From d2f38a85949c9631490f681c1dfaafbe9e35e939 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 10:20:44 +0000 Subject: [PATCH] import frr-7.5.1-7.el8 --- .frr.metadata | 1 + .gitignore | 1 + SOURCES/0012-graceful-restart.patch | 79 ++++++++++++++ SOURCES/0013-CVE-2022-37032.patch | 32 ++++++ SOURCES/frr.fc | 2 +- SOURCES/frr.if | 162 ---------------------------- SOURCES/frr.te | 7 +- SPECS/frr.spec | 24 ++++- 8 files changed, 139 insertions(+), 169 deletions(-) create mode 100644 SOURCES/0012-graceful-restart.patch create mode 100644 SOURCES/0013-CVE-2022-37032.patch delete mode 100644 SOURCES/frr.if diff --git a/.frr.metadata b/.frr.metadata index fe0c737..86591ca 100644 --- a/.frr.metadata +++ b/.frr.metadata @@ -1 +1,2 @@ dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz +e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if diff --git a/.gitignore b/.gitignore index c0a706d..6f9e306 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ SOURCES/frr-7.5.1.tar.gz +SOURCES/frr.if diff --git a/SOURCES/0012-graceful-restart.patch b/SOURCES/0012-graceful-restart.patch new file mode 100644 index 0000000..7e874cc --- /dev/null +++ b/SOURCES/0012-graceful-restart.patch @@ -0,0 +1,79 @@ +From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Tue, 27 Sep 2022 17:30:16 +0300 +Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting + +We might disable sending unconfig/shutdown notifications when +Graceful-Restart is enabled and negotiated. + +Signed-off-by: Donatas Abraitis +--- + bgpd/bgpd.c | 35 ++++++++++++++++++++++++++--------- + 1 file changed, 26 insertions(+), 9 deletions(-) + +diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c +index 3d4ef7c..f8089c6 100644 +--- a/bgpd/bgpd.c ++++ b/bgpd/bgpd.c +@@ -2564,11 +2564,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as, + + void peer_notify_unconfig(struct peer *peer) + { ++ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { ++ if (bgp_debug_neighbor_events(peer)) ++ zlog_debug( ++ "%pBP configured Graceful-Restart, skipping unconfig notification", ++ peer); ++ return; ++ } ++ + if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) + bgp_notify_send(peer, BGP_NOTIFY_CEASE, + BGP_NOTIFY_CEASE_PEER_UNCONFIG); + } + ++static void peer_notify_shutdown(struct peer *peer) ++{ ++ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) { ++ if (bgp_debug_neighbor_events(peer)) ++ zlog_debug( ++ "%pBP configured Graceful-Restart, skipping shutdown notification", ++ peer); ++ return; ++ } ++ ++ if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) ++ bgp_notify_send(peer, BGP_NOTIFY_CEASE, ++ BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); ++} ++ + void peer_group_notify_unconfig(struct peer_group *group) + { + struct peer *peer, *other; +@@ -3380,11 +3403,8 @@ int bgp_delete(struct bgp *bgp) + } + + /* Inform peers we're going down. */ +- for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) { +- if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status)) +- bgp_notify_send(peer, BGP_NOTIFY_CEASE, +- BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN); +- } ++ for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) ++ peer_notify_shutdown(peer); + + /* Delete static routes (networks). */ + bgp_static_delete(bgp); +@@ -7238,11 +7258,7 @@ void bgp_terminate(void) + + for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp)) + for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer)) +- if (peer->status == Established +- || peer->status == OpenSent +- || peer->status == OpenConfirm) +- bgp_notify_send(peer, BGP_NOTIFY_CEASE, +- BGP_NOTIFY_CEASE_PEER_UNCONFIG); ++ peer_notify_unconfig(peer); + + if (bm->process_main_queue) + work_queue_free_and_null(&bm->process_main_queue); diff --git a/SOURCES/0013-CVE-2022-37032.patch b/SOURCES/0013-CVE-2022-37032.patch new file mode 100644 index 0000000..4899c72 --- /dev/null +++ b/SOURCES/0013-CVE-2022-37032.patch @@ -0,0 +1,32 @@ +From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Thu, 21 Jul 2022 08:11:58 -0400 +Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is + expected + +Ensure that if the capability length specified is enough data. + +Signed-off-by: Donald Sharp +--- + bgpd/bgp_packet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index dbf6c0b2e99..45752a8ab6d 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + "%s CAPABILITY has action: %d, code: %u, length %u", + peer->host, action, hdr->code, hdr->length); + ++ if (hdr->length < sizeof(struct capability_mp_data)) { ++ zlog_info( ++ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", ++ peer, sizeof(struct capability_mp_data), ++ hdr->length); ++ return BGP_Stop; ++ } ++ + /* Capability length check. */ + if ((pnt + hdr->length + 3) > end) { + zlog_info("%s Capability length error", peer->host); diff --git a/SOURCES/frr.fc b/SOURCES/frr.fc index acc5508..8cd3b3d 100644 --- a/SOURCES/frr.fc +++ b/SOURCES/frr.fc @@ -1,4 +1,4 @@ -/usr/libexec/frr(/.*)? gen_context(system_u:object_r:frr_exec_t,s0) +/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0) /usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0) diff --git a/SOURCES/frr.if b/SOURCES/frr.if deleted file mode 100644 index d96499d..0000000 --- a/SOURCES/frr.if +++ /dev/null @@ -1,162 +0,0 @@ -## policy for frr - -######################################## -## -## Execute frr_exec_t in the frr domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`frr_domtrans',` - gen_require(` - type frr_t, frr_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, frr_exec_t, frr_t) -') - -###################################### -## -## Execute frr in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`frr_exec',` - gen_require(` - type frr_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, frr_exec_t) -') - -######################################## -## -## Read frr's log files. -## -## -## -## Domain allowed access. -## -## -## -# -interface(`frr_read_log',` - gen_require(` - type frr_log_t; - ') - - read_files_pattern($1, frr_log_t, frr_log_t) - optional_policy(` - logging_search_logs($1) - ') -') - -######################################## -## -## Append to frr log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`frr_append_log',` - gen_require(` - type frr_log_t; - ') - - append_files_pattern($1, frr_log_t, frr_log_t) - optional_policy(` - logging_search_logs($1) - ') -') - -######################################## -## -## Manage frr log files -## -## -## -## Domain allowed access. -## -## -# -interface(`frr_manage_log',` - gen_require(` - type frr_log_t; - ') - - manage_dirs_pattern($1, frr_log_t, frr_log_t) - manage_files_pattern($1, frr_log_t, frr_log_t) - manage_lnk_files_pattern($1, frr_log_t, frr_log_t) - optional_policy(` - logging_search_logs($1) - ') -') - -######################################## -## -## Read frr PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`frr_read_pid_files',` - gen_require(` - type frr_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, frr_var_run_t, frr_var_run_t) -') - -######################################## -## -## All of the rules required to administrate -## an frr environment -## -## -## -## Domain allowed access. -## -## -# -interface(`frr_admin',` - gen_require(` - type frr_t; - type frr_log_t; - type frr_var_run_t; - ') - - allow $1 frr_t:process { signal_perms }; - ps_process_pattern($1, frr_t) - - tunable_policy(`deny_ptrace',`',` - allow $1 frr_t:process ptrace; - ') - - admin_pattern($1, frr_log_t) - - files_search_pids($1) - admin_pattern($1, frr_var_run_t) - optional_policy(` - logging_search_logs($1) - ') - optional_policy(` - systemd_passwd_agent_exec($1) - systemd_read_fifo_file_passwd_run($1) - ') -') diff --git a/SOURCES/frr.te b/SOURCES/frr.te index fadfa8f..e41b75d 100644 --- a/SOURCES/frr.te +++ b/SOURCES/frr.te @@ -31,7 +31,7 @@ files_pid_file(frr_var_run_t) # # frr local policy # -allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid }; +allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin }; allow frr_t self:netlink_route_socket rw_netlink_socket_perms; allow frr_t self:packet_socket create; allow frr_t self:process { setcap setpgid }; @@ -68,7 +68,7 @@ allow frr_t frr_exec_t:dir search_dir_perms; can_exec(frr_t, frr_exec_t) kernel_read_network_state(frr_t) -kernel_read_net_sysctls(frr_t) +kernel_rw_net_sysctls(frr_t) kernel_read_system_state(frr_t) auth_use_nsswitch(frr_t) @@ -79,6 +79,7 @@ corenet_tcp_bind_appswitch_emp_port(frr_t) corenet_udp_bind_bfd_control_port(frr_t) corenet_udp_bind_bfd_echo_port(frr_t) corenet_tcp_bind_bgp_port(frr_t) +corenet_tcp_connect_bgp_port(frr_t) corenet_udp_bind_all_unreserved_ports(frr_t); corenet_tcp_bind_generic_port(frr_t) corenet_tcp_bind_firepower_port(frr_t) @@ -92,6 +93,7 @@ corenet_tcp_bind_zebra_port(frr_t) domain_use_interactive_fds(frr_t) fs_read_nsfs_files(frr_t) +fs_search_cgroup_dirs(frr_t) sysnet_exec_ifconfig(frr_t) @@ -118,4 +120,5 @@ optional_policy(` optional_policy(` userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr") + userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr") ') diff --git a/SPECS/frr.spec b/SPECS/frr.spec index f2f0adf..647ee27 100644 --- a/SPECS/frr.spec +++ b/SPECS/frr.spec @@ -7,7 +7,7 @@ Name: frr Version: 7.5.1 -Release: 3%{?checkout}%{?dist} +Release: 7%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -34,7 +34,7 @@ Requires: iproute Requires: initscripts %if 0%{?with_selinux} -Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) %endif Provides: routingdaemon = %{version}-%{release} @@ -51,6 +51,8 @@ Patch0008: 0008-designated-router.patch Patch0009: 0009-routemap.patch Patch0010: 0010-moving-executables.patch Patch0011: 0011-reload-bfd-profile.patch +Patch0012: 0012-graceful-restart.patch +Patch0013: 0013-CVE-2022-37032.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -215,8 +217,10 @@ fi %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %selinux_relabel_post -s %{selinuxtype} #/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade -%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null -%{_sbindir}/restorecon -R /var/run/frr &> /dev/null +if [ $1 == 2 ]; then + %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null + %{_sbindir}/restorecon -R /var/run/frr &> /dev/null +fi %postun selinux if [ $1 -eq 0 ]; then @@ -269,6 +273,18 @@ make check PYTHON=%{__python3} %endif %changelog +* Wed Nov 30 2022 Michal Ruprich - 7.5.1-7 +- Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service + +* Tue Nov 29 2022 Michal Ruprich - 7.5.1-6 +- Resolves: #1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context + +* Mon Nov 14 2022 Michal Ruprich - 7.5.1-5 +- Resolves: #2127140 - Frr is unable to push routes to the system routing table + +* Mon Nov 14 2022 Michal Ruprich - 7.5.1-4 +- Resolves: #1948422 - BGP incorrectly withdraws routes on graceful restart capable routers + * Thu Aug 25 2022 Michal Ruprich - 7.5.1-3 - Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile