
Bug#802942: marked as done (jessie-pu: package lldpd/0.7.11-2)



Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #802942,
regarding jessie-pu: package lldpd/0.7.11-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
802942: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802942
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

I would like to push the attached patch to jessie-pu to fix some
security problems present in lldpd: lldpd can crash when receiving
malformed LLDP management addresses. I have been in contact with the
security team and they think a stable update is good enough. Patches
come from upstream.

I will also have to upload an update for wheezy which is affected as
well. Should I use this same bug number or open a new one?

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/debian/changelog b/debian/changelog
index f3e44f04b0e6..f9097375eee4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+lldpd (0.7.11-2+deb8u1) jessie; urgency=medium
+
+  * Fix a segfault when receiving incorrectly formed LLDP management
+    addresses:
+     - 0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
+  * Fix an assert error when receiving incorrectly formed LLDP management
+    addresses:
+     - 0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
+
+ -- Vincent Bernat <bernat@debian.org>  Sun, 25 Oct 2015 13:20:22 +0100
+
 lldpd (0.7.11-2) unstable; urgency=medium
 
   * Cherry-pick 0001-lib-fix-pkgconfig-file-substitutions.patch to fix
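Review bot: The first bullet of the 0.7.11-2+deb8u1 entry says "segfault" although the patch it names is a buffer overflow fix, and neither bullet says the malformed management address arrives from a remote device. For a stable update, suggest naming the overflow and the remote trigger in the entry so administrators can judge how urgently to apply it.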
diff --git a/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
new file mode 100644
index 000000000000..ee73682ad2a2
--- /dev/null
+++ b/debian/patches/0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
@@ -0,0 +1,36 @@
+From 805fbe5f18ef170c63aa2e529acf92c95d3b83b1 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.im>
+Date: Sun, 4 Oct 2015 01:50:38 +0200
+Subject: [PATCH 1/2] lldp: fix a buffer overflow when handling management
+ address TLV
+
+When a remote device was advertising a too large management address
+while still respecting TLV boundaries, lldpd would crash due to a buffer
+overflow. However, the buffer being a static one, this buffer overflow
+is not exploitable if hardening was not disabled. This bug exists since
+version 0.5.6.
+---
+ src/daemon/lldp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c
+index ae01ccc5078a..cc3585623476 100644
+--- a/src/daemon/lldp.c
++++ b/src/daemon/lldp.c
+@@ -625,7 +625,12 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
+ 		case LLDP_TLV_MGMT_ADDR:
+ 			CHECK_TLV_SIZE(1, "Management address");
+ 			addr_str_length = PEEK_UINT8;
+-			CHECK_TLV_SIZE(addr_str_length, "Management address");
++			if (addr_str_length > sizeof(addr_str_buffer)) {
++				log_warnx("lldp", "too large management address on %s",
++				    hardware->h_ifname);
++				goto malformed;
++			}
++			CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
+ 			PEEK_BYTES(addr_str_buffer, addr_str_length);
+ 			addr_length = addr_str_length - 1;
+ 			addr_family = addr_str_buffer[0];
+-- 
+2.6.2
+
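Review bot: In the LLDP_TLV_MGMT_ADDR case of lldp_decode, the new test bounds addr_str_length from above only; nothing in the lines shown rejects a length of zero. With addr_str_length == 0, PEEK_BYTES copies nothing, `addr_length = addr_str_length - 1` drops below zero (or wraps, depending on the type), and `addr_family = addr_str_buffer[0]` reads a byte this frame never wrote. Suggest folding a lower bound into the same condition, for example `if (addr_str_length < 1 || addr_str_length > sizeof(addr_str_buffer))`, unless a check outside this hunk already covers it.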
diff --git a/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
new file mode 100644
index 000000000000..ad61ea2904c6
--- /dev/null
+++ b/debian/patches/0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch
@@ -0,0 +1,135 @@
+From 18d81c30e6bc2f2c6b6e591c10893b9cd6f227aa Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.im>
+Date: Sun, 4 Oct 2015 02:24:29 +0200
+Subject: [PATCH 2/2] protocols: don't use assert on paths that can be reached
+
+Malformed packets should not make lldpd crash. Ensure we can handle them
+by not using assert() in this part.
+---
+ src/daemon/cdp.c   | 10 +++++++---
+ src/daemon/edp.c   |  1 -
+ src/daemon/lldp.c  | 14 ++++++++------
+ src/daemon/lldpd.c |  1 -
+ src/daemon/sonmp.c |  8 +++++---
+ 5 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/src/daemon/cdp.c b/src/daemon/cdp.c
+index 4974b00eecbf..c78d64b1f01c 100644
+--- a/src/daemon/cdp.c
++++ b/src/daemon/cdp.c
+@@ -25,7 +25,6 @@
+ #include <unistd.h>
+ #include <errno.h>
+ #include <arpa/inet.h>
+-#include <assert.h>
+ 
+ static int
+ cdp_send(struct lldpd *global,
+@@ -437,8 +436,13 @@ cdp_decode(struct lldpd *cfg, char *frame, int s,
+ 						mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, &addr, 
+ 									sizeof(struct in_addr), 0);
+ 						if (mgmt == NULL) {
+-							assert(errno == ENOMEM);
+-							log_warn("cdp", "unable to allocate memory for management address");
++							if (errno == ENOMEM)
++								log_warn("cdp",
++								    "unable to allocate memory for management address");
++							else
++								log_warn("cdp",
++								    "too large management address received on %s",
++								    hardware->h_ifname);
+ 							goto malformed;
+ 						}
+ 						TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries);
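Review bot: The new else branch in cdp_decode reports the oversize case with log_warn, whereas patch 1/2 uses log_warnx for the same condition in lldp_decode. Assuming log_warn appends the errno text, as its use on the ENOMEM path suggests, the "too large management address" message will end with an error string that adds nothing. Suggest log_warnx in the else branch so both patches log this condition the same way.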
+diff --git a/src/daemon/edp.c b/src/daemon/edp.c
+index 106d9f6387bc..bf60e4d92363 100644
+--- a/src/daemon/edp.c
++++ b/src/daemon/edp.c
+@@ -25,7 +25,6 @@
+ #include <errno.h>
+ #include <arpa/inet.h>
+ #include <fnmatch.h>
+-#include <assert.h>
+ 
+ static int seq = 0;
+ 
+diff --git a/src/daemon/lldp.c b/src/daemon/lldp.c
+index cc3585623476..367655c983bd 100644
+--- a/src/daemon/lldp.c
++++ b/src/daemon/lldp.c
+@@ -20,7 +20,6 @@
+ 
+ #include <unistd.h>
+ #include <errno.h>
+-#include <assert.h>
+ #include <time.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+@@ -151,7 +150,7 @@ lldp_send(struct lldpd *global,
+ 	/* Management addresses */
+ 	TAILQ_FOREACH(mgmt, &chassis->c_mgmt, m_entries) {
+ 		proto = lldpd_af_to_lldp_proto(mgmt->m_family);
+-		assert(proto != LLDP_MGMT_ADDR_NONE);
++		if (proto == LLDP_MGMT_ADDR_NONE) continue;
+ 		if (!(
+ 			  POKE_START_LLDP_TLV(LLDP_TLV_MGMT_ADDR) &&
+ 			  /* Size of the address, including its type */
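Review bot: In lldp_send, the `continue` taken when proto == LLDP_MGMT_ADDR_NONE drops that management address from the outgoing frame without leaving any trace. The removed assert at least made the unsupported family visible; a low-severity log line naming mgmt->m_family would keep that visibility without aborting the daemon. The commit message speaks only of malformed received packets, so it is also worth a sentence there on why the send path is touched.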
+@@ -648,10 +647,13 @@ lldp_decode(struct lldpd *cfg, char *frame, int s,
+ 				iface = 0;
+ 			mgmt = lldpd_alloc_mgmt(af, addr_ptr, addr_length, iface);
+ 			if (mgmt == NULL) {
+-				assert(errno == ENOMEM);
+-				log_warn("lldp", "unable to allocate memory "
+-							"for management address");
+-						goto malformed;
++				if (errno == ENOMEM)
++					log_warn("lldp", "unable to allocate memory "
++					    "for management address");
++				else
++					log_warn("lldp", "too large management address "
++					    "received on %s", hardware->h_ifname);
++				goto malformed;
+ 			}
+ 			TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries);
+ 			break;
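Review bot: In lldp_decode, the mgmt == NULL branch now treats every errno other than ENOMEM as "too large management address". That is correct only if oversize is the sole other way lldpd_alloc_mgmt can fail and it always sets errno before returning NULL. Suggest testing for the specific errno the allocator sets for an oversized address and keeping a generic message as the final else, so a future failure mode is not logged under the wrong cause.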
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index 10c5ed791926..c659bfe69abd 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -195,7 +195,6 @@ lldpd_alloc_mgmt(int family, void *addrptr, size_t addrsize, u_int32_t iface)
+ 		return NULL;
+ 	}
+ 	mgmt->m_family = family;
+-	assert(addrsize <= LLDPD_MGMT_MAXADDRSIZE);
+ 	memcpy(&mgmt->m_addr, addrptr, addrsize);
+ 	mgmt->m_addrsize = addrsize;
+ 	mgmt->m_iface = iface;
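Review bot: In lldpd_alloc_mgmt, removing `assert(addrsize <= LLDPD_MGMT_MAXADDRSIZE)` leaves the memcpy into mgmt->m_addr with no bound on addrsize in the lines shown. The callers' new else branches assume this function returns NULL with errno set for an oversized address, so that runtime check needs to exist earlier in the function. If it does not, replace the assert with an explicit size test that sets errno and returns NULL before the memcpy, rather than only deleting it.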
+diff --git a/src/daemon/sonmp.c b/src/daemon/sonmp.c
+index 30930cb34093..b55d73b7a59b 100644
+--- a/src/daemon/sonmp.c
++++ b/src/daemon/sonmp.c
+@@ -24,7 +24,6 @@
+ #include <unistd.h>
+ #include <errno.h>
+ #include <arpa/inet.h>
+-#include <assert.h>
+ 
+ static struct sonmp_chassis sonmp_chassis_types[] = {
+ 	{1, "unknown (via SONMP)"},
+@@ -358,8 +357,11 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+ 	}
+ 	mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, &address, sizeof(struct in_addr), 0);
+ 	if (mgmt == NULL) {
+-		assert(errno == ENOMEM);
+-		log_warn("sonmp", "unable to allocate memory for management address");
++		if (errno == ENOMEM)
++			log_warn("sonmp", "unable to allocate memory for management address");
++		else
++			log_warn("sonmp", "too large management address received on %s",
++			    hardware->h_ifname);
+ 		goto malformed;
+ 	}
+ 	TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries);
+-- 
+2.6.2
+
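Review bot: In sonmp_decode (and likewise in cdp_decode), lldpd_alloc_mgmt is called with the constant size `sizeof(struct in_addr)`, so the new "too large management address received on %s" branch describes a cause that the frame contents cannot produce at this call site. Suggest a generic failure message for the non-ENOMEM case in these two decoders and reserving the "too large" wording for lldp_decode, where the length comes from the packet.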
diff --git a/debian/patches/series b/debian/patches/series
index be92513c17cf..98a44eae6655 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 0001-systemd-fix-systemd-unit-file.patch
 0001-lib-fix-pkgconfig-file-substitutions.patch
+0001-lldp-fix-a-buffer-overflow-when-handling-management-.patch
+0002-protocols-don-t-use-assert-on-paths-that-can-be-reac.patch

--- End Message ---
--- Begin Message ---
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
