Bug#924544: unblock: CVE-2019-9735: neutron/13.0.2-13
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team,
CVE-2019-9735 was discovered against Neutron. I've applied the upstream
patch and rebuilt the package. The debdiff is attached. It also includes
a quick fix for the compatibility with SQLAlchemy 1.3.1, which Piotr
would like to upload and see migrate to Buster.
Debdiff is attached.
Please unblock neutron/13.0.2-13 ASAP to fix this CVE bug.
Cheers,
Thomas Goirand (zigo)
diff -Nru neutron-13.0.2/debian/changelog neutron-13.0.2/debian/changelog
--- neutron-13.0.2/debian/changelog 2019-02-01 09:35:46.000000000 +0100
+++ neutron-13.0.2/debian/changelog 2019-03-14 00:13:45.000000000 +0100
@@ -1,3 +1,19 @@
+neutron (2:13.0.2-13) unstable; urgency=high
+
+ * CVE-2019-9735: it's possible to add a security group rule for VRRP with a
+ dport. Apply upstream patch: When converting sg rules to iptables, do not
+ emit dport if not supported. (Closes: #924508).
+
+ -- Thomas Goirand <zigo@debian.org> Thu, 14 Mar 2019 00:13:45 +0100
+
+neutron (2:13.0.2-12) unstable; urgency=medium
+
+ * Fix rootwrap patch to work against Python 3.7.
+ * Add Join_on_explcit_relationship_paths.patch, which adds compatibility
+ with SQLAlchemy >= 1.3.x (previously, adding a floating IP would fail).
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 13 Mar 2019 13:49:34 +0100
+
neutron (2:13.0.2-10) unstable; urgency=medium
* Fix reading [nova]/auth_url in config script.
diff -Nru neutron-13.0.2/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch neutron-13.0.2/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch
--- neutron-13.0.2/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch 1970-01-01 01:00:00.000000000 +0100
+++ neutron-13.0.2/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch 2019-03-14 00:13:45.000000000 +0100
@@ -0,0 +1,81 @@
+Description: CVE-2019-9735: When converting sg rules to iptables, do not emit dport if not supported
+ Since iptables-restore doesn't support --dport with protocol vrrp,
+ it errors out setting the security groups on the hypervisor.
+ .
+ Marking this a partial fix, since we need a change to prevent
+ adding those incompatible rules in the first place, but this
+ patch will stop the bleeding.
+From: Doug Wiegley <dwiegley@salesforce.com>
+Date: Sat, 2 Mar 2019 22:35:52 -0700
+Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f
+Bug-Debian: https://bugs.debian.org/924508
+Bug-Ubuntu: https://bugs.launchpad.net/neutron/+bug/1818385
+Origin: upstream, https://review.openstack.org/#/c/640685/
+Last-Update: 2019-03-15
+
+diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
+index 496376d..5fb9740 100644
+--- a/neutron/agent/linux/iptables_firewall.py
++++ b/neutron/agent/linux/iptables_firewall.py
+@@ -46,6 +46,15 @@ IPSET_DIRECTION = {constants.INGRESS_DIRECTION: 'src',
+ comment_rule = iptables_manager.comment_rule
+ libc = ctypes.CDLL(util.find_library('libc.so.6'))
+
++# iptables protocols that support --dport and --sport
++IPTABLES_PORT_PROTOCOLS = [
++ constants.PROTO_NAME_DCCP,
++ constants.PROTO_NAME_SCTP,
++ constants.PROTO_NAME_TCP,
++ constants.PROTO_NAME_UDP,
++ constants.PROTO_NAME_UDPLITE
++]
++
+
+ def get_hybrid_port_name(port_name):
+ return (constants.TAP_DEVICE_PREFIX + port_name)[:n_const.LINUX_DEV_LEN]
+@@ -731,11 +740,12 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
+ # icmp code can be 0 so we cannot use "if port_range_max" here
+ if port_range_max is not None:
+ args[-1] += '/%s' % port_range_max
+- elif port_range_min == port_range_max:
+- args += ['--%s' % direction, '%s' % (port_range_min,)]
+- else:
+- args += ['-m', 'multiport', '--%ss' % direction,
+- '%s:%s' % (port_range_min, port_range_max)]
++ elif protocol in IPTABLES_PORT_PROTOCOLS:
++ if port_range_min == port_range_max:
++ args += ['--%s' % direction, '%s' % (port_range_min,)]
++ else:
++ args += ['-m', 'multiport', '--%ss' % direction,
++ '%s:%s' % (port_range_min, port_range_max)]
+ return args
+
+ def _ip_prefix_arg(self, direction, ip_prefix):
+diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+index d7268bc..7ab8a0a 100644
+--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
++++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+@@ -276,6 +276,20 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
+ egress = None
+ self._test_prepare_port_filter(rule, ingress, egress)
+
++ def test_filter_bad_vrrp_with_dport(self):
++ rule = {'ethertype': 'IPv4',
++ 'direction': 'ingress',
++ 'protocol': 'vrrp',
++ 'port_range_min': 10,
++ 'port_range_max': 10}
++ # Dest port isn't support with VRRP, so don't send it
++ # down to iptables.
++ ingress = mock.call.add_rule('ifake_dev',
++ '-p vrrp -j RETURN',
++ top=False, comment=None)
++ egress = None
++ self._test_prepare_port_filter(rule, ingress, egress)
++
+ def test_filter_ipv4_ingress_tcp_port_by_num(self):
+ rule = {'ethertype': 'IPv4',
+ 'direction': 'ingress',
+--
+cgit v1.1
+
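Review bot: The new `elif protocol in IPTABLES_PORT_PROTOCOLS:` branch drops the port range for every other protocol without any trace, so a rule stored as VRRP port 10 is rendered as `-p vrrp -j RETURN` and an operator reading the agent log cannot tell that the ports were ignored; the patch header itself calls this a partial fix because the API still accepts such rules. Add an `else:` branch that logs it, assuming the module logger `LOG` is in scope as elsewhere in iptables_firewall.py: `else:` / `LOG.warning("Ignoring port range %s:%s for protocol %s: iptables has no port match for it", port_range_min, port_range_max, protocol)`. The membership test also only works if `protocol` has already been normalized to an iptables protocol name rather than a number at the top of `_port_arg`, which starts outside the hunk and should be confirmed. As a point of style, `IPTABLES_PORT_PROTOCOLS` is used only for `in` tests and reads more naturally as a `frozenset`. The added unit test covers only an IPv4 ingress rule; an egress and an IPv6 case would pin the same behaviour for the other code paths.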
diff -Nru neutron-13.0.2/debian/patches/Join_on_explcit_relationship_paths.patch neutron-13.0.2/debian/patches/Join_on_explcit_relationship_paths.patch
--- neutron-13.0.2/debian/patches/Join_on_explcit_relationship_paths.patch 1970-01-01 01:00:00.000000000 +0100
+++ neutron-13.0.2/debian/patches/Join_on_explcit_relationship_paths.patch 2019-03-14 00:13:45.000000000 +0100
@@ -0,0 +1,25 @@
+From: Mike Bayer <mike_mp@zzzcomputing.com>
+Subject: Join on explcit relationship paths
+ The join() in get_router_for_floatingip() is joining from entity
+ to entity without an explicit ON clause which creates an ambiguous
+ situation. SQLAlchemy 1.3 guards against this now, so use the
+ real relationship-bound path so that the ORM does not need to guess.
+Date: Fri, 8 Mar 2019 14:09:14 -0500
+Closes-bug: #1819260
+Change-Id: Ia377a9d1a32a78abdaee74c79e395acd77e486ef
+Origin: upstream, https://review.openstack.org/#/c/642117/
+Last-Update: 2019-03-13
+
+Index: neutron/neutron/db/l3_db.py
+===================================================================
+--- neutron.orig/neutron/db/l3_db.py
++++ neutron/neutron/db/l3_db.py
+@@ -1137,7 +1137,7 @@ class L3_NAT_dbonly_mixin(l3.RouterPlugi
+ # TODO(lujinluo): Need IPAllocation and Port object
+ routerport_qry = context.session.query(
+ RouterPort.router_id, models_v2.IPAllocation.ip_address).join(
+- models_v2.Port, models_v2.IPAllocation).filter(
++ RouterPort.port, models_v2.Port.fixed_ips).filter(
+ models_v2.Port.network_id == internal_port['network_id'],
+ RouterPort.port_type.in_(constants.ROUTER_INTERFACE_OWNERS),
+ models_v2.IPAllocation.subnet_id == internal_subnet['id']
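Review bot: The rewritten `.join(RouterPort.port, models_v2.Port.fixed_ips)` is only equivalent to the old implicit `join(models_v2.Port, models_v2.IPAllocation)` if those two relationship paths produce the same ON clauses SQLAlchemy < 1.3 used to infer, and the later filter on `models_v2.IPAllocation.subnet_id` presumes `Port.fixed_ips` targets `IPAllocation`; the debdiff adds no test around `get_router_for_floatingip`, so the change is verified only by the SQLAlchemy 1.3 error going away. A unit test that associates a floating IP with a router interface port and asserts the returned router id would pin this for both SQLAlchemy versions. The enclosing method starts and ends outside the hunk. Note also the typo "explcit" in the Subject line, which is repeated in the patch filename and the series entry.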
diff -Nru neutron-13.0.2/debian/patches/rootwrap-fix-for-neutron-fwaas.patch neutron-13.0.2/debian/patches/rootwrap-fix-for-neutron-fwaas.patch
--- neutron-13.0.2/debian/patches/rootwrap-fix-for-neutron-fwaas.patch 2019-02-01 09:35:46.000000000 +0100
+++ neutron-13.0.2/debian/patches/rootwrap-fix-for-neutron-fwaas.patch 2019-03-14 00:13:45.000000000 +0100
@@ -11,4 +11,4 @@
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
+
+# Added by Debian package maintainer, needed for neutron-fwaas
-+kill_keepalived_state_change: KillFilter, root, python3.6, -15, -9, -HUP
++kill_keepalived_state_change: KillFilter, root, python3.7, -15, -9, -HUP
diff -Nru neutron-13.0.2/debian/patches/series neutron-13.0.2/debian/patches/series
--- neutron-13.0.2/debian/patches/series 2019-02-01 09:35:46.000000000 +0100
+++ neutron-13.0.2/debian/patches/series 2019-03-14 00:13:45.000000000 +0100
@@ -1,3 +1,5 @@
flake8-legacy.patch
#remove-test_start_random_port_with_ipv6.patch
rootwrap-fix-for-neutron-fwaas.patch
+Join_on_explcit_relationship_paths.patch
+CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch