On 1/14/21 10:38 PM, Salvatore Bonaccorso wrote:
> Source: openvswitch
> Version: 2.15.0~git20210104.def6eb1ea+dfsg1-3
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2
> Control: found -1 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12
>
> Hi,
>
> The following vulnerability was published for openvswitch.
>
> CVE-2020-27827[0]:
> | lldp: avoid memory leak from bad packets
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-27827
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27827
> [1] https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
> [2] https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0
>
> Regards,
> Salvatore
Hi Salvatore,

Thanks for the bug report. Please find, attached, the debdiff to fix the CVE in Buster. Note that Unstable/Sid has already been patched.

Please allow me to upload this to buster-security.

Cheers,

Thomas Goirand (zigo)
diff -Nru openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/changelog openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/changelog --- openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/changelog 2019-09-19 14:40:49.000000000 +0200 +++ openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/changelog 2021-01-15 08:27:23.000000000 +0100 @@ -1,3 +1,12 @@ +openvswitch (2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u3) buster-security; urgency=medium + + * CVE-2020-27827: denial of service attacks in which crafted LLDP packets + could cause memory to be lost when allocating data to handle specific + optional TLVs. Applied upstream patch: lldp: do not leak memory on multiple + instances of TLVs (Closes: #980132). + + -- Thomas Goirand <z...@debian.org> Fri, 15 Jan 2021 08:27:23 +0100 + openvswitch (2.10.0+2018.08.28+git.8ca7c82b7d+ds1-12+deb10u2) buster; urgency=medium * Fixed debian/ifupdown.sh typo: ovs_vsctl -> ovs-vsctl. diff -Nru openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/patches/CVE-2020-27827_lldp_do_not_leak_memory_on_multiple_instances_of_TLVs.patch openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/patches/CVE-2020-27827_lldp_do_not_leak_memory_on_multiple_instances_of_TLVs.patch --- openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/patches/CVE-2020-27827_lldp_do_not_leak_memory_on_multiple_instances_of_TLVs.patch 1970-01-01 01:00:00.000000000 +0100 +++ openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/patches/CVE-2020-27827_lldp_do_not_leak_memory_on_multiple_instances_of_TLVs.patch 2021-01-15 08:27:23.000000000 +0100 
@@ -0,0 +1,38 @@ +Description: CVE-2020-27827: lldp: do not leak memory on multiple instances of TLVs + lldp: avoid memory leak from bad packets + . + A packet that contains multiple instances of certain TLVs will cause + lldpd to continually allocate memory and leak the old memory. As an + example, multiple instances of system name TLV will cause old values + to be dropped by the decoding routine. + . + Reported-at: https://github.com/openvswitch/ovs/pull/337 + Reported-by: Jonas Rudloff <jonas.t.rudl...@gmail.com> + Signed-off-by: Aaron Conole <acon...@redhat.com> +Author: Aaron Conole <acon...@redhat.com> +Date: Wed, 13 Jan 2021 10:47:19 -0500 +Vulnerability: CVE-2020-27827 +Signed-off-by: Aaron Conole <acon...@redhat.com> +Signed-off-by: Ilya Maximets <i.maxim...@ovn.org> +Origin: upstream, https://github.com/openvswitch/ovs/commit/78e712c0b1dacc2f12d2a03d98f083d8672867f0.patch +Bug-Debian: https://bugs.debian.org/bug=980132 +Last-Update: 2021-01-15 + +Index: openvswitch/lib/lldp/lldp.c +=================================================================== +--- openvswitch.orig/lib/lldp/lldp.c ++++ openvswitch/lib/lldp/lldp.c +@@ -464,10 +464,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED + b = xzalloc(tlv_size + 1); + PEEK_BYTES(b, tlv_size); + if (tlv_type == LLDP_TLV_PORT_DESCR) { ++ free(port->p_descr); + port->p_descr = b; + } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) { ++ free(chassis->c_name); + chassis->c_name = b; + } else { ++ free(chassis->c_descr); + chassis->c_descr = b; + } + break; diff -Nru openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/patches/series openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/patches/series --- openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/patches/series 2019-09-19 14:40:49.000000000 +0200 +++ openvswitch-2.10.0+2018.08.28+git.8ca7c82b7d+ds1/debian/patches/series 2021-01-15 08:27:23.000000000 +0100 
@@ -11,3 +11,4 @@ remove-yet-another-mips-failing-test.patch remove-non-deterministic-tests.patch Fix_vswitchd_abort_when_a_port_is_added_and_the_controller_is_down.patch +CVE-2020-27827_lldp_do_not_leak_memory_on_multiple_instances_of_TLVs.patch
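Review bot: in the debian/changelog hunk the entry names the applied patch "lldp: do not leak memory on multiple instances of TLVs", while the upstream commit subject quoted both in the bug report and inside the new patch header is "lldp: avoid memory leak from bad packets"; quote the upstream subject (or both) so the changelog can be matched against commit 78e712c0b1dacc2f12d2a03d98f083d8672867f0 and the ovs-announce advisory. The CVE id is present, as the report asked.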
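Review bot: the DEP-3 header of the new debian/patches file carries a malformed bug link, `Bug-Debian: https://bugs.debian.org/bug=980132`; the usual form is `https://bugs.debian.org/980132`. The `Signed-off-by: Aaron Conole <acon...@redhat.com>` line also appears twice (once in the quoted upstream message, once among the DEP-3 fields), so the second copy can go. On the code, the three added `free()` calls before `port->p_descr = b`, `chassis->c_name = b` and `chassis->c_descr = b` are the whole fix: `free(NULL)` is a no-op, so the first occurrence of each TLV is unaffected and every later occurrence releases the previous value instead of dropping it. Since this is a 2021 upstream commit applied to a 2.10 tree, confirm that the hunk applied at the stated `lldp_decode` offset without fuzz and that `port` and `chassis` are zero-initialised before decoding in that tree, which the hunk itself does not show.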
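As an added illustration of the leak the patch header describes (not Open vSwitch code and not part of this bug thread), the following minimal LLDP-style TLV decoder reproduces the CVE-2020-27827 pattern, overwriting a previously allocated string when the same TLV appears again, next to the upstream fix of freeing the old value first. The packet layout (7-bit type, 9-bit length, big-endian header) and the type numbers 4/5/6 for Port Description, System Name and System Description follow IEEE 802.1AB; the `struct peer`, the `live_allocs` counter, the helper names and the constructed packets are this example's own assumptions.

```c
/* Added example, not Open vSwitch code. Shows the CVE-2020-27827 pattern
 * (old TLV value dropped on repeat) beside the fix (free() before reassign).
 * TLV header per IEEE 802.1AB: 7-bit type, 9-bit length, big-endian. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLV_END        0
#define TLV_PORT_DESCR 4
#define TLV_SYS_NAME   5
#define TLV_SYS_DESCR  6

/* Stands in for OVS's port/chassis string fields (assumed shape). */
struct peer { char *p_descr, *c_name, *c_descr; };

static size_t live_allocs;   /* allocations not yet freed; a leak is nonzero */

static char *dup_value(const uint8_t *p, size_t n)
{
    char *s = calloc(n + 1, 1);          /* same shape as xzalloc(tlv_size + 1) */
    if (!s) abort();
    memcpy(s, p, n);
    live_allocs++;
    return s;
}

static void release(char **slot)
{
    if (*slot) { free(*slot); *slot = NULL; live_allocs--; }
}

/* Walk a TLV stream into `peer`. fixed == 0 reproduces the leak (old pointer
 * overwritten and lost); fixed == 1 frees it first, as the upstream patch does.
 * Returns 0 at End-of-LLDPDU, -1 if a TLV runs past the buffer or End is absent. */
int decode(const uint8_t *pkt, size_t len, struct peer *peer, int fixed)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint16_t hdr = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
        unsigned type = hdr >> 9;
        size_t tlen = hdr & 0x1ff;
        off += 2;
        if (type == TLV_END) return 0;
        if (off + tlen > len) return -1;          /* truncated value: reject */
        char **slot = NULL;
        switch (type) {
        case TLV_PORT_DESCR: slot = &peer->p_descr; break;
        case TLV_SYS_NAME:   slot = &peer->c_name;  break;
        case TLV_SYS_DESCR:  slot = &peer->c_descr; break;
        default:             break;               /* other TLV types skipped */
        }
        if (slot) {
            char *b = dup_value(pkt + off, tlen);
            if (fixed) release(slot);             /* the fix: free the old value */
            *slot = b;                            /* unfixed: old value is leaked */
        }
        off += tlen;
    }
    return -1;
}

/* Append one TLV (type, value) to `out`; returns bytes written. */
static size_t put_tlv(uint8_t *out, unsigned type, const char *val)
{
    size_t n = strlen(val);
    out[0] = (uint8_t)((type << 1) | (n >> 8));
    out[1] = (uint8_t)(n & 0xff);
    memcpy(out + 2, val, n);
    return n + 2;
}

/* Constructed LLDPDU: one Port Description plus `repeats` (<= 100) copies of
 * System Name. Decode it, free what `peer` still holds, and report how many
 * allocations were lost; -1 if the packet was rejected. */
long leaked_after_decode(int fixed, unsigned repeats)
{
    uint8_t pkt[1500];
    size_t n = 0;
    n += put_tlv(pkt + n, TLV_PORT_DESCR, "eth0");
    for (unsigned i = 0; i < repeats && i < 100; i++)
        n += put_tlv(pkt + n, TLV_SYS_NAME, "switch-a");
    n += put_tlv(pkt + n, TLV_END, "");
    struct peer peer = {0};
    live_allocs = 0;
    int rc = decode(pkt, n, &peer, fixed);
    release(&peer.p_descr); release(&peer.c_name); release(&peer.c_descr);
    return rc == 0 ? (long)live_allocs : -1;
}

/* Constructed packet: a System Name TLV claims 8 bytes but only 3 follow. */
int truncated_is_rejected(void)
{
    const uint8_t bad[] = { 0x0a, 0x08, 's', 'w', 'x' };
    struct peer peer = {0};
    live_allocs = 0;
    int rc = decode(bad, sizeof bad, &peer, 1);
    release(&peer.p_descr); release(&peer.c_name); release(&peer.c_descr);
    return rc == -1 && live_allocs == 0;
}

int main(void)
{
    printf("unfixed, 3x System Name: %ld leaked\n", leaked_after_decode(0, 3));
    printf("fixed,   3x System Name: %ld leaked\n", leaked_after_decode(1, 3));
    printf("truncated TLV rejected: %d\n", truncated_is_rejected());
    return 0;
}
```

With the unfixed path, each extra System Name TLV in one packet costs one allocation that nothing frees, which is why a stream of crafted LLDPDUs grows the process without bound; with the fix the count returns to zero regardless of how many repeats the packet carries. The length check on `off + tlen > len` is the decoder's own guard against a truncated value and is independent of the leak fix.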