Bug#999673: bullseye-pu: package lldpd/1.0.11-1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#999673: bullseye-pu: package lldpd/1.0.11-1
From: Vincent Bernat <bernat@debian.org>
Date: Sun, 14 Nov 2021 19:21:06 +0100
Message-id: <[🔎] 163691406634.648493.3210558189659196139.reportbug@neo.luffy.cx>
Reply-to: Vincent Bernat <bernat@debian.org>, 999673@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[ Reason ]

- - Low-severity security issue when receiving SONMP packets.
  CVE-2021-43612

- - Annoying bug where LLDP packets are encapsulated in VLAN 0 when some
  configuration directives are used. Many implementations reject such
  a packet (regression introduced in 1.0.6)

[ Impact ]

- - Someone could crash lldpd from another neighbor if the user enables
  SONMP (quite unlikely).

- - People cannot use some configuration directives.

[ Tests ]

- - Both codes are covered by tests in upstream. The SONMP tests are run
  during build as well. The VLAN 0 test is not run during build.

[ Risks ]

- - For SONMP, low risk as it is seldomly used and correctly formed
  packets are part of the tests run during build.

- - For VLAN 0, the change is trivial, tested upstream and reported OK by two users.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

- - SONMP: there was a confusion about the size of a packet. The same
  variable was used for the payload size and for checking the size
  with Ethernet headers.

- - VLAN 0: when changing some settings, a struct containing the changed
  settings is transmitted. -1 was used to say "no change" but it was
  interpreted as a change.

[ Other info ]

- - Security team is OK to fix the security issue in a point release.

- - I don't think this is worth fixing the SONMP issue in Buster, but I
  can do that too. The VLAN issue is not present.


-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEErvI0h2bzccaJpzYAlaQv6DU1JfkFAmGRU44SHGJlcm5hdEBk
ZWJpYW4ub3JnAAoJEJWkL+g1NSX5++gP/jK+rA7DgjxgweFrlUezPB39QSg6wcmu
9YrUO8wyjSzZ0A51Gfh/afyJAKRKehy3tD/nWvrQumn5ZkYXMhVbock5zJbgnTmo
1ndd2CtIOlpdSceqmnxX83Qt5qj7yHLWCzyAYg+ujgO1Su/IrE6GwwWr3+OBJQdN
lwLrbDzIe+Xv+4sYLLhWjO1ApVHpJmLJYYywBWug6YkTa9hx1wixPGm76G1Z4tvc
312L+9uwJqdp85Nb8w29VgBx8nDOWZS54FaimnggmGk895beQdI4wUCGfrJ/Tqkt
K4emDeOUv5pUudDYNU98a0byf7Ahif+QVZLS0w9p32uHd7qtr1ZwkmhcO2I0W0jA
EWIC7PW3qyQqa8SrD068Sx9jEhCt69uJaQyDUV38DbCmNFjip4oK607XeLuh/WwC
R6TI3iMro3T03QSzyYyFvWLJpL0n/xHtoMb0UXWY+KE38uOQQ1Fdv3JkvxxI6q6Z
8FhpTYr1ONE9uj577aMj3bX9BkxdVKKjy48bLEkHhTd1KS/FOLpWMmnlRVNBAr8t
KDn09xcsxU+anIGunFwrATqH8sBFOqO0gvr+ylgyswQiW3L8WWM2uyG1+UoO/AeW
lwMHk+6WUuejhB/7PzA0Wcv5zfgkwahZRf2zN6ohON6IaVR6Pbn0+lSYU5rlramB
dsd1jEbkXZ36
=W7Cl
-----END PGP SIGNATURE-----

>From d70b8be04c6d8638e6f2cd612a07e73992fa0798 Mon Sep 17 00:00:00 2001
From: Vincent Bernat <bernat@debian.org>
Date: Sun, 14 Nov 2021 15:42:12 +0100
Subject: [PATCH] Tentative security update for Bullseye

---
 debian/changelog                              |  8 ++
 ...et-VLAN-tag-if-client-did-not-set-it.patch | 27 ++++++
 ...-overflow-when-reading-SONMP-packets.patch | 93 +++++++++++++++++++
 debian/patches/series                         |  2 +
 4 files changed, 130 insertions(+)
 create mode 100644 debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
 create mode 100644 debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch

diff --git a/debian/changelog b/debian/changelog
index bb87d8129f9e..68ae7b91d22d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lldpd (1.0.12-1+deb11u1) bullseye; urgency=high
+
+  * d/patches: sonmp: fix heap overflow when reading SONMP packets.
+    CVE-2021-43612
+  * d/patches: client: do not set VLAN tag if client did not set it
+
+ -- Vincent Bernat <bernat@debian.org>  Sun, 14 Nov 2021 15:41:59 +0100
+
 lldpd (1.0.12-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
new file mode 100644
index 000000000000..1f65986ae27e
--- /dev/null
+++ b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
@@ -0,0 +1,27 @@
+From 261afbe371ab316a4bf710338f6d9183a01e083f Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.ch>
+Date: Wed, 29 Sep 2021 12:02:15 +0200
+Subject: [PATCH] client: do not set VLAN tag if client did not set it
+
+This fixes a bug where frames could be tagged with VLAN 0 after client
+configuration.
+---
+ src/daemon/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/client.c b/src/daemon/client.c
+index b4a08aae80a8..0d0f3ea37a19 100644
+--- a/src/daemon/client.c
++++ b/src/daemon/client.c
+@@ -390,7 +390,7 @@ _client_handle_set_port(struct lldpd *cfg,
+ 		port->p_disable_rx = port->p_disable_tx = 1;
+ 		break;
+ 	}
+-	if (set->vlan_tx_enabled >= -1) {
++	if (set->vlan_tx_enabled > -1) {
+ 		port->p_vlan_tx_enabled = set->vlan_tx_enabled;
+ 		port->p_vlan_tx_tag = set->vlan_tx_tag;
+ 	}
+-- 
+2.33.1
+
diff --git a/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
new file mode 100644
index 000000000000..c06689987c34
--- /dev/null
+++ b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
@@ -0,0 +1,93 @@
+From 73d42680fce8598324364dbb31b9bc3b8320adf7 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.ch>
+Date: Sun, 19 Sep 2021 21:18:47 +0200
+Subject: [PATCH] sonmp: fix heap overflow when reading SONMP packets
+
+By sending short SONMP packets, an attacker can make the decoder crash
+by reading too much data on the heap. SONMP packets are fixed in size,
+just ensure we get the enough bytes to contain a SONMP packet.
+
+CVE-2021-43612
+---
+ NEWS                         |  2 ++
+ src/daemon/protocols/sonmp.c |  2 +-
+ src/daemon/protocols/sonmp.h |  2 +-
+ tests/check_sonmp.c          | 10 +++++-----
+ 4 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index 41dcf6aa412d..f8f12469e28a 100644
+--- a/src/daemon/protocols/sonmp.c
++++ b/src/daemon/protocols/sonmp.c
+@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+ 
+ 	length = s;
+ 	pos = (u_int8_t*)frame;
+-	if (length < SONMP_SIZE) {
++	if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
+ 		log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname);
+ 		goto malformed;
+ 	}
+diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
+index 0e60106dae63..ff7a720f0b5d 100644
+--- a/src/daemon/protocols/sonmp.h
++++ b/src/daemon/protocols/sonmp.h
+@@ -24,7 +24,7 @@
+ #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
+ #define LLC_PID_SONMP_HELLO 0x01a2
+ #define LLC_PID_SONMP_FLATNET 0x01a1
+-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8)
++#define SONMP_SIZE 19
+ 
+ struct sonmp_chassis {
+ 	int type;
+diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c
+index 8c7a208fffc1..b25f0e2fbb88 100644
+--- a/tests/check_sonmp.c
++++ b/tests/check_sonmp.c
+@@ -33,7 +33,7 @@ START_TEST (test_send_sonmp)
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ IEEE 802.3 Ethernet 
+     Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01)
+     Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+-    Length: 22
++    Length: 19
+ Logical-Link Control
+     DSAP: SNAP (0xaa)
+     IG Bit: Individual
+@@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol
+ 	*/
+ 	char pkt1[] = {
+ 		0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10,
+-		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 		0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11,
+ 		0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 		0x01 };
+ 	char pkt2[] = {
+ 		0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10,
+-		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++		0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 		0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11,
+ 		0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 		0x01 };
+@@ -99,7 +99,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ 	chassis.c_id_len = ETHER_ADDR_LEN;
+ 	TAILQ_INIT(&chassis.c_mgmt);
+ 	addr = inet_addr("172.17.142.37");
+-	mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4, 
++	mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4,
+ 				&addr, sizeof(in_addr_t), 0);
+ 	if (mgmt == NULL)
+ 		ck_abort();
+-- 
+2.33.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 66ab5767af9a..f3ba6553bd59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 0001-build-put-ZSH-completion-in-vendor-completions.patch
+0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
+0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
-- 
2.33.1

Reply to:

Follow-Ups:
- Bug#999673: bullseye-pu: package lldpd/1.0.11-1
  - From: Vincent Bernat <bernat@debian.org>

Prev by Date: Bug#999668: bullseye-pu: package jwm/2.3.7-5+deb11u1
Next by Date: Re: New proposed-updates diff: libapache2-mod-rivet 3.2.1-1
Previous by thread: Processed: jwm 2.3.7-5+deb11u1 flagged for acceptance
Next by thread: Bug#999673: bullseye-pu: package lldpd/1.0.11-1
Index(es):
- Date
- Thread