diff --git a/SOURCES/1007-dhcp-nettools-handle-io-failure-rh1843357.patch b/SOURCES/1007-dhcp-nettools-handle-io-failure-rh1843357.patch
new file mode 100644
index 0000000..4ffec8b
--- /dev/null
+++ b/SOURCES/1007-dhcp-nettools-handle-io-failure-rh1843357.patch
@@ -0,0 +1,137 @@
+From ec23a125054566b67b6db3a27c6d2127355b1470 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani
+Date: Wed, 29 Apr 2020 18:18:28 +0200
+Subject: [PATCH 1/1] n-dhcp4: don't fail dispatch in case of receive errors
+
+Currently any error encountered in n_dhcp4_c_connection_dispatch_io()
+causes a dispatch failure and interrupts the library state
+machine. The recvmsg() on the socket can fail for different reasons;
+one of these is for example that the UDP request previously sent got a
+ICMP port-unreachable response. This can be reproduced in the
+following way:
+
+ ip netns add ns1
+ ip link add veth0 type veth peer name veth1
+ ip link set veth1 netns ns1
+ ip link set veth0 up
+
+ cat > dhcpd.conf < fail
+
+The client should consider such errors non fatal and keep running.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1829178
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/486
+(cherry picked from commit c5d1d4c498c50dfc7d2d18b213a117dd1199f1de)
+(cherry picked from commit bee01292f886dcff7114dc421983f1d50f1939b0)
+(cherry picked from commit f2fdb6710f92d8621667e84485b82a9b712228c7)
+---
+ shared/n-dhcp4/src/n-dhcp4-c-connection.c | 29 ++++++++++++++++-------
+ shared/n-dhcp4/src/n-dhcp4-c-probe.c | 1 +
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/shared/n-dhcp4/src/n-dhcp4-c-connection.c b/shared/n-dhcp4/src/n-dhcp4-c-connection.c
+index a5c8ea66fe9d..30514e286d32 100644
+--- a/shared/n-dhcp4/src/n-dhcp4-c-connection.c
++++ b/shared/n-dhcp4/src/n-dhcp4-c-connection.c
+@@ -1136,6 +1136,13 @@ int n_dhcp4_c_connection_dispatch_timer(NDhcp4CConnection *connection,
+ return 0;
+ }
+
++/*
+ * Returns:
+ * 0 on success
+ * N_DHCP4_E_MALFORMED if a malformed packet was received
+ * N_DHCP4_E_UNEXPECTED if the packet received contains unexpected data
+ * N_DHCP4_E_AGAIN if there was another error (non fatal for the client)
+ */
+ int n_dhcp4_c_connection_dispatch_io(NDhcp4CConnection *connection,
+ NDhcp4Incoming **messagep) {
+ _c_cleanup_(n_dhcp4_incoming_freep) NDhcp4Incoming *message = NULL;
+@@ -1150,10 +1157,11 @@ int n_dhcp4_c_connection_dispatch_io(NDhcp4CConnection *connection,
+ connection->scratch_buffer,
+ sizeof(connection->scratch_buffer),
+ &message);
+- if (r)
++ if (!r)
++ break;
++ else if (r == N_DHCP4_E_MALFORMED)
+ return r;
+-
+- break;
++ return N_DHCP4_E_AGAIN;
+ case N_DHCP4_C_CONNECTION_STATE_DRAINING:
+ r = n_dhcp4_c_socket_packet_recv(connection->fd_packet,
+ connection->scratch_buffer,
+@@ -1161,8 +1169,10 @@ int n_dhcp4_c_connection_dispatch_io(NDhcp4CConnection *connection,
+ &message);
+ if (!r)
+ break;
+- else if (r != N_DHCP4_E_AGAIN)
++ else if (r == N_DHCP4_E_MALFORMED)
+ return r;
++ else if (r != N_DHCP4_E_AGAIN)
++ return N_DHCP4_E_AGAIN;
+
+ /*
+ * The UDP socket is open and the packet socket has been shut down
+@@ -1180,18 +1190,21 @@ int n_dhcp4_c_connection_dispatch_io(NDhcp4CConnection *connection,
+ connection->scratch_buffer,
+ sizeof(connection->scratch_buffer),
+ &message);
+- if (r)
++ if (!r)
++ break;
++ else if (r == N_DHCP4_E_MALFORMED)
+ return r;
+-
+- break;
++ return N_DHCP4_E_AGAIN;
+ default:
+ abort();
+ return -ENOTRECOVERABLE;
+ }
+
+ r = n_dhcp4_c_connection_verify_incoming(connection, message, &type);
+- if (r)
++ if (r == N_DHCP4_E_MALFORMED || r == N_DHCP4_E_UNEXPECTED)
+ return r;
++ else if (r != 0)
++ return N_DHCP4_E_AGAIN;
+
+ if (type == N_DHCP4_MESSAGE_OFFER || type == N_DHCP4_MESSAGE_ACK) {
+ n_dhcp4_c_log(connection->client_config, LOG_INFO,
+diff --git a/shared/n-dhcp4/src/n-dhcp4-c-probe.c b/shared/n-dhcp4/src/n-dhcp4-c-probe.c
+index e4477a7c7472..5e97129834d1 100644
+--- a/shared/n-dhcp4/src/n-dhcp4-c-probe.c
++++ b/shared/n-dhcp4/src/n-dhcp4-c-probe.c
+@@ -1242,6 +1242,7 @@ int n_dhcp4_client_probe_dispatch_io(NDhcp4ClientProbe *probe, uint32_t events)
+ return 0;
+ }
+
++ abort();
+ return r;
+ }
+
+--
+2.26.2
+
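Review bot: The `abort();` added before `return r;` in n_dhcp4_client_probe_dispatch_io() (n-dhcp4-c-probe.c hunk) makes every return code from n_dhcp4_c_connection_dispatch_io() that the branches above it do not handle a process abort, and the only statement of which codes exist is the new block comment in n-dhcp4-c-connection.c; nothing at the abort site records that dependency, and the branches it relies on are outside the hunk. Because this is the receive path for replies coming off the socket, a code missed there costs the whole daemon rather than one packet, so I would either keep the plain `return r;` or document the invariant with `/* n_dhcp4_c_connection_dispatch_io() returns only 0, E_MALFORMED, E_UNEXPECTED or E_AGAIN; all handled above */` so the two files stay in sync. Separately, in the three receive branches and after n_dhcp4_c_connection_verify_incoming() the original error value is dropped when it is mapped to N_DHCP4_E_AGAIN, so a persistent receive failure such as the ICMP port-unreachable case described in the commit message leaves no trace in the log. A debug-level n_dhcp4_c_log() call with the original r before each `return N_DHCP4_E_AGAIN;` would keep that diagnosable. Both enclosing functions start and end outside the hunks shown.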
diff --git a/SOURCES/1008-ifcfg-rh-handle-802-1x-ca-path-cve-2020-10754.patch b/SOURCES/1008-ifcfg-rh-handle-802-1x-ca-path-cve-2020-10754.patch
new file mode 100644
index 0000000..22f4f1d
--- /dev/null
+++ b/SOURCES/1008-ifcfg-rh-handle-802-1x-ca-path-cve-2020-10754.patch
@@ -0,0 +1,54 @@
+From 0da5e2e48c617f13e4583d72c2c5a72e4b6e299c Mon Sep 17 00:00:00 2001
+From: Thomas Haller
+Date: Tue, 26 May 2020 15:26:04 +0200
+Subject: [PATCH 1/1] ifcfg-rh: fix handling "802-1x.{phase2-,}ca-path" in
+ ifcfg-rh settings plugin
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1840210
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448
+(cherry picked from commit b6b6639c7c8fa667b8fcbc310b65d88124fdc260)
+(cherry picked from commit 67f1da27fe95fbe09999a953558a0b3e4dcfdd69)
+(cherry picked from commit 7a20dd4dbbd51081b598f4d42254190a03271471)
+---
+ src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 8 ++++++++
+ src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 5 +++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+index e01f7344cdfe..9cb21f92ac5b 100644
+--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
++++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+@@ -3626,6 +3626,14 @@ next:
+ timeout = svGetValueInt64 (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", 10, 0, G_MAXINT32, 0);
+ g_object_set (s_8021x, NM_SETTING_802_1X_AUTH_TIMEOUT, (int) timeout, NULL);
+
++ nm_clear_g_free (&value);
++ v = svGetValueStr (ifcfg, "IEEE_8021X_CA_PATH", &value);
++ g_object_set (s_8021x, NM_SETTING_802_1X_CA_PATH, v, NULL);
++
++ nm_clear_g_free (&value);
++ v = svGetValueStr (ifcfg, "IEEE_8021X_PHASE2_CA_PATH", &value);
++ g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_CA_PATH, v, NULL);
++
+ g_object_set (s_8021x,
+ NM_SETTING_802_1X_OPTIONAL,
+ svGetValueBoolean (ifcfg, "IEEE_8021X_OPTIONAL", FALSE),
+diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+index 90a1a2b8f6f9..3afdb2acd14d 100644
+--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
++++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+@@ -530,6 +530,11 @@ write_8021x_setting (NMConnection *connection,
+ "IEEE_8021X_OPTIONAL",
+ nm_setting_802_1x_get_optional (s_8021x));
+
++ svSetValue (ifcfg, "IEEE_8021X_CA_PATH",
++ nm_setting_802_1x_get_ca_path (s_8021x));
++ svSetValue (ifcfg, "IEEE_8021X_PHASE2_CA_PATH",
++ nm_setting_802_1x_get_phase2_ca_path (s_8021x));
++
+ if (!write_8021x_certs (s_8021x, secrets, blobs, FALSE, ifcfg, error))
+ return FALSE;
+
+--
+2.26.2
+
diff --git a/SPECS/NetworkManager.spec b/SPECS/NetworkManager.spec
index 292ace9..2de4ffb 100644
--- a/SPECS/NetworkManager.spec
+++ b/SPECS/NetworkManager.spec
@@ -7,7 +7,7 @@
 %global epoch_version 1
 %global rpm_version 1.22.8
 %global real_version 1.22.8
-%global release_version 4
+%global release_version 5
 %global snapshot %{nil}
 %global git_sha %{nil}
@@ -152,6 +152,8 @@ Patch1003: 1003-dhcp-keep-trying-after-send-failure-rh1806516.patch
 Patch1004: 1004-ovs-fail-enslavement-if-no-bridge-rh1797696.patch
 Patch1005: 1005-fix-leak-device-state-files-rh1810153.patch
 Patch1006: 1006-dhcp-nettools-clear-source-rh1810188.patch
+Patch1007: 1007-dhcp-nettools-handle-io-failure-rh1843357.patch
+Patch1008: 1008-ifcfg-rh-handle-802-1x-ca-path-cve-2020-10754.patch
 # The pregenerated docs contain default values and paths that depend
 # on the configure options when creating the source tarball.
@@ -1075,6 +1077,10 @@ fi
 %changelog
+* Wed Jun 3 2020 Thomas Haller - 1:1.22.8-5
+- dhcp: fix handling IO error in nettools DHCPv4 client (rh #1843357)
+- ifcfg-rh: handle "802-1x.{,phase2-}ca-path" (rh #1843360, CVE-2020-10754)
+
 * Fri Mar 6 2020 Thomas Haller - 1:1.22.8-4
 - core: fix leaking device state files in /run (rh #1810153)
 - dhcp: fix crash in nettools client when leaking GSource (rh #1810188)