 files changed, 130 insertions(+)
 create mode 100644 
debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
 create mode 100644 
debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch

diff --git a/debian/changelog b/debian/changelog
index bb87d8129f9e..68ae7b91d22d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lldpd (1.0.12-1+deb11u1) bullseye; urgency=high
+
+  * d/patches: sonmp: fix heap overflow when reading SONMP packets.
+    CVE-2021-43612
+  * d/patches: client: do not set VLAN tag if client did not set it
+
+ -- Vincent Bernat <ber...@debian.org>  Sun, 14 Nov 2021 15:41:59 +0100
+
 lldpd (1.0.12-1) unstable; urgency=medium
 
   * New upstream release.
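
Review bot: The new changelog entry is versioned 1.0.12-1+deb11u1 and sits directly on top of the 1.0.12-1 unstable entry, while the request is filed as bullseye-pu for lldpd/1.0.11-1. A stable update is normally built from the version already in the suite, so please confirm the base and the version string (1.0.11-1+deb11u1 if the upload is based on 1.0.11-1). The entry also uses urgency=high for an issue the request itself describes as low severity; consider matching the urgency to that assessment.
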
diff --git 
a/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch 
b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
new file mode 100644
index 000000000000..1f65986ae27e
--- /dev/null
+++ 
b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
@@ -0,0 +1,27 @@
+From 261afbe371ab316a4bf710338f6d9183a01e083f Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vinc...@bernat.ch>
+Date: Wed, 29 Sep 2021 12:02:15 +0200
+Subject: [PATCH] client: do not set VLAN tag if client did not set it
+
+This fixes a bug where frames could be tagged with VLAN 0 after client
+configuration.
+---
+ src/daemon/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/client.c b/src/daemon/client.c
+index b4a08aae80a8..0d0f3ea37a19 100644
+--- a/src/daemon/client.c
++++ b/src/daemon/client.c
+@@ -390,7 +390,7 @@ _client_handle_set_port(struct lldpd *cfg,
+               port->p_disable_rx = port->p_disable_tx = 1;
+               break;
+       }
+-      if (set->vlan_tx_enabled >= -1) {
++      if (set->vlan_tx_enabled > -1) {
+               port->p_vlan_tx_enabled = set->vlan_tx_enabled;
+               port->p_vlan_tx_tag = set->vlan_tx_tag;
+       }
+-- 
+2.33.1
+
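
Review bot: In the _client_handle_set_port hunk, the corrected test `set->vlan_tx_enabled > -1` still depends on an undocumented magic value, and any value below -1 is silently treated as "no change" as well. Consider writing it as `>= 0` with a short comment that -1 means the client did not set the field, or using a named constant shared with the sender, so the off-by-one fixed here is harder to reintroduce. The body also copies set->vlan_tx_tag with no range check visible in this context; worth confirming it is validated elsewhere. The request notes that the VLAN 0 test is not run during the build, so this path has no build-time coverage in the package.
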
diff --git 
a/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch 
b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
new file mode 100644
index 000000000000..c06689987c34
--- /dev/null
+++ 
b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
@@ -0,0 +1,93 @@
+From 73d42680fce8598324364dbb31b9bc3b8320adf7 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vinc...@bernat.ch>
+Date: Sun, 19 Sep 2021 21:18:47 +0200
+Subject: [PATCH] sonmp: fix heap overflow when reading SONMP packets
+
+By sending short SONMP packets, an attacker can make the decoder crash
+by reading too much data on the heap. SONMP packets are fixed in size,
+just ensure we get the enough bytes to contain a SONMP packet.
+
+CVE-2021-43612
+---
+ NEWS                         |  2 ++
+ src/daemon/protocols/sonmp.c |  2 +-
+ src/daemon/protocols/sonmp.h |  2 +-
+ tests/check_sonmp.c          | 10 +++++-----
+ 4 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index 41dcf6aa412d..f8f12469e28a 100644
+--- a/src/daemon/protocols/sonmp.c
++++ b/src/daemon/protocols/sonmp.c
+@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+ 
+       length = s;
+       pos = (u_int8_t*)frame;
+-      if (length < SONMP_SIZE) {
++      if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
+               log_warnx("sonmp", "too short SONMP frame received on %s", 
hardware->h_ifname);
+               goto malformed;
+       }
+diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
+index 0e60106dae63..ff7a720f0b5d 100644
+--- a/src/daemon/protocols/sonmp.h
++++ b/src/daemon/protocols/sonmp.h
+@@ -24,7 +24,7 @@
+ #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
+ #define LLC_PID_SONMP_HELLO 0x01a2
+ #define LLC_PID_SONMP_FLATNET 0x01a1
+-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8)
++#define SONMP_SIZE 19
+ 
+ struct sonmp_chassis {
+       int type;
+diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c
+index 8c7a208fffc1..b25f0e2fbb88 100644
+--- a/tests/check_sonmp.c
++++ b/tests/check_sonmp.c
+@@ -33,7 +33,7 @@ START_TEST (test_send_sonmp)
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol
+       */
+       char pkt1[] = {
+               0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10,
+-              0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++              0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+               0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11,
+               0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+               0x01 };
+       char pkt2[] = {
+               0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10,
+-              0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++              0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+               0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11,
+               0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+               0x01 };
+@@ -99,7 +99,7 @@ Nortel Networks / SynOptics Network Management Protocol
+       chassis.c_id_len = ETHER_ADDR_LEN;
+       TAILQ_INIT(&chassis.c_mgmt);
+       addr = inet_addr("172.17.142.37");
+-      mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, 
++      mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4,
+                               &addr, sizeof(in_addr_t), 0);
+       if (mgmt == NULL)
+               ck_abort();
+-- 
+2.33.1
+
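
Review bot: The tests/check_sonmp.c changes only adjust the Length field (0x16 to 0x13) of the two well-formed frames; no test feeds a truncated frame to sonmp_decode, so the new bound in sonmp.c is never exercised on the reject path. pkt1 and pkt2 are 33 bytes, which is exactly SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t) assuming ETHER_ADDR_LEN is 6, so a 32-byte copy expected to hit "too short SONMP frame" would pin the boundary. In sonmp.h, `#define SONMP_SIZE 19` would benefit from a comment saying which fields make up the 19 bytes and that the Ethernet header is excluded, since the request attributes the bug to confusion between the payload size and the size with Ethernet headers. The diffstat lists NEWS (2 ++) but no NEWS hunk is present in this patch file; if it was dropped on purpose for the Debian patch, a line in the patch header saying so would help.
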
diff --git a/debian/patches/series b/debian/patches/series
index 66ab5767af9a..f3ba6553bd59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 0001-build-put-ZSH-completion-in-vendor-completions.patch
+0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
+0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
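
Review bot: Both added entries reuse the 0001- prefix already carried by 0001-build-put-ZSH-completion-in-vendor-completions.patch, so three patches in series now share one number and the prefix no longer reflects apply order. Renumbering them (0002-, 0003-) or dropping the numeric prefix would make the series easier to read; the order in this file is what decides application.
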
-- 
2.33.1


--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.2

Hi,

All of the updates referred to by these bugs were included in this
morning's bullseye point release.

Regards,

Adam

--- End Message ---
