diff --git a/SOURCES/0013-CVE-2022-37032.patch b/SOURCES/0013-CVE-2022-37032.patch new file mode 100644 index 0000000..4899c72 --- /dev/null +++ b/SOURCES/0013-CVE-2022-37032.patch @@ -0,0 +1,32 @@ +From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001 +From: Donald Sharp +Date: Thu, 21 Jul 2022 08:11:58 -0400 +Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is + expected + +Ensure that if the capability length specified is enough data. + +Signed-off-by: Donald Sharp +--- + bgpd/bgp_packet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index dbf6c0b2e99..45752a8ab6d 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, + "%s CAPABILITY has action: %d, code: %u, length %u", + peer->host, action, hdr->code, hdr->length); + ++ if (hdr->length < sizeof(struct capability_mp_data)) { ++ zlog_info( ++ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d", ++ peer, sizeof(struct capability_mp_data), ++ hdr->length); ++ return BGP_Stop; ++ } ++ + /* Capability length check. */ + if ((pnt + hdr->length + 3) > end) { + zlog_info("%s Capability length error", peer->host); diff --git a/SOURCES/frr.fc b/SOURCES/frr.fc index acc5508..8cd3b3d 100644 --- a/SOURCES/frr.fc +++ b/SOURCES/frr.fc @@ -1,4 +1,4 @@ -/usr/libexec/frr(/.*)? gen_context(system_u:object_r:frr_exec_t,s0) +/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0) /usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0) diff --git a/SOURCES/frr.te b/SOURCES/frr.te index 1dac7e4..e41b75d 100644 --- a/SOURCES/frr.te +++ b/SOURCES/frr.te @@ -93,6 +93,7 @@ corenet_tcp_bind_zebra_port(frr_t) domain_use_interactive_fds(frr_t) fs_read_nsfs_files(frr_t) +fs_search_cgroup_dirs(frr_t) sysnet_exec_ifconfig(frr_t) @@ -119,4 +120,5 @@ optional_policy(` optional_policy(` userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr") + userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr") ') diff --git a/SPECS/frr.spec b/SPECS/frr.spec index 6d9231e..647ee27 100644 --- a/SPECS/frr.spec +++ b/SPECS/frr.spec @@ -7,7 +7,7 @@ Name: frr Version: 7.5.1 -Release: 5%{?checkout}%{?dist} +Release: 7%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -52,6 +52,7 @@ Patch0009: 0009-routemap.patch Patch0010: 0010-moving-executables.patch Patch0011: 0011-reload-bfd-profile.patch Patch0012: 0012-graceful-restart.patch +Patch0013: 0013-CVE-2022-37032.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -216,8 +217,10 @@ fi %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 %selinux_relabel_post -s %{selinuxtype} #/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade -%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null -%{_sbindir}/restorecon -R /var/run/frr &> /dev/null +if [ $1 == 2 ]; then + %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null + %{_sbindir}/restorecon -R /var/run/frr &> /dev/null +fi %postun selinux if [ $1 -eq 0 ]; then @@ -270,6 +273,12 @@ make check PYTHON=%{__python3} %endif %changelog +* Wed Nov 30 2022 Michal Ruprich - 7.5.1-7 +- Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service + +* Tue Nov 29 2022 Michal Ruprich - 7.5.1-6 +- Resolves: #1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context + * Mon Nov 14 2022 Michal Ruprich - 7.5.1-5 - Resolves: #2127140 - Frr is unable to push routes to the system routing table