From 98a7671cad6b21212809951b05f482001fba3e18 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Tue, 5 Dec 2023 14:24:10 +0800 Subject: [PATCH 1/4] update to frr-7.5.1-13.src.rpm Signed-off-by: Zhao Hang --- 0014-bfd-profile-crash.patch | 117 ++++++++++++++++++++++++++++++ 0015-max-ttl-reload.patch | 93 ++++++++++++++++++++++++ CVE-2023-20593.patch | 134 ----------------------------------- frr.if | 44 ++++++++++++ frr.spec | 46 ++++++------ frr.te | 7 +- 6 files changed, 280 insertions(+), 161 deletions(-) create mode 100644 0014-bfd-profile-crash.patch create mode 100644 0015-max-ttl-reload.patch delete mode 100644 CVE-2023-20593.patch diff --git a/0014-bfd-profile-crash.patch b/0014-bfd-profile-crash.patch new file mode 100644 index 0000000..cc263ff --- /dev/null +++ b/0014-bfd-profile-crash.patch @@ -0,0 +1,117 @@ +From 4b793d1eb35ab5794db12725a28fcdb4fef23af7 Mon Sep 17 00:00:00 2001 +From: Igor Ryzhov +Date: Thu, 1 Apr 2021 15:29:18 +0300 +Subject: [PATCH] bfdd: remove profiles when removing bfd node + +Fixes #8379. + +Signed-off-by: Igor Ryzhov +--- + bfdd/bfd.c | 8 ++++++++ + bfdd/bfd.h | 1 + + bfdd/bfdd_nb_config.c | 1 + + 3 files changed, 10 insertions(+) + +diff --git a/bfdd/bfd.c b/bfdd/bfd.c +index c966efd8ea71..cf292a836354 100644 +--- a/bfdd/bfd.c ++++ b/bfdd/bfd.c +@@ -1889,6 +1889,14 @@ void bfd_sessions_remove_manual(void) + hash_iterate(bfd_key_hash, _bfd_session_remove_manual, NULL); + } + ++void bfd_profiles_remove(void) ++{ ++ struct bfd_profile *bp; ++ ++ while ((bp = TAILQ_FIRST(&bplist)) != NULL) ++ bfd_profile_free(bp); ++} ++ + /* + * Profile related hash functions. + */ +diff --git a/bfdd/bfd.h b/bfdd/bfd.h +index af3f92d6a8f8..9ee1da728717 100644 +--- a/bfdd/bfd.h ++++ b/bfdd/bfd.h +@@ -596,6 +596,7 @@ void bfd_session_free(struct bfd_session *bs); + const struct bfd_session *bfd_session_next(const struct bfd_session *bs, + bool mhop); + void bfd_sessions_remove_manual(void); ++void bfd_profiles_remove(void); + + /** + * Set the BFD session echo state. +diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c +index 0046bc625b45..77f8cbd09c07 100644 +--- a/bfdd/bfdd_nb_config.c ++++ b/bfdd/bfdd_nb_config.c +@@ -203,6 +203,7 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args) + + case NB_EV_APPLY: + bfd_sessions_remove_manual(); ++ bfd_profiles_remove(); + break; + + case NB_EV_ABORT: +diff --git a/bfdd/bfdd_nb_config.c b/bfdd/bfdd_nb_config.c +index 77f8cbd09c07..4030e2eefa50 100644 +--- a/bfdd/bfdd_nb_config.c ++++ b/bfdd/bfdd_nb_config.c +@@ -186,7 +186,15 @@ static int bfd_session_destroy(enum nb_event event, + */ + int bfdd_bfd_create(struct nb_cb_create_args *args) + { +- /* NOTHING */ ++ if (args->event != NB_EV_APPLY) ++ return NB_OK; ++ ++ /* ++ * Set any non-NULL value to be able to call ++ * nb_running_unset_entry in bfdd_bfd_destroy. ++ */ ++ nb_running_set_entry(args->dnode, (void *)0x1); ++ + return NB_OK; + } + +@@ -202,6 +210,12 @@ int bfdd_bfd_destroy(struct nb_cb_destroy_args *args) + return NB_OK; + + case NB_EV_APPLY: ++ /* ++ * We need to call this to unset pointers from ++ * the child nodes - sessions and profiles. ++ */ ++ nb_running_unset_entry(args->dnode); ++ + bfd_sessions_remove_manual(); + bfd_profiles_remove(); + break; +diff --git a/bfdd/bfdd_cli.c b/bfdd/bfdd_cli.c +index b64e36b36a44..5a844e56e121 100644 +--- a/bfdd/bfdd_cli.c ++++ b/bfdd/bfdd_cli.c +@@ -486,7 +486,7 @@ void bfd_cli_show_echo_interval(struct vty *vty, struct lyd_node *dnode, + * Profile commands. + */ + DEFPY_YANG_NOSH(bfd_profile, bfd_profile_cmd, +- "profile WORD$name", ++ "profile BFDPROF$name", + BFD_PROFILE_STR + BFD_PROFILE_NAME_STR) + { +diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c +index 74f13e1a44e8..cf1811bb1f2f 100644 +--- a/vtysh/vtysh.c ++++ b/vtysh/vtysh.c +@@ -1959,7 +1959,7 @@ DEFUNSH(VTYSH_BFDD, bfd_peer_enter, bfd_peer_enter_cmd, + } + + DEFUNSH(VTYSH_BFDD, bfd_profile_enter, bfd_profile_enter_cmd, +- "profile WORD", ++ "profile BFDPROF", + BFD_PROFILE_STR + BFD_PROFILE_NAME_STR) + { diff --git a/0015-max-ttl-reload.patch b/0015-max-ttl-reload.patch new file mode 100644 index 0000000..e68a221 --- /dev/null +++ b/0015-max-ttl-reload.patch @@ -0,0 +1,93 @@ +From 767aaa3a80489bfc4ff097f932fc347e3db25b89 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Mon, 21 Aug 2023 00:01:42 +0300 +Subject: [PATCH] bgpd: Do not explicitly print MAXTTL value for ebgp-multihop + vty output + +1. Create /etc/frr/frr.conf +``` +frr version 7.5 +frr defaults traditional +hostname centos8.localdomain +no ip forwarding +no ipv6 forwarding +service integrated-vtysh-config +line vty +router bgp 4250001000 + neighbor 192.168.122.207 remote-as 65512 + neighbor 192.168.122.207 ebgp-multihop +``` + +2. Start FRR +`# systemctl start frr +` +3. Show running configuration. Note that FRR explicitly set and shows the default TTL (225) + +``` +Building configuration... + +Current configuration: +! +frr version 7.5 +frr defaults traditional +hostname centos8.localdomain +no ip forwarding +no ipv6 forwarding +service integrated-vtysh-config +! +router bgp 4250001000 + neighbor 192.168.122.207 remote-as 65512 + neighbor 192.168.122.207 ebgp-multihop 255 +! +line vty +! +end +``` +4. Copy initial frr.conf to frr.conf.new (no changes) +`# cp /etc/frr/frr.conf /root/frr.conf.new +` +5. Run frr-reload.sh: + +``` +$ /usr/lib/frr/frr-reload.py --test /root/frr.conf.new +2023-08-20 20:15:48,050 INFO: Called via "Namespace(bindir='/usr/bin', confdir='/etc/frr', daemon='', debug=False, filename='/root/frr.conf.new', input=None, log_level='info', overwrite=False, pathspace=None, reload=False, rundir='/var/run/frr', stdout=False, test=True, vty_socket=None)" +2023-08-20 20:15:48,050 INFO: Loading Config object from file /root/frr.conf.new +2023-08-20 20:15:48,124 INFO: Loading Config object from vtysh show running + +Lines To Delete +=============== +router bgp 4250001000 + no neighbor 192.168.122.207 ebgp-multihop 255 + +Lines To Add +============ +router bgp 4250001000 + neighbor 192.168.122.207 ebgp-multihop +``` + +Closes https://github.com/FRRouting/frr/issues/14242 + +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_vty.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c +index be0fe4283747..c9a9255f3392 100644 +--- a/bgpd/bgp_vty.c ++++ b/bgpd/bgp_vty.c +@@ -17735,8 +17735,12 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp, + && !(peer->gtsm_hops != BGP_GTSM_HOPS_DISABLED + && peer->ttl == MAXTTL)) { + if (!peer_group_active(peer) || g_peer->ttl != peer->ttl) { +- vty_out(vty, " neighbor %s ebgp-multihop %d\n", addr, +- peer->ttl); ++ if (peer->ttl != MAXTTL) ++ vty_out(vty, " neighbor %s ebgp-multihop %d\n", ++ addr, peer->ttl); ++ else ++ vty_out(vty, " neighbor %s ebgp-multihop\n", ++ addr); + } + } + diff --git a/CVE-2023-20593.patch b/CVE-2023-20593.patch deleted file mode 100644 index 4a8db69..0000000 --- a/CVE-2023-20593.patch +++ /dev/null @@ -1,134 +0,0 @@ -From a3337f1bd534d1d2b47b149a14418c5d93d341e3 Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Thu, 13 Jul 2023 22:32:03 +0300 -Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation - attribute - -Before this path we used session reset method, which is discouraged by rfc7606. - -Handle this as rfc requires. - -Signed-off-by: Donatas Abraitis -Signed-off-by: Christian Breunig - -(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186) ---- - bgpd/bgp_attr.c | 61 ++++++++++++++++++++----------------------------- - 1 file changed, 25 insertions(+), 36 deletions(-) - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index f5e54267d..4bc28fe23 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -1225,6 +1225,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, - case BGP_ATTR_LARGE_COMMUNITIES: - case BGP_ATTR_ORIGINATOR_ID: - case BGP_ATTR_CLUSTER_LIST: -+ case BGP_ATTR_ENCAP: - return BGP_ATTR_PARSE_WITHDRAW; - case BGP_ATTR_MP_REACH_NLRI: - case BGP_ATTR_MP_UNREACH_NLRI: -@@ -2320,26 +2321,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args) - } - - /* Parse Tunnel Encap attribute in an UPDATE */ --static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ -- bgp_size_t length, /* IN: attr's length field */ -- struct attr *attr, /* IN: caller already allocated */ -- uint8_t flag, /* IN: attr's flags field */ -- uint8_t *startp) -+static int bgp_attr_encap(struct bgp_attr_parser_args *args) - { -- bgp_size_t total; - uint16_t tunneltype = 0; -- -- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); -+ struct peer *const peer = args->peer; -+ struct attr *const attr = args->attr; -+ bgp_size_t length = args->length; -+ uint8_t type = args->type; -+ uint8_t flag = args->flags; - - if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) - || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { -- zlog_info( -- "Tunnel Encap attribute flag isn't optional and transitive %d", -- flag); -- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, -- startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", -+ flag); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - if (BGP_ATTR_ENCAP == type) { -@@ -2347,12 +2343,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - uint16_t tlv_length; - - if (length < 4) { -- zlog_info( -+ zlog_err( - "Tunnel Encap attribute not long enough to contain outer T,L"); -- bgp_notify_send_with_data( -- peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); -- return -1; -+ return bgp_attr_malformed(args, -+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - tunneltype = stream_getw(BGP_INPUT(peer)); - tlv_length = stream_getw(BGP_INPUT(peer)); -@@ -2382,13 +2377,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - } - - if (sublength > length) { -- zlog_info( -- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", -- sublength, length); -- bgp_notify_send_with_data( -- peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", -+ sublength, length); -+ return bgp_attr_malformed(args, -+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - /* alloc and copy sub-tlv */ -@@ -2434,13 +2427,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - - if (length) { - /* spurious leftover data */ -- zlog_info( -- "Tunnel Encap attribute length is bad: %d leftover octets", -- length); -- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -- startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", -+ length); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - return 0; -@@ -3128,8 +3118,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr, - case BGP_ATTR_VNC: - #endif - case BGP_ATTR_ENCAP: -- ret = bgp_attr_encap(type, peer, length, attr, flag, -- startp); -+ ret = bgp_attr_encap(&attr_args); - break; - case BGP_ATTR_PREFIX_SID: - ret = bgp_attr_prefix_sid(&attr_args); --- -2.19.2 - diff --git a/frr.if b/frr.if index d96499d..b580159 100644 --- a/frr.if +++ b/frr.if @@ -160,3 +160,47 @@ interface(`frr_admin',` systemd_read_fifo_file_passwd_run($1) ') ') + +######################################## +## +## Read ifconfig_var_run_t files and link files +## +## +## +## Domain allowed access. +## +## +# +ifndef(`sysnet_read_ifconfig_run',` + interface(`sysnet_read_ifconfig_run',` + gen_require(` + type ifconfig_var_run_t; + ') + + manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') +') + +######################################## +## +## Read unconfined_t files and dirs +## +## +## +## Domain allowed access. +## +## +# +ifndef(`unconfined_read_files',` + interface(`unconfined_read_files',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:file read_file_perms; + allow $1 unconfined_t:dir list_dir_perms; + ') +') diff --git a/frr.spec b/frr.spec index f10edd3..a1d1c55 100644 --- a/frr.spec +++ b/frr.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.2 %global frrversion 7.5.1 %global frr_libdir /usr/libexec/frr @@ -8,7 +7,7 @@ Name: frr Version: 7.5.1 -Release: 8%{?checkout}%{anolis_release}%{?dist} +Release: 13%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -33,21 +32,17 @@ Requires(preun): systemd /sbin/install-info Requires(postun): systemd Requires: iproute Requires: initscripts -Requires: glibc %if 0%{?with_selinux} Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) %endif Provides: routingdaemon = %{version}-%{release} -Provides: /usr/bin/mtracebis Obsoletes: frr-sysvinit quagga frr-contrib Patch0000: 0000-remove-babeld-and-ldpd.patch Patch0001: 0001-use-python3.patch -%ifnarch loongarch64 Patch0002: 0002-enable-openssl.patch -%endif Patch0003: 0003-disable-eigrp-crypto.patch Patch0004: 0004-fips-mode.patch Patch0006: 0006-CVE-2020-12831.patch @@ -58,8 +53,8 @@ Patch0010: 0010-moving-executables.patch Patch0011: 0011-reload-bfd-profile.patch Patch0012: 0012-graceful-restart.patch Patch0013: 0013-CVE-2022-37032.patch -# https://github.com/FRRouting/frr/commit/a3337f1bd534d1d2b47b149a14418c5d93d341e3 -Patch0014: CVE-2023-20593.patch +Patch0014: 0014-bfd-profile-crash.patch +Patch0015: 0015-max-ttl-reload.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -84,14 +79,6 @@ SELinux policy modules for FRR package %endif -%package doc -Summary: Documents for %{name} -BuildArch: noarch -Requires: %{name} = %{version}-%{release} - -%description doc -Doc pages for %{name}. - %prep %autosetup -S git #SELinux @@ -259,6 +246,7 @@ make check PYTHON=%{__python3} %doc ospf6d/ospf6d.conf.sample %doc ripngd/ripngd.conf.sample %doc pimd/pimd.conf.sample +%doc doc/mpls %dir %attr(740,frr,frr) %{_sysconfdir}/frr %dir %attr(755,frr,frr) /var/log/frr %dir %attr(755,frr,frr) /run/frr @@ -286,19 +274,24 @@ make check PYTHON=%{__python3} %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} %endif -%files doc -%doc doc/mpls - %changelog -* Tue Dec 12 2023 Wenlong Zhang - 7.5.1-8.0.2 -- Add loongarch64 for frr +* Tue Oct 10 2023 Michal Ruprich - 7.5.1-13 +- Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration + +* Wed Aug 23 2023 Michal Ruprich - 7.5.1-12 +- Resolves: #2216911 - Adding missing sys_admin SELinux call + +* Mon Aug 21 2023 Michal Ruprich - 7.5.1-11 +- Related: #2216911 - Adding unconfined_t type to access namespaces -* Thu Sep 28 2023 Chang Gao - 7.5.1-8.0.1 -- Fix CVE-2023-20593 +* Thu Aug 17 2023 Michal Ruprich - 7.5.1-10 +- Related: #2226803 - Adding patch -* Fri May 26 2023 DengXiewei - 7.5.1-7.0.1 -- Add doc sub package -- Remove loongarch64 arch (wb-zh951434@alibaba-inc.com) +* Wed Aug 16 2023 Michal Ruprich - 7.5.1-9 +- Resolves: #2226803 - BFD crash in FRR running in MetalLB + +* Fri Aug 11 2023 Michal Ruprich - 7.5.1-8 +- Resolves: #2216911 - SELinux is preventing FRR-Zebra to access to network namespaces * Wed Nov 30 2022 Michal Ruprich - 7.5.1-7 - Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service @@ -386,3 +379,4 @@ make check PYTHON=%{__python3} * Wed May 29 2019 Michal Ruprich - 7.0-1 - Resolves: #1657029 - Add FRR as a replacement of Quagga in RHEL 8 + diff --git a/frr.te b/frr.te index e41b75d..a1c8bee 100644 --- a/frr.te +++ b/frr.te @@ -31,7 +31,7 @@ files_pid_file(frr_var_run_t) # # frr local policy # -allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin }; +allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin }; allow frr_t self:netlink_route_socket rw_netlink_socket_perms; allow frr_t self:packet_socket create; allow frr_t self:process { setcap setpgid }; @@ -96,6 +96,7 @@ fs_read_nsfs_files(frr_t) fs_search_cgroup_dirs(frr_t) sysnet_exec_ifconfig(frr_t) +sysnet_read_ifconfig_run(frr_t) userdom_read_admin_home_files(frr_t) @@ -107,6 +108,10 @@ optional_policy(` logging_send_syslog_msg(frr_t) ') +optional_policy(` + unconfined_read_files(frr_t) +') + optional_policy(` modutils_exec_kmod(frr_t) modutils_getattr_module_deps(frr_t) -- Gitee From 88dcbd324f3300119f249251a24f7c075aee22c1 Mon Sep 17 00:00:00 2001 From: DengXiewei Date: Sun, 17 Jul 2022 15:37:56 +0800 Subject: [PATCH 2/4] Add doc sub package Signed-off-by: DengXiewei --- frr.spec | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/frr.spec b/frr.spec index a1d1c55..158ee13 100644 --- a/frr.spec +++ b/frr.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %global frrversion 7.5.1 %global frr_libdir /usr/libexec/frr @@ -7,7 +8,7 @@ Name: frr Version: 7.5.1 -Release: 13%{?checkout}%{?dist} +Release: 13%{?checkout}%{anolis_release}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -32,12 +33,14 @@ Requires(preun): systemd /sbin/install-info Requires(postun): systemd Requires: iproute Requires: initscripts +Requires: glibc %if 0%{?with_selinux} Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) %endif Provides: routingdaemon = %{version}-%{release} +Provides: /usr/bin/mtracebis Obsoletes: frr-sysvinit quagga frr-contrib Patch0000: 0000-remove-babeld-and-ldpd.patch @@ -79,6 +82,14 @@ SELinux policy modules for FRR package %endif +%package doc +Summary: Documents for %{name} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} + +%description doc +Doc pages for %{name}. + %prep %autosetup -S git #SELinux @@ -246,7 +257,6 @@ make check PYTHON=%{__python3} %doc ospf6d/ospf6d.conf.sample %doc ripngd/ripngd.conf.sample %doc pimd/pimd.conf.sample -%doc doc/mpls %dir %attr(740,frr,frr) %{_sysconfdir}/frr %dir %attr(755,frr,frr) /var/log/frr %dir %attr(755,frr,frr) /run/frr @@ -274,7 +284,13 @@ make check PYTHON=%{__python3} %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} %endif +%files doc +%doc doc/mpls + %changelog +* Mon Dec 11 2023 DengXiewei - 7.5.1-13.0.1 +- Add doc sub package + * Tue Oct 10 2023 Michal Ruprich - 7.5.1-13 - Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration -- Gitee From 153401ee90f3629776e97feefdc259e2ab0e881f Mon Sep 17 00:00:00 2001 From: "taifu.gc" Date: Thu, 28 Sep 2023 12:27:31 +0800 Subject: [PATCH 3/4] Fix CVE-2023-20593 --- CVE-2023-20593.patch | 134 +++++++++++++++++++++++++++++++++++++++++++ frr.spec | 3 + 2 files changed, 137 insertions(+) create mode 100644 CVE-2023-20593.patch diff --git a/CVE-2023-20593.patch b/CVE-2023-20593.patch new file mode 100644 index 0000000..4a8db69 --- /dev/null +++ b/CVE-2023-20593.patch @@ -0,0 +1,134 @@ +From a3337f1bd534d1d2b47b149a14418c5d93d341e3 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Thu, 13 Jul 2023 22:32:03 +0300 +Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation + attribute + +Before this path we used session reset method, which is discouraged by rfc7606. + +Handle this as rfc requires. + +Signed-off-by: Donatas Abraitis +Signed-off-by: Christian Breunig + +(cherry picked from commit bcb6b58d9530173df41d3a3cbc4c600ee0b4b186) +--- + bgpd/bgp_attr.c | 61 ++++++++++++++++++++----------------------------- + 1 file changed, 25 insertions(+), 36 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index f5e54267d..4bc28fe23 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -1225,6 +1225,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, + case BGP_ATTR_LARGE_COMMUNITIES: + case BGP_ATTR_ORIGINATOR_ID: + case BGP_ATTR_CLUSTER_LIST: ++ case BGP_ATTR_ENCAP: + return BGP_ATTR_PARSE_WITHDRAW; + case BGP_ATTR_MP_REACH_NLRI: + case BGP_ATTR_MP_UNREACH_NLRI: +@@ -2320,26 +2321,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args) + } + + /* Parse Tunnel Encap attribute in an UPDATE */ +-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ +- bgp_size_t length, /* IN: attr's length field */ +- struct attr *attr, /* IN: caller already allocated */ +- uint8_t flag, /* IN: attr's flags field */ +- uint8_t *startp) ++static int bgp_attr_encap(struct bgp_attr_parser_args *args) + { +- bgp_size_t total; + uint16_t tunneltype = 0; +- +- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); ++ struct peer *const peer = args->peer; ++ struct attr *const attr = args->attr; ++ bgp_size_t length = args->length; ++ uint8_t type = args->type; ++ uint8_t flag = args->flags; + + if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) + || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { +- zlog_info( +- "Tunnel Encap attribute flag isn't optional and transitive %d", +- flag); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", ++ flag); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + if (BGP_ATTR_ENCAP == type) { +@@ -2347,12 +2343,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + uint16_t tlv_length; + + if (length < 4) { +- zlog_info( ++ zlog_err( + "Tunnel Encap attribute not long enough to contain outer T,L"); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + tunneltype = stream_getw(BGP_INPUT(peer)); + tlv_length = stream_getw(BGP_INPUT(peer)); +@@ -2382,13 +2377,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + } + + if (sublength > length) { +- zlog_info( +- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", +- sublength, length); +- bgp_notify_send_with_data( +- peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", ++ sublength, length); ++ return bgp_attr_malformed(args, ++ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + /* alloc and copy sub-tlv */ +@@ -2434,13 +2427,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ + + if (length) { + /* spurious leftover data */ +- zlog_info( +- "Tunnel Encap attribute length is bad: %d leftover octets", +- length); +- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, +- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, +- startp, total); +- return -1; ++ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", ++ length); ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, ++ args->total); + } + + return 0; +@@ -3128,8 +3118,7 @@ bgp_attr_parse_ret_t bgp_attr_parse(struct peer *peer, struct attr *attr, + case BGP_ATTR_VNC: + #endif + case BGP_ATTR_ENCAP: +- ret = bgp_attr_encap(type, peer, length, attr, flag, +- startp); ++ ret = bgp_attr_encap(&attr_args); + break; + case BGP_ATTR_PREFIX_SID: + ret = bgp_attr_prefix_sid(&attr_args); +-- +2.19.2 + diff --git a/frr.spec b/frr.spec index 158ee13..e0314e5 100644 --- a/frr.spec +++ b/frr.spec @@ -58,6 +58,8 @@ Patch0012: 0012-graceful-restart.patch Patch0013: 0013-CVE-2022-37032.patch Patch0014: 0014-bfd-profile-crash.patch Patch0015: 0015-max-ttl-reload.patch +# https://github.com/FRRouting/frr/commit/a3337f1bd534d1d2b47b149a14418c5d93d341e3 +Patch1000: CVE-2023-20593.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -290,6 +292,7 @@ make check PYTHON=%{__python3} %changelog * Mon Dec 11 2023 DengXiewei - 7.5.1-13.0.1 - Add doc sub package +- Fix CVE-2023-20593 (Chang Gao) * Tue Oct 10 2023 Michal Ruprich - 7.5.1-13 - Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration -- Gitee From 6183e4c3af75acb090de6b931a1245a6860135a0 Mon Sep 17 00:00:00 2001 From: Wenlong Zhang Date: Thu, 28 Dec 2023 09:18:44 +0000 Subject: [PATCH 4/4] fix build error for loongarch64 --- frr.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/frr.spec b/frr.spec index e0314e5..ed6d80f 100644 --- a/frr.spec +++ b/frr.spec @@ -1,4 +1,4 @@ -%define anolis_release .0.1 +%define anolis_release .0.2 %global frrversion 7.5.1 %global frr_libdir /usr/libexec/frr @@ -45,7 +45,9 @@ Obsoletes: frr-sysvinit quagga frr-contrib Patch0000: 0000-remove-babeld-and-ldpd.patch Patch0001: 0001-use-python3.patch +%ifnarch loongarch64 Patch0002: 0002-enable-openssl.patch +%endif Patch0003: 0003-disable-eigrp-crypto.patch Patch0004: 0004-fips-mode.patch Patch0006: 0006-CVE-2020-12831.patch @@ -290,6 +292,8 @@ make check PYTHON=%{__python3} %doc doc/mpls %changelog +* Thu Dec 28 2023 Wenlong Zhang - 7.5.1-13.0.2 +- fix build error for loongarch64 * Mon Dec 11 2023 DengXiewei - 7.5.1-13.0.1 - Add doc sub package - Fix CVE-2023-20593 (Chang Gao) -- Gitee