Message ID | 20240815173155.19658-1-peter.marko@siemens.com |
---|---|
State | New |
Headers | show |
Series | [meta-oe,kirkstone,scarthgap] libndp: Patch CVE-2024-5564 | expand |
Gentle ping for kirkstone branch which took new updates today after a month and this was missed -----Original Message----- From: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com> Sent: Thursday, August 15, 2024 19:32 To: openembedded-devel@lists.openembedded.org Cc: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com> Subject: [meta-oe][kirkstone][scarthgap][PATCH] libndp: Patch CVE-2024-5564 From: Peter Marko <peter.marko@siemens.com> Pick https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af.patch Signed-off-by: Peter Marko <peter.marko@siemens.com> --- .../libndp/libndp/CVE-2024-5564.patch | 48 +++++++++++++++++++ .../recipes-connectivity/libndp/libndp_1.8.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch diff --git a/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch new file mode 100644 index 0000000000..fe7ce41b87 --- /dev/null +++ b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch @@ -0,0 +1,48 @@ +From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001 +From: Hangbin Liu <liuhangbin@gmail.com> +Date: Wed, 5 Jun 2024 11:57:43 +0800 +Subject: [PATCH] libndp: valid route information option length + +RFC 4191 specifies that the Route Information Option Length should be 1, 2, +or 3, depending on the Prefix Length. A malicious node could potentially +trigger a buffer overflow and crash the tool by sending an IPv6 router +advertisement message containing the "Route Information" option with a +"Length" field larger than 3. + +To address this, add a check on the length field. + +Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)") +Reported-by: Evgeny Vereshchagin <evverx@gmail.com> +Suggested-by: Felix Maurer <fmaurer@redhat.com> +Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> +Signed-off-by: Jiri Pirko <jiri@nvidia.com> + +CVE: CVE-2024-5564 +Upstream-Status: Backport [https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + libndp/libndp.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/libndp/libndp.c b/libndp/libndp.c +index 6314717..72ec92e 100644 +--- a/libndp/libndp.c ++++ b/libndp/libndp.c +@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data) + */ + if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2) + return false; ++ ++ /* The Length field is 1, 2, or 3 depending on the Prefix Length. ++ * If Prefix Length is greater than 64, then Length must be 3. ++ * If Prefix Length is greater than 0, then Length must be 2 or 3. ++ * If Prefix Length is zero, then Length must be 1, 2, or 3. ++ */ ++ if (ri->nd_opt_ri_len > 3 || ++ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) || ++ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1)) ++ return false; ++ + return true; + } + diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb index 4d4d3e51cd..70d6abec1b 100644 --- a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb +++ b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb @@ -4,6 +4,7 @@ LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \ + file://CVE-2024-5564.patch \ " # tag for v1.8 SRCREV = "009ce9cd9b950ffa1f4f94c9436027b936850d0c"
Hello, is there any problem with this patch in kirkstone branch? Peter -----Original Message----- From: Marko, Peter (ADV D EU SK BFS1) Sent: Monday, August 26, 2024 11:25 To: openembedded-devel@lists.openembedded.org; Armin Kuster <akuster808@gmail.com> Subject: RE: [meta-oe][kirkstone][scarthgap][PATCH] libndp: Patch CVE-2024-5564 Gentle ping for kirkstone branch which took new updates today after a month and this was missed -----Original Message----- From: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com> Sent: Thursday, August 15, 2024 19:32 To: openembedded-devel@lists.openembedded.org Cc: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com> Subject: [meta-oe][kirkstone][scarthgap][PATCH] libndp: Patch CVE-2024-5564 From: Peter Marko <peter.marko@siemens.com> Pick https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af.patch Signed-off-by: Peter Marko <peter.marko@siemens.com> --- .../libndp/libndp/CVE-2024-5564.patch | 48 +++++++++++++++++++ .../recipes-connectivity/libndp/libndp_1.8.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch diff --git a/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch new file mode 100644 index 0000000000..fe7ce41b87 --- /dev/null +++ b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch @@ -0,0 +1,48 @@ +From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001 +From: Hangbin Liu <liuhangbin@gmail.com> +Date: Wed, 5 Jun 2024 11:57:43 +0800 +Subject: [PATCH] libndp: valid route information option length + +RFC 4191 specifies that the Route Information Option Length should be 1, 2, +or 3, depending on the Prefix Length. A malicious node could potentially +trigger a buffer overflow and crash the tool by sending an IPv6 router +advertisement message containing the "Route Information" option with a +"Length" field larger than 3. + +To address this, add a check on the length field. + +Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)") +Reported-by: Evgeny Vereshchagin <evverx@gmail.com> +Suggested-by: Felix Maurer <fmaurer@redhat.com> +Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> +Signed-off-by: Jiri Pirko <jiri@nvidia.com> + +CVE: CVE-2024-5564 +Upstream-Status: Backport [https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + libndp/libndp.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/libndp/libndp.c b/libndp/libndp.c +index 6314717..72ec92e 100644 +--- a/libndp/libndp.c ++++ b/libndp/libndp.c +@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data) + */ + if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2) + return false; ++ ++ /* The Length field is 1, 2, or 3 depending on the Prefix Length. ++ * If Prefix Length is greater than 64, then Length must be 3. ++ * If Prefix Length is greater than 0, then Length must be 2 or 3. ++ * If Prefix Length is zero, then Length must be 1, 2, or 3. ++ */ ++ if (ri->nd_opt_ri_len > 3 || ++ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) || ++ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1)) ++ return false; ++ + return true; + } + diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb index 4d4d3e51cd..70d6abec1b 100644 --- a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb +++ b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb @@ -4,6 +4,7 @@ LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \ + file://CVE-2024-5564.patch \ " # tag for v1.8 SRCREV = "009ce9cd9b950ffa1f4f94c9436027b936850d0c"
diff --git a/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch new file mode 100644 index 0000000000..fe7ce41b87 --- /dev/null +++ b/meta-oe/recipes-connectivity/libndp/libndp/CVE-2024-5564.patch @@ -0,0 +1,48 @@ +From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001 +From: Hangbin Liu <liuhangbin@gmail.com> +Date: Wed, 5 Jun 2024 11:57:43 +0800 +Subject: [PATCH] libndp: valid route information option length + +RFC 4191 specifies that the Route Information Option Length should be 1, 2, +or 3, depending on the Prefix Length. A malicious node could potentially +trigger a buffer overflow and crash the tool by sending an IPv6 router +advertisement message containing the "Route Information" option with a +"Length" field larger than 3. + +To address this, add a check on the length field. + +Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)") +Reported-by: Evgeny Vereshchagin <evverx@gmail.com> +Suggested-by: Felix Maurer <fmaurer@redhat.com> +Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> +Signed-off-by: Jiri Pirko <jiri@nvidia.com> + +CVE: CVE-2024-5564 +Upstream-Status: Backport [https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + libndp/libndp.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/libndp/libndp.c b/libndp/libndp.c +index 6314717..72ec92e 100644 +--- a/libndp/libndp.c ++++ b/libndp/libndp.c +@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data) + */ + if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2) + return false; ++ ++ /* The Length field is 1, 2, or 3 depending on the Prefix Length. ++ * If Prefix Length is greater than 64, then Length must be 3. ++ * If Prefix Length is greater than 0, then Length must be 2 or 3. ++ * If Prefix Length is zero, then Length must be 1, 2, or 3. ++ */ ++ if (ri->nd_opt_ri_len > 3 || ++ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) || ++ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1)) ++ return false; ++ + return true; + } + diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb index 4d4d3e51cd..70d6abec1b 100644 --- a/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb +++ b/meta-oe/recipes-connectivity/libndp/libndp_1.8.bb @@ -4,6 +4,7 @@ LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \ + file://CVE-2024-5564.patch \ " # tag for v1.8 SRCREV = "009ce9cd9b950ffa1f4f94c9436027b936850d0c"