Bug#999673: bullseye-pu: package lldpd/1.0.11-1
❦ 27 November 2021 17:43 GMT, Adam D. Barratt:
>> > Package: release.debian.org
>> > Severity: normal
>> > Tags: bullseye
>> > User: release.debian.org@packages.debian.org
>> > Usertags: pu
>> [...]
>>
>> I did the upload to bullseye as I think the change is not
>> controversial.
>
> What you've uploaded to bullseye is *not* what you proposed in this
> request, however.
>
> The debdiff attached to this bug report amounts to "4 files changed,
> 130 insertions(+)", the uploaded package is "39 files changed, 561
> insertions(+), 221 deletions(-)" and includes a new upstream release.
Ugh. Very sorry about that!
Here is the appropriate diff. How can I sort out my bad upload? Bumping
the version number? I hold uploading anything else until you approve.
>From a5a413c1f44bb0a063fc9ca4cf56ae7137f53f3d Mon Sep 17 00:00:00 2001
From: Vincent Bernat <bernat@debian.org>
Date: Sun, 14 Nov 2021 15:42:12 +0100
Subject: [PATCH] Tentative security update for Bullseye
---
debian/changelog | 8 ++
...et-VLAN-tag-if-client-did-not-set-it.patch | 27 ++++++
...-overflow-when-reading-SONMP-packets.patch | 93 +++++++++++++++++++
debian/patches/series | 2 +
4 files changed, 130 insertions(+)
create mode 100644 debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
create mode 100644 debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
diff --git a/debian/changelog b/debian/changelog
index 4fc8b730cc52..6da569249198 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lldpd (1.0.11-1+deb11u1) bullseye; urgency=high
+
+ * d/patches: sonmp: fix heap overflow when reading SONMP packets.
+ CVE-2021-43612
+ * d/patches: client: do not set VLAN tag if client did not set it
+
+ -- Vincent Bernat <bernat@debian.org> Sat, 27 Nov 2021 23:30:43 +0100
+
lldpd (1.0.11-1) unstable; urgency=medium
* New upstream release.
diff --git a/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
new file mode 100644
index 000000000000..1f65986ae27e
--- /dev/null
+++ b/debian/patches/0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
@@ -0,0 +1,27 @@
+From 261afbe371ab316a4bf710338f6d9183a01e083f Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.ch>
+Date: Wed, 29 Sep 2021 12:02:15 +0200
+Subject: [PATCH] client: do not set VLAN tag if client did not set it
+
+This fixes a bug where frames could be tagged with VLAN 0 after client
+configuration.
+---
+ src/daemon/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/daemon/client.c b/src/daemon/client.c
+index b4a08aae80a8..0d0f3ea37a19 100644
+--- a/src/daemon/client.c
++++ b/src/daemon/client.c
+@@ -390,7 +390,7 @@ _client_handle_set_port(struct lldpd *cfg,
+ port->p_disable_rx = port->p_disable_tx = 1;
+ break;
+ }
+- if (set->vlan_tx_enabled >= -1) {
++ if (set->vlan_tx_enabled > -1) {
+ port->p_vlan_tx_enabled = set->vlan_tx_enabled;
+ port->p_vlan_tx_tag = set->vlan_tx_tag;
+ }
+--
+2.33.1
+
diff --git a/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
new file mode 100644
index 000000000000..c06689987c34
--- /dev/null
+++ b/debian/patches/0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
@@ -0,0 +1,93 @@
+From 73d42680fce8598324364dbb31b9bc3b8320adf7 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat <vincent@bernat.ch>
+Date: Sun, 19 Sep 2021 21:18:47 +0200
+Subject: [PATCH] sonmp: fix heap overflow when reading SONMP packets
+
+By sending short SONMP packets, an attacker can make the decoder crash
+by reading too much data on the heap. SONMP packets are fixed in size,
+just ensure we get the enough bytes to contain a SONMP packet.
+
+CVE-2021-43612
+---
+ NEWS | 2 ++
+ src/daemon/protocols/sonmp.c | 2 +-
+ src/daemon/protocols/sonmp.h | 2 +-
+ tests/check_sonmp.c | 10 +++++-----
+ 4 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index 41dcf6aa412d..f8f12469e28a 100644
+--- a/src/daemon/protocols/sonmp.c
++++ b/src/daemon/protocols/sonmp.c
+@@ -311,7 +311,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s,
+
+ length = s;
+ pos = (u_int8_t*)frame;
+- if (length < SONMP_SIZE) {
++ if (length < SONMP_SIZE + 2*ETHER_ADDR_LEN + sizeof(u_int16_t)) {
+ log_warnx("sonmp", "too short SONMP frame received on %s", hardware->h_ifname);
+ goto malformed;
+ }
+diff --git a/src/daemon/protocols/sonmp.h b/src/daemon/protocols/sonmp.h
+index 0e60106dae63..ff7a720f0b5d 100644
+--- a/src/daemon/protocols/sonmp.h
++++ b/src/daemon/protocols/sonmp.h
+@@ -24,7 +24,7 @@
+ #define LLC_ORG_NORTEL { 0x00, 0x00, 0x81 }
+ #define LLC_PID_SONMP_HELLO 0x01a2
+ #define LLC_PID_SONMP_FLATNET 0x01a1
+-#define SONMP_SIZE (2*ETHER_ADDR_LEN + sizeof(u_int16_t) + 8)
++#define SONMP_SIZE 19
+
+ struct sonmp_chassis {
+ int type;
+diff --git a/tests/check_sonmp.c b/tests/check_sonmp.c
+index 8c7a208fffc1..b25f0e2fbb88 100644
+--- a/tests/check_sonmp.c
++++ b/tests/check_sonmp.c
+@@ -33,7 +33,7 @@ START_TEST (test_send_sonmp)
+ IEEE 802.3 Ethernet
+ Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:00)
+ Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+- Length: 22
++ Length: 19
+ Logical-Link Control
+ DSAP: SNAP (0xaa)
+ IG Bit: Individual
+@@ -55,7 +55,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ IEEE 802.3 Ethernet
+ Destination: Bay-Networks-(Synoptics)-autodiscovery (01:00:81:00:01:01)
+ Source: 5e:10:8e:e7:84:ad (5e:10:8e:e7:84:ad)
+- Length: 22
++ Length: 19
+ Logical-Link Control
+ DSAP: SNAP (0xaa)
+ IG Bit: Individual
+@@ -76,13 +76,13 @@ Nortel Networks / SynOptics Network Management Protocol
+ */
+ char pkt1[] = {
+ 0x01, 0x00, 0x81, 0x00, 0x01, 0x00, 0x5e, 0x10,
+- 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++ 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 0x03, 0x00, 0x00, 0x81, 0x01, 0xa2, 0xac, 0x11,
+ 0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 0x01 };
+ char pkt2[] = {
+ 0x01, 0x00, 0x81, 0x00, 0x01, 0x01, 0x5e, 0x10,
+- 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x16, 0xaa, 0xaa,
++ 0x8e, 0xe7, 0x84, 0xad, 0x00, 0x13, 0xaa, 0xaa,
+ 0x03, 0x00, 0x00, 0x81, 0x01, 0xa1, 0xac, 0x11,
+ 0x8e, 0x25, 0x00, 0x00, 0x04, 0x01, 0x0c, 0x03,
+ 0x01 };
+@@ -99,7 +99,7 @@ Nortel Networks / SynOptics Network Management Protocol
+ chassis.c_id_len = ETHER_ADDR_LEN;
+ TAILQ_INIT(&chassis.c_mgmt);
+ addr = inet_addr("172.17.142.37");
+- mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4,
++ mgmt = lldpd_alloc_mgmt(LLDPD_AF_IPV4,
+ &addr, sizeof(in_addr_t), 0);
+ if (mgmt == NULL)
+ ck_abort();
+--
+2.33.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 66ab5767af9a..f3ba6553bd59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
0001-build-put-ZSH-completion-in-vendor-completions.patch
+0001-sonmp-fix-heap-overflow-when-reading-SONMP-packets.patch
+0001-client-do-not-set-VLAN-tag-if-client-did-not-set-it.patch
--
2.34.0
--
Watch out for off-by-one errors.
- The Elements of Programming Style (Kernighan & Plauger)
Reply to: