diff options
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | 0000-remove-babeld-and-ldpd.patch | 55 | ||||
| -rw-r--r-- | 0002-enable-openssl.patch | 78 | ||||
| -rw-r--r-- | 0003-disable-eigrp-crypto.patch | 252 | ||||
| -rw-r--r-- | 0004-fips-mode.patch | 115 | ||||
| -rw-r--r-- | 0005-CVE-2023-47235.patch | 110 | ||||
| -rw-r--r-- | 0006-CVE-2023-47234.patch | 95 | ||||
| -rw-r--r-- | 0007-CVE-2023-46752.patch | 76 | ||||
| -rw-r--r-- | 0008-CVE-2023-46753.patch | 60 | ||||
| -rw-r--r-- | frr-sysusers.conf | 4 | ||||
| -rw-r--r-- | frr-tmpfiles.conf | 1 | ||||
| -rw-r--r-- | frr.fc | 29 | ||||
| -rw-r--r-- | frr.if | 214 | ||||
| -rw-r--r-- | frr.spec | 452 | ||||
| -rw-r--r-- | frr.te | 127 | ||||
| -rw-r--r-- | remove-babeld-ldpd.sh | 16 | ||||
| -rw-r--r-- | sources | 1 |
17 files changed, 1686 insertions, 0 deletions
@@ -0,0 +1 @@ +/frr-8.5.3.tar.gz diff --git a/0000-remove-babeld-and-ldpd.patch b/0000-remove-babeld-and-ldpd.patch new file mode 100644 index 0000000..4fac02b --- /dev/null +++ b/0000-remove-babeld-and-ldpd.patch @@ -0,0 +1,55 @@ +diff --git a/Makefile.am b/Makefile.am +index 5be3264..33abc1d 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -130,8 +130,6 @@ include ospf6d/subdir.am + include ospfclient/subdir.am + include isisd/subdir.am + include nhrpd/subdir.am +-include ldpd/subdir.am +-include babeld/subdir.am + include eigrpd/subdir.am + include sharpd/subdir.am + include pimd/subdir.am +@@ -182,7 +180,6 @@ EXTRA_DIST += \ + snapcraft/defaults \ + snapcraft/helpers \ + snapcraft/snap \ +- babeld/Makefile \ + bgpd/Makefile \ + bgpd/rfp-example/librfp/Makefile \ + bgpd/rfp-example/rfptest/Makefile \ +@@ -193,7 +190,6 @@ EXTRA_DIST += \ + fpm/Makefile \ + grpc/Makefile \ + isisd/Makefile \ +- ldpd/Makefile \ + lib/Makefile \ + nhrpd/Makefile \ + ospf6d/Makefile \ +diff --git a/tools/etc/frr/daemons b/tools/etc/frr/daemons +index 8aa0887..c92dcca 100644 +--- a/tools/etc/frr/daemons ++++ b/tools/etc/frr/daemons +@@ -22,10 +22,8 @@ ripngd=no + isisd=no + pimd=no + pim6d=no +-ldpd=no + nhrpd=no + eigrpd=no +-babeld=no + sharpd=no + pbrd=no + bfdd=no +@@ -48,10 +46,8 @@ ripngd_options=" -A ::1" + isisd_options=" -A 127.0.0.1" + pimd_options=" -A 127.0.0.1" + pim6d_options=" -A ::1" +-ldpd_options=" -A 127.0.0.1" + nhrpd_options=" -A 127.0.0.1" + eigrpd_options=" -A 127.0.0.1" +-babeld_options=" -A 127.0.0.1" + sharpd_options=" -A 127.0.0.1" + pbrd_options=" -A 127.0.0.1" + staticd_options="-A 127.0.0.1" diff --git a/0002-enable-openssl.patch b/0002-enable-openssl.patch new file mode 100644 index 0000000..fa30a88 --- /dev/null +++ b/0002-enable-openssl.patch @@ -0,0 +1,78 @@ +diff --git a/lib/subdir.am b/lib/subdir.am +index 0b7af18..0533e24 100644 +--- a/lib/subdir.am ++++ b/lib/subdir.am +@@ -41,7 +41,6 @@ lib_libfrr_la_SOURCES = \ + lib/log.c \ + lib/log_filter.c \ + lib/log_vty.c \ +- lib/md5.c \ + lib/memory.c \ + lib/mlag.c \ + lib/module.c \ +@@ -64,7 +64,6 @@ lib_libfrr_la_SOURCES = \ + lib/routemap_northbound.c \ + lib/sbuf.c \ + lib/seqlock.c \ +- lib/sha256.c \ + lib/sigevent.c \ + lib/skiplist.c \ + lib/sockopt.c \ +@@ -170,7 +170,6 @@ pkginclude_HEADERS += \ + lib/link_state.h \ + lib/log.h \ + lib/log_vty.h \ +- lib/md5.h \ + lib/memory.h \ + lib/module.h \ + lib/monotime.h \ +@@ -191,7 +190,6 @@ pkginclude_HEADERS += \ + lib/route_opaque.h \ + lib/sbuf.h \ + lib/seqlock.h \ +- lib/sha256.h \ + lib/sigevent.h \ + lib/skiplist.h \ + lib/smux.h \ +diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c +index 1991666..2e4fe55 100644 +--- a/isisd/isis_lsp.c ++++ b/isisd/isis_lsp.c +@@ -35,7 +35,9 @@ + #include "hash.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "table.h" + #include "srcdest_table.h" + #include "lib_errors.h" +diff --git a/isisd/isis_pdu.c b/isisd/isis_pdu.c +index 9c63311..7cf594c 100644 +--- a/isisd/isis_pdu.c ++++ b/isisd/isis_pdu.c +@@ -33,7 +33,9 @@ + #include "prefix.h" + #include "if.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "lib_errors.h" + + #include "isisd/isis_constants.h" +diff --git a/isisd/isis_te.c b/isisd/isis_te.c +index 4ea6c2c..72ff0d2 100644 +--- a/isisd/isis_te.c ++++ b/isisd/isis_te.c +@@ -38,7 +38,9 @@ + #include "if.h" + #include "vrf.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "sockunion.h" + #include "network.h" + #include "sbuf.h" diff --git a/0003-disable-eigrp-crypto.patch b/0003-disable-eigrp-crypto.patch new file mode 100644 index 0000000..cd43569 --- /dev/null +++ b/0003-disable-eigrp-crypto.patch @@ -0,0 +1,252 @@ +diff --git a/eigrpd/eigrp_packet.c b/eigrpd/eigrp_packet.c +index bedaf15..8dc09bf 100644 +--- a/eigrpd/eigrp_packet.c ++++ b/eigrpd/eigrp_packet.c +@@ -40,8 +40,10 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" + #include "sha256.h" ++#endif + #include "lib_errors.h" + + #include "eigrpd/eigrp_structs.h" +@@ -95,8 +97,12 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + struct key *key = NULL; + struct keychain *keychain; + ++ + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + uint8_t *ibuf; + size_t backup_get, backup_end; + struct TLV_MD5_Authentication_Type *auth_TLV; +@@ -119,6 +125,9 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + return EIGRP_AUTH_TYPE_NONE; + } + ++#ifdef CRYPTO_OPENSSL ++//TBD when this is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -146,7 +155,7 @@ int eigrp_make_md5_digest(struct eigrp_interface *ei, struct stream *s, + } + + MD5Final(digest, &ctx); +- ++#endif + /* Append md5 digest to the end of the stream. */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_MD5_LEN); + +@@ -162,7 +171,10 @@ int eigrp_check_md5_digest(struct stream *s, + struct TLV_MD5_Authentication_Type *authTLV, + struct eigrp_neighbor *nbr, uint8_t flags) + { ++#ifdef CRYPTO_OPENSSL ++#elif CRYPTO_INTERNAL + MD5_CTX ctx; ++#endif + unsigned char digest[EIGRP_AUTH_TYPE_MD5_LEN]; + unsigned char orig[EIGRP_AUTH_TYPE_MD5_LEN]; + struct key *key = NULL; +@@ -203,6 +215,9 @@ int eigrp_check_md5_digest(struct stream *s, + return 0; + } + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + MD5Init(&ctx); + +@@ -230,6 +245,7 @@ int eigrp_check_md5_digest(struct stream *s, + } + + MD5Final(digest, &ctx); ++#endif + + /* compare the two */ + if (memcmp(orig, digest, EIGRP_AUTH_TYPE_MD5_LEN) != 0) { +@@ -254,7 +270,11 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + unsigned char digest[EIGRP_AUTH_TYPE_SHA256_LEN]; + unsigned char buffer[1 + PLAINTEXT_LENGTH + 45 + 1] = {0}; + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + HMAC_SHA256_CTX ctx; ++#endif + void *ibuf; + size_t backup_get, backup_end; + struct TLV_SHA256_Authentication_Type *auth_TLV; +@@ -283,6 +303,9 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + + inet_ntop(AF_INET, &ei->address.u.prefix4, source_ip, PREFIX_STRLEN); + ++#ifdef CRYPTO_OPENSSL ++ //TBD when eigrpd crypto is fixed in upstream ++#elif CRYPTO_INTERNAL + memset(&ctx, 0, sizeof(ctx)); + buffer[0] = '\n'; + memcpy(buffer + 1, key, strlen(key->string)); +@@ -291,7 +314,7 @@ int eigrp_make_sha256_digest(struct eigrp_interface *ei, struct stream *s, + 1 + strlen(key->string) + strlen(source_ip)); + HMAC__SHA256_Update(&ctx, ibuf, strlen(ibuf)); + HMAC__SHA256_Final(digest, &ctx); +- ++#endif + + /* Put hmac-sha256 digest to it's place */ + memcpy(auth_TLV->digest, digest, EIGRP_AUTH_TYPE_SHA256_LEN); +diff --git a/eigrpd/eigrp_filter.c b/eigrpd/eigrp_filter.c +index 93eed94..f1c7347 100644 +--- a/eigrpd/eigrp_filter.c ++++ b/eigrpd/eigrp_filter.c +@@ -47,7 +47,9 @@ + #include "if_rmap.h" + #include "plist.h" + #include "distribute.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "privs.h" + #include "vrf.h" +diff --git a/eigrpd/eigrp_hello.c b/eigrpd/eigrp_hello.c +index dacd5ca..b232cc5 100644 +--- a/eigrpd/eigrp_hello.c ++++ b/eigrpd/eigrp_hello.c +@@ -43,7 +43,9 @@ + #include "sockopt.h" + #include "checksum.h" + #include "vty.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + + #include "eigrpd/eigrp_structs.h" + #include "eigrpd/eigrpd.h" +diff --git a/eigrpd/eigrp_query.c b/eigrpd/eigrp_query.c +index 84dcf5e..a2575e3 100644 +--- a/eigrpd/eigrp_query.c ++++ b/eigrpd/eigrp_query.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_reply.c b/eigrpd/eigrp_reply.c +index ccf0496..2902365 100644 +--- a/eigrpd/eigrp_reply.c ++++ b/eigrpd/eigrp_reply.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "keychain.h" + #include "plist.h" +diff --git a/eigrpd/eigrp_siaquery.c b/eigrpd/eigrp_siaquery.c +index ff38325..09b9369 100644 +--- a/eigrpd/eigrp_siaquery.c ++++ b/eigrpd/eigrp_siaquery.c +@@ -38,7 +38,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_siareply.c b/eigrpd/eigrp_siareply.c +index d3dd123..f6a2bd6 100644 +--- a/eigrpd/eigrp_siareply.c ++++ b/eigrpd/eigrp_siareply.c +@@ -37,7 +37,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + + #include "eigrpd/eigrp_structs.h" +diff --git a/eigrpd/eigrp_snmp.c b/eigrpd/eigrp_snmp.c +index 21c9238..cfb8890 100644 +--- a/eigrpd/eigrp_snmp.c ++++ b/eigrpd/eigrp_snmp.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "keychain.h" + #include "smux.h" + +diff --git a/eigrpd/eigrp_update.c b/eigrpd/eigrp_update.c +index 8db4903..2a4f0bb 100644 +--- a/eigrpd/eigrp_update.c ++++ b/eigrpd/eigrp_update.c +@@ -42,7 +42,9 @@ + #include "log.h" + #include "sockopt.h" + #include "checksum.h" ++#ifdef CRYPTO_INTERNAL + #include "md5.h" ++#endif + #include "vty.h" + #include "plist.h" + #include "plist_int.h" +diff --git a/eigrpd/eigrp_cli.c b/eigrpd/eigrp_cli.c +index a93d4c8..b01e121 100644 +--- a/eigrpd/eigrp_cli.c ++++ b/eigrpd/eigrp_cli.c +@@ -25,6 +25,7 @@ + #include "lib/command.h" + #include "lib/log.h" + #include "lib/northbound_cli.h" ++#include "lib/libfrr.h" + + #include "eigrp_structs.h" + #include "eigrpd.h" +@@ -726,6 +726,20 @@ DEFPY( + "Keyed message digest\n" + "HMAC SHA256 algorithm \n") + { ++ //EIGRP authentication is currently broken in FRR ++ switch (frr_get_cli_mode()) { ++ case FRR_CLI_CLASSIC: ++ vty_out(vty, "%% Eigrp Authentication is disabled\n\n"); ++ break; ++ case FRR_CLI_TRANSACTIONAL: ++ vty_out(vty, ++ "%% Failed to edit candidate configuration - " ++ "Eigrp Authentication is disabled.\n\n"); ++ break; ++ } ++ ++ return CMD_WARNING_CONFIG_FAILED; ++ + char xpath[XPATH_MAXLEN], xpath_auth[XPATH_MAXLEN + 64]; + + snprintf(xpath, sizeof(xpath), "./frr-eigrpd:eigrp/instance[asn='%s']", diff --git a/0004-fips-mode.patch b/0004-fips-mode.patch new file mode 100644 index 0000000..deedf14 --- /dev/null +++ b/0004-fips-mode.patch @@ -0,0 +1,115 @@ +diff --git a/ospfd/ospf_vty.c b/ospfd/ospf_vty.c +index 631465f..e084ff3 100644 +--- a/ospfd/ospf_vty.c ++++ b/ospfd/ospf_vty.c +@@ -1136,6 +1136,11 @@ DEFUN (ospf_area_vlink, + + if (argv_find(argv, argc, "message-digest", &idx)) { + /* authentication message-digest */ ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + vl_config.auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + } else if (argv_find(argv, argc, "null", &idx)) { + /* "authentication null" */ +@@ -1993,6 +1998,15 @@ DEFUN (ospf_area_authentication_message_digest, + ? OSPF_AUTH_NULL + : OSPF_AUTH_CRYPTOGRAPHIC; + ++ if(area->auth_type == OSPF_AUTH_CRYPTOGRAPHIC) ++ { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ } ++ + return CMD_SUCCESS; + } + +@@ -6665,6 +6679,11 @@ DEFUN (ip_ospf_authentication_args, + + /* Handle message-digest authentication */ + if (argv[idx_encryption]->arg[0] == 'm') { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + SET_IF_PARAM(params, auth_type); + params->auth_type = OSPF_AUTH_CRYPTOGRAPHIC; + return CMD_SUCCESS; +@@ -6971,6 +6990,11 @@ DEFUN (ip_ospf_message_digest_key, + "The OSPF password (key)\n" + "Address of interface\n") + { ++ if(FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication is disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } + VTY_DECLVAR_CONTEXT(interface, ifp); + struct crypt_key *ck; + uint8_t key_id; +diff --git a/isisd/isis_circuit.c b/isisd/isis_circuit.c +index 81b4b39..cce33d9 100644 +--- a/isisd/isis_circuit.c ++++ b/isisd/isis_circuit.c +@@ -1318,6 +1318,10 @@ static int isis_circuit_passwd_set(struct isis_circuit *circuit, + return ferr_code_bug( + "circuit password too long (max 254 chars)"); + ++ //When in FIPS mode, the password never gets set in MD5 ++ if((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && FIPS_mode()) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + circuit->passwd.len = len; + strlcpy((char *)circuit->passwd.passwd, passwd, + sizeof(circuit->passwd.passwd)); +diff --git a/isisd/isisd.c b/isisd/isisd.c +index 419127c..a6c36af 100644 +--- a/isisd/isisd.c ++++ b/isisd/isisd.c +@@ -1638,6 +1638,10 @@ static int isis_area_passwd_set(struct isis_area *area, int level, + if (len > 254) + return -1; + ++ //When in FIPS mode, the password never get set in MD5 ++ if ((passwd_type == ISIS_PASSWD_TYPE_HMAC_MD5) && (FIPS_mode())) ++ return ferr_cfg_invalid("FIPS mode is enabled, md5 authentication is disabled"); ++ + modified.len = len; + strlcpy((char *)modified.passwd, passwd, + sizeof(modified.passwd)); +diff --git a/ripd/rip_cli.c b/ripd/rip_cli.c +index 5bb81ef..02a09ef 100644 +--- a/ripd/rip_cli.c ++++ b/ripd/rip_cli.c +@@ -796,6 +796,12 @@ DEFPY (ip_rip_authentication_mode, + value = "20"; + } + ++ if(strmatch(mode, "md5") && FIPS_mode()) ++ { ++ vty_out(vty, "FIPS mode is enabled, md5 authentication id disabled\n"); ++ return CMD_WARNING_CONFIG_FAILED; ++ } ++ + nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY, + strmatch(mode, "md5") ? "md5" : "plain-text"); + if (strmatch(mode, "md5")) +diff --git a/lib/zebra.h b/lib/zebra.h +index 53ae5b4..930307f 100644 +--- a/lib/zebra.h ++++ b/lib/zebra.h +@@ -114,6 +114,7 @@ + #ifdef CRYPTO_OPENSSL + #include <openssl/evp.h> + #include <openssl/hmac.h> ++#include <openssl/fips.h> + #endif + + #include "openbsd-tree.h" diff --git a/0005-CVE-2023-47235.patch b/0005-CVE-2023-47235.patch new file mode 100644 index 0000000..6d0504b --- /dev/null +++ b/0005-CVE-2023-47235.patch @@ -0,0 +1,110 @@ +From 71422bfe269e34b69d78f9fb02f30426f2fdef48 Mon Sep 17 00:00:00 2001 +From: rpm-build <rpm-build> +Date: Wed, 13 Dec 2023 16:59:46 +0100 +Subject: [PATCH] bgpd: Treat EOR as withdrawn to avoid unwanted handling of + malformed attrs + +Treat-as-withdraw, otherwise if we just ignore it, we will pass it to be +processed as a normal UPDATE without mandatory attributes, that could lead +to harmful behavior. In this case, a crash for route-maps with the configuration +such as: + +``` +router bgp 65001 + no bgp ebgp-requires-policy + neighbor 127.0.0.1 remote-as external + neighbor 127.0.0.1 passive + neighbor 127.0.0.1 ebgp-multihop + neighbor 127.0.0.1 disable-connected-check + neighbor 127.0.0.1 update-source 127.0.0.2 + neighbor 127.0.0.1 timers 3 90 + neighbor 127.0.0.1 timers connect 1 + ! + address-family ipv4 unicast + neighbor 127.0.0.1 addpath-tx-all-paths + neighbor 127.0.0.1 default-originate + neighbor 127.0.0.1 route-map RM_IN in + exit-address-family +exit +! +route-map RM_IN permit 10 + set as-path prepend 200 +exit +``` + +Send a malformed optional transitive attribute: + +``` +import socket +import time + +OPEN = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\x00\x62\x01\x04\xfd\xea\x00\x5a\x0a\x00\x00\x01\x45\x02" +b"\x06\x01\x04\x00\x01\x00\x01\x02\x02\x02\x00\x02\x02\x46\x00\x02" +b"\x06\x41\x04\x00\x00\xfd\xea\x02\x02\x06\x00\x02\x06\x45\x04\x00" +b"\x01\x01\x03\x02\x0e\x49\x0c\x0a\x64\x6f\x6e\x61\x74\x61\x73\x2d" +b"\x70\x63\x00\x02\x04\x40\x02\x00\x78\x02\x09\x47\x07\x00\x01\x01" +b"\x80\x00\x00\x00") + +KEEPALIVE = (b"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" +b"\xff\xff\xff\xff\xff\xff\x00\x13\x04") + +UPDATE = bytearray.fromhex("ffffffffffffffffffffffffffffffff002b0200000003c0ff00010100eb00ac100b0b001ad908ac100b0b") + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +s.connect(('127.0.0.2', 179)) +s.send(OPEN) +data = s.recv(1024) +s.send(KEEPALIVE) +data = s.recv(1024) +s.send(UPDATE) +data = s.recv(1024) +time.sleep(100) +s.close() +``` + +Reported-by: Iggy Frankovic <iggyfran@amazon.com> +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> + +(cherry picked from commit 6814f2e0138a6ea5e1f83bdd9085d9a77999900b) +--- + bgpd/bgp_attr.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index a121911..12a6953 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3079,9 +3079,12 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + uint8_t type = 0; + + /* BGP Graceful-Restart End-of-RIB for IPv4 unicast is signaled as an +- * empty UPDATE. */ ++ * empty UPDATE. Treat-as-withdraw, otherwise if we just ignore it, ++ * we will pass it to be processed as a normal UPDATE without mandatory ++ * attributes, that could lead to harmful behavior. ++ */ + if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) +- return BGP_ATTR_PARSE_PROCEED; ++ return BGP_ATTR_PARSE_WITHDRAW; + + /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required + to carry any other path attributes.", though if MP_REACH_NLRI or NLRI +@@ -3507,7 +3510,13 @@ done: + aspath_unintern(&as4_path); + + transit = bgp_attr_get_transit(attr); +- if (ret != BGP_ATTR_PARSE_ERROR) { ++ /* If we received an UPDATE with mandatory attributes, then ++ * the unrecognized transitive optional attribute of that ++ * path MUST be passed. Otherwise, it's an error, and from ++ * security perspective it might be very harmful if we continue ++ * here with the unrecognized attributes. ++ */ ++ if (ret == BGP_ATTR_PARSE_PROCEED) { + /* Finally intern unknown attribute. */ + if (transit) + bgp_attr_set_transit(attr, transit_intern(transit)); +-- +2.43.0 + diff --git a/0006-CVE-2023-47234.patch b/0006-CVE-2023-47234.patch new file mode 100644 index 0000000..39f1886 --- /dev/null +++ b/0006-CVE-2023-47234.patch @@ -0,0 +1,95 @@ +From 7fe95b24333cceb6cd04595694cd502fcd3666f6 Mon Sep 17 00:00:00 2001 +From: rpm-build <rpm-build> +Date: Wed, 13 Dec 2023 18:25:48 +0100 +Subject: [PATCH] bgpd: Ignore handling NLRIs if we received MP_UNREACH_NLRI + +If we receive MP_UNREACH_NLRI, we should stop handling remaining NLRIs if +no mandatory path attributes received. + +In other words, if MP_UNREACH_NLRI received, the remaining NLRIs should be handled +as a new data, but without mandatory attributes, it's a malformed packet. + +In normal case, this MUST not happen at all, but to avoid crashing bgpd, we MUST +handle that. + +Reported-by: Iggy Frankovic <iggyfran@amazon.com> +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +Signed-off-by: Christian Breunig <christian@breunig.cc> + +(cherry picked from commit c37119df45bbf4ef713bc10475af2ee06e12f3bf) +--- + bgpd/bgp_attr.c | 19 ++++++++++--------- + bgpd/bgp_attr.h | 1 + + bgpd/bgp_packet.c | 7 ++++++- + 3 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 12a6953..8b02f2c 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3086,15 +3086,6 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) + return BGP_ATTR_PARSE_WITHDRAW; + +- /* "An UPDATE message that contains the MP_UNREACH_NLRI is not required +- to carry any other path attributes.", though if MP_REACH_NLRI or NLRI +- are present, it should. Check for any other attribute being present +- instead. +- */ +- if ((!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && +- CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI)))) +- return BGP_ATTR_PARSE_PROCEED; +- + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) + type = BGP_ATTR_ORIGIN; + +@@ -3113,6 +3104,16 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + && !CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_LOCAL_PREF))) + type = BGP_ATTR_LOCAL_PREF; + ++ /* An UPDATE message that contains the MP_UNREACH_NLRI is not required ++ * to carry any other path attributes. Though if MP_REACH_NLRI or NLRI ++ * are present, it should. Check for any other attribute being present ++ * instead. ++ */ ++ if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_REACH_NLRI)) && ++ CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_MP_UNREACH_NLRI))) ++ return type ? BGP_ATTR_PARSE_MISSING_MANDATORY ++ : BGP_ATTR_PARSE_PROCEED; ++ + /* If any of the well-known mandatory attributes are not present + * in an UPDATE message, then "treat-as-withdraw" MUST be used. + */ +diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h +index 06f350b..b9dfec9 100644 +--- a/bgpd/bgp_attr.h ++++ b/bgpd/bgp_attr.h +@@ -379,6 +379,7 @@ enum bgp_attr_parse_ret { + */ + BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, + BGP_ATTR_PARSE_EOR = -4, ++ BGP_ATTR_PARSE_MISSING_MANDATORY = -5, + }; + + struct bpacket_attr_vec_arr; +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index a5f065a..cdf0734 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -1873,7 +1873,12 @@ static int bgp_update_receive(struct peer *peer, bgp_size_t size) + /* Network Layer Reachability Information. */ + update_len = end - stream_pnt(s); + +- if (update_len && attribute_len) { ++ /* If we received MP_UNREACH_NLRI attribute, but also NLRIs, then ++ * NLRIs should be handled as a new data. Though, if we received ++ * NLRIs without mandatory attributes, they should be ignored. ++ */ ++ if (update_len && attribute_len && ++ attr_parse_ret != BGP_ATTR_PARSE_MISSING_MANDATORY) { + /* Set NLRI portion to structure. */ + nlris[NLRI_UPDATE].afi = AFI_IP; + nlris[NLRI_UPDATE].safi = SAFI_UNICAST; +-- +2.43.0 + diff --git a/0007-CVE-2023-46752.patch b/0007-CVE-2023-46752.patch new file mode 100644 index 0000000..054853e --- /dev/null +++ b/0007-CVE-2023-46752.patch @@ -0,0 +1,76 @@ +From b08afc81c60607a4f736f418f2e3eb06087f1a35 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Fri, 20 Oct 2023 17:49:18 +0300 +Subject: [PATCH] bgpd: Handle MP_REACH_NLRI malformed packets with session + reset + +Avoid crashing bgpd. + +Reported-by: Iggy Frankovic <iggyfran@amazon.com> +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +--- + bgpd/bgp_attr.c | 6 +----- + bgpd/bgp_attr.h | 1 - + bgpd/bgp_packet.c | 6 +----- + 3 files changed, 2 insertions(+), 11 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 6925aff727e2..e7bb42a5d989 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -2421,7 +2421,7 @@ int bgp_mp_reach_parse(struct bgp_attr_parser_args *args, + + mp_update->afi = afi; + mp_update->safi = safi; +- return BGP_ATTR_PARSE_EOR; ++ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_MAL_ATTR, 0); + } + + mp_update->afi = afi; +@@ -3759,10 +3759,6 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + goto done; + } + +- if (ret == BGP_ATTR_PARSE_EOR) { +- goto done; +- } +- + if (ret == BGP_ATTR_PARSE_ERROR) { + flog_warn(EC_BGP_ATTRIBUTE_PARSE_ERROR, + "%s: Attribute %s, parse error", peer->host, +diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h +index 961e5f122470..fc347e7a1b4b 100644 +--- a/bgpd/bgp_attr.h ++++ b/bgpd/bgp_attr.h +@@ -364,7 +364,6 @@ enum bgp_attr_parse_ret { + /* only used internally, send notify + convert to BGP_ATTR_PARSE_ERROR + */ + BGP_ATTR_PARSE_ERROR_NOTIFYPLS = -3, +- BGP_ATTR_PARSE_EOR = -4, + BGP_ATTR_PARSE_MISSING_MANDATORY = -5, + }; + +diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c +index b585591e2f69..5ecf343b6657 100644 +--- a/bgpd/bgp_packet.c ++++ b/bgpd/bgp_packet.c +@@ -2397,8 +2397,7 @@ static int bgp_update_receive(struct peer_connection *connection, + * Non-MP IPv4/Unicast EoR is a completely empty UPDATE + * and MP EoR should have only an empty MP_UNREACH + */ +- if ((!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) +- || (attr_parse_ret == BGP_ATTR_PARSE_EOR)) { ++ if (!update_len && !withdraw_len && nlris[NLRI_MP_UPDATE].length == 0) { + afi_t afi = 0; + safi_t safi; + struct graceful_restart_info *gr_info; +@@ -2419,9 +2418,6 @@ static int bgp_update_receive(struct peer_connection *connection, + && nlris[NLRI_MP_WITHDRAW].length == 0) { + afi = nlris[NLRI_MP_WITHDRAW].afi; + safi = nlris[NLRI_MP_WITHDRAW].safi; +- } else if (attr_parse_ret == BGP_ATTR_PARSE_EOR) { +- afi = nlris[NLRI_MP_UPDATE].afi; +- safi = nlris[NLRI_MP_UPDATE].safi; + } + + if (afi && peer->afc[afi][safi]) { diff --git a/0008-CVE-2023-46753.patch b/0008-CVE-2023-46753.patch new file mode 100644 index 0000000..f1f0611 --- /dev/null +++ b/0008-CVE-2023-46753.patch @@ -0,0 +1,60 @@ +From d8482bf011cb2b173e85b65b4bf3d5061250cdb9 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis <donatas@opensourcerouting.org> +Date: Mon, 23 Oct 2023 23:34:10 +0300 +Subject: [PATCH] bgpd: Check mandatory attributes more carefully for UPDATE + message + +If we send a crafted BGP UPDATE message without mandatory attributes, we do +not check if the length of the path attributes is zero or not. We only check +if attr->flag is at least set or not. Imagine we send only unknown transit +attribute, then attr->flag is always 0. Also, this is true only if graceful-restart +capability is received. + +Reported-by: Iggy Frankovic <iggyfran@amazon.com> +Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org> +--- + bgpd/bgp_attr.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c +index 26fd3de..bcc4424 100644 +--- a/bgpd/bgp_attr.c ++++ b/bgpd/bgp_attr.c +@@ -3400,7 +3400,8 @@ bgp_attr_unknown(struct bgp_attr_parser_args *args) + } + + /* Well-known attribute check. */ +-static int bgp_attr_check(struct peer *peer, struct attr *attr) ++static int bgp_attr_check(struct peer *peer, struct attr *attr, ++ bgp_size_t length) + { + uint8_t type = 0; + +@@ -3409,7 +3410,8 @@ static int bgp_attr_check(struct peer *peer, struct attr *attr) + * we will pass it to be processed as a normal UPDATE without mandatory + * attributes, that could lead to harmful behavior. + */ +- if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag) ++ if (CHECK_FLAG(peer->cap, PEER_CAP_RESTART_RCV) && !attr->flag && ++ !length) + return BGP_ATTR_PARSE_WITHDRAW; + + if (!CHECK_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_ORIGIN))) +@@ -3462,7 +3464,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + enum bgp_attr_parse_ret ret; + uint8_t flag = 0; + uint8_t type = 0; +- bgp_size_t length; ++ bgp_size_t length = 0; + uint8_t *startp, *endp; + uint8_t *attr_endp; + uint8_t seen[BGP_ATTR_BITMAP_SIZE]; +@@ -3785,7 +3787,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, + } + + /* Check all mandatory well-known attributes are present */ +- ret = bgp_attr_check(peer, attr); ++ ret = bgp_attr_check(peer, attr, length); + if (ret < 0) + goto done; + diff --git a/frr-sysusers.conf b/frr-sysusers.conf new file mode 100644 index 0000000..9632955 --- /dev/null +++ b/frr-sysusers.conf @@ -0,0 +1,4 @@ +#Type Name ID GECOS Home directory Shell +g frrvty - +u frr - "FRRouting routing suite" /var/run/frr /sbin/nologin +m frr frrvty diff --git a/frr-tmpfiles.conf b/frr-tmpfiles.conf new file mode 100644 index 0000000..c1613b2 --- /dev/null +++ b/frr-tmpfiles.conf @@ -0,0 +1 @@ +d /run/frr 0755 frr frr - @@ -0,0 +1,29 @@ +/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0) + +/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0) + +/etc/frr(/.*)? gen_context(system_u:object_r:frr_conf_t,s0) + +/var/log/frr(/.*)? gen_context(system_u:object_r:frr_log_t,s0) +/var/tmp/frr(/.*)? gen_context(system_u:object_r:frr_tmp_t,s0) + +/var/lock/subsys/bfdd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/bgpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/eigrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/fabricd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/isisd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/nhrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ospf6d -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ospfd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pbrd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pimd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ripd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/ripngd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/staticd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/zebra -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/vrrpd -- gen_context(system_u:object_r:frr_lock_t,s0) +/var/lock/subsys/pathd -- gen_context(system_u:object_r:frr_lock_t,s0) + +/var/run/frr(/.*)? gen_context(system_u:object_r:frr_var_run_t,s0) + +/usr/bin/vtysh -- gen_context(system_u:object_r:frr_exec_t,s0) @@ -0,0 +1,214 @@ +## <summary>policy for frr</summary> + +######################################## +## <summary> +## Execute frr_exec_t in the frr domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`frr_domtrans',` + gen_require(` + type frr_t, frr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, frr_exec_t, frr_t) +') + +###################################### +## <summary> +## Execute frr in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`frr_exec',` + gen_require(` + type frr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, frr_exec_t) +') + +######################################## +## <summary> +## Read frr's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`frr_read_log',` + gen_require(` + type frr_log_t; + ') + + read_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## <summary> +## Append to frr log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`frr_append_log',` + gen_require(` + type frr_log_t; + ') + + append_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## <summary> +## Manage frr log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`frr_manage_log',` + gen_require(` + type frr_log_t; + ') + + manage_dirs_pattern($1, frr_log_t, frr_log_t) + manage_files_pattern($1, frr_log_t, frr_log_t) + manage_lnk_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## <summary> +## Read frr PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`frr_read_pid_files',` + gen_require(` + type frr_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, frr_var_run_t, frr_var_run_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an frr environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`frr_admin',` + gen_require(` + type frr_t; + type frr_log_t; + type frr_var_run_t; + ') + + allow $1 frr_t:process { signal_perms }; + ps_process_pattern($1, frr_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 frr_t:process ptrace; + ') + + admin_pattern($1, frr_log_t) + + files_search_pids($1) + admin_pattern($1, frr_var_run_t) + optional_policy(` + logging_search_logs($1) + ') + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') + +######################################## +# +# Interface compatibility blocks +# +# The following definitions ensure compatibility with distribution policy +# versions that do not contain given interfaces (epel, or older Fedora +# releases). +# Each block tests for existence of given interface and defines it if needed. +# + +###################################### +## <summary> +## Watch ifconfig_var_run_t directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +ifndef(`sysnet_watch_ifconfig_run',` + interface(`sysnet_watch_ifconfig_run',` + gen_require(` + type ifconfig_var_run_t; + ') + + watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') +') + +######################################## +## <summary> +## Read ifconfig_var_run_t files and link files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +ifndef(`sysnet_read_ifconfig_run',` + interface(`sysnet_read_ifconfig_run',` + gen_require(` + type ifconfig_var_run_t; + ') + + list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') +') diff --git a/frr.spec b/frr.spec new file mode 100644 index 0000000..e9b8a38 --- /dev/null +++ b/frr.spec @@ -0,0 +1,452 @@ +%global frr_libdir %{_libexecdir}/frr + +%global _hardened_build 1 +%define _legacy_common_support 1 +%global selinuxtype targeted +%bcond_without selinux + +Name: frr +Version: 8.5.3 +Release: 4%{?checkout}%{?dist} +Summary: Routing daemon +License: GPLv2+ +URL: http://www.frrouting.org +Source0: https://github.com/FRRouting/frr/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz +Source1: %{name}-tmpfiles.conf +Source2: frr-sysusers.conf +Source3: frr.fc +Source4: frr.te +Source5: frr.if +Source6: remove-babeld-ldpd.sh +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bison >= 2.7 +BuildRequires: c-ares-devel +BuildRequires: flex +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: git-core +BuildRequires: groff +BuildRequires: json-c-devel +BuildRequires: libcap-devel +BuildRequires: libtool +BuildRequires: libyang-devel >= 2.0.0 +BuildRequires: make +BuildRequires: ncurses +BuildRequires: ncurses-devel +BuildRequires: net-snmp-devel +BuildRequires: pam-devel +BuildRequires: patch +BuildRequires: perl-XML-LibXML +BuildRequires: perl-generators +BuildRequires: python3-devel +BuildRequires: python3-pytest +BuildRequires: python3-sphinx +BuildRequires: readline-devel +BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros +BuildRequires: texinfo + +Requires: net-snmp +Requires: ncurses +Requires(post): systemd +Requires(post): /sbin/install-info +Requires(post): hostname +Requires(preun): systemd +Requires(preun): /sbin/install-info +Requires(postun): systemd + +%if 0%{?with_selinux} +Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype}) +%endif + +Conflicts: quagga +Provides: routingdaemon = %{version}-%{release} + +Patch0000: 0000-remove-babeld-and-ldpd.patch +Patch0002: 0002-enable-openssl.patch +Patch0003: 0003-disable-eigrp-crypto.patch +Patch0004: 0004-fips-mode.patch +Patch0005: 0005-CVE-2023-47235.patch +Patch0006: 0006-CVE-2023-47234.patch +Patch0007: 0007-CVE-2023-46752.patch +Patch0008: 0008-CVE-2023-46753.patch + +%description +FRRouting is free software that manages TCP/IP based routing protocols. It takes +a multi-server and multi-threaded approach to resolve the current complexity +of the Internet. + +FRRouting supports BGP4, OSPFv2, OSPFv3, ISIS, RIP, RIPng, PIM, NHRP, PBR, EIGRP and BFD. + +FRRouting is a fork of Quagga. + +%if 0%{?with_selinux} +%package selinux +Summary: Selinux policy for FRR +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +%{?selinux_requires} + +%description selinux +SELinux policy modules for FRR package + +%endif + +%prep +%autosetup -S git +mkdir selinux +cp -p %{SOURCE3} %{SOURCE4} %{SOURCE5} selinux + +%build +autoreconf -ivf + +%configure \ + --sbindir=%{frr_libdir} \ + --sysconfdir=%{_sysconfdir}/frr \ + --libdir=%{_libdir}/frr \ + --libexecdir=%{_libexecdir}/frr \ + --localstatedir=%{_localstatedir}/run/frr \ + --enable-multipath=64 \ + --enable-vtysh=yes \ + --disable-ospfclient \ + --disable-ospfapi \ + --enable-snmp=agentx \ + --enable-user=frr \ + --enable-group=frr \ + --enable-vty-group=frrvty \ + --enable-rtadv \ + --disable-exampledir \ + --enable-systemd=yes \ + --enable-static=no \ + --disable-ldpd \ + --disable-babeld \ + --with-moduledir=%{_libdir}/frr/modules \ + --with-crypto=openssl \ + --enable-fpm + +%make_build MAKEINFO="makeinfo --no-split" PYTHON=%{__python3} + +pushd doc +make info +popd + +%if 0%{?with_selinux} +make -C selinux -f %{_datadir}/selinux/devel/Makefile %{name}.pp +bzip2 -9 selinux/%{name}.pp +%endif + +%install +mkdir -p %{buildroot}/etc/{frr,rc.d/init.d,sysconfig,logrotate.d,pam.d,default} \ + %{buildroot}/var/log/frr %{buildroot}%{_infodir} \ + %{buildroot}%{_unitdir} + +mkdir -p -m 0755 %{buildroot}%{_libdir}/frr +mkdir -p %{buildroot}%{_tmpfilesdir} + +%make_install + +# Remove this file, as it is uninstalled and causes errors when building on RH9 +rm -rf %{buildroot}/usr/share/info/dir + +install -p -m 644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -p -m 644 tools/etc/frr/daemons %{buildroot}/etc/frr/daemons +install -p -m 644 tools/frr.service %{buildroot}%{_unitdir}/frr.service +install -p -m 755 tools/frrinit.sh %{buildroot}%{frr_libdir}/frr +install -p -m 755 tools/frrcommon.sh %{buildroot}%{frr_libdir}/frrcommon.sh +install -p -m 755 tools/watchfrr.sh %{buildroot}%{frr_libdir}/watchfrr.sh + +install -p -m 644 redhat/frr.logrotate %{buildroot}/etc/logrotate.d/frr +install -p -m 644 redhat/frr.pam %{buildroot}/etc/pam.d/frr +install -d -m 775 %{buildroot}/run/frr + +install -p -D -m 0644 %{SOURCE2} ${RPM_BUILD_ROOT}/%{_sysusersdir}/frr.conf + +%if 0%{?with_selinux} +install -D -m 644 selinux/%{name}.pp.bz2 \ + %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +install -D -m 644 selinux/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if +%endif + +# Delete libtool archives +find %{buildroot} -type f -name "*.la" -delete -print + +#Upstream does not maintain a stable API, these headers from -devel subpackage are no longer needed +rm %{buildroot}%{_libdir}/frr/*.so +rm -r %{buildroot}%{_includedir}/frr/ + +%pre +%sysusers_create_compat %{SOURCE2} +exit 0 + +%post +%systemd_post frr.service + +if [ -f %{_infodir}/%{name}.inf* ]; then + install-info %{_infodir}/frr.info %{_infodir}/dir || : +fi + +# Create dummy files if they don't exist so basic functions can be used. +# Only create frr.conf when first installing, otherwise it can change +# the behavior of the package +if [ $1 -eq 1 ]; then + if [ ! -e %{_sysconfdir}/frr/frr.conf ]; then + echo "hostname `hostname`" > %{_sysconfdir}/frr/frr.conf + chown frr:frr %{_sysconfdir}/frr/frr.conf + chmod 640 %{_sysconfdir}/frr/frr.conf + fi +fi + +#still used by vtysh, this way no error is produced when using vtysh +if [ ! -e %{_sysconfdir}/frr/vtysh.conf ]; then + touch %{_sysconfdir}/frr/vtysh.conf + chmod 640 %{_sysconfdir}/frr/vtysh.conf + chown frr:frrvty %{_sysconfdir}/frr/vtysh.conf +fi + + +%postun +%systemd_postun_with_restart frr.service + +%preun +%systemd_preun frr.service + +#only when removing frr +if [ $1 -eq 0 ]; then + if [ -f %{_infodir}/%{name}.inf* ]; then + install-info --delete %{_infodir}/frr.info %{_infodir}/dir || : + fi +fi + +%if 0%{?with_selinux} +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} +#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade +if [ $1 == 2 ]; then + %{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null + %{_sbindir}/restorecon -R /var/run/frr &> /dev/null +fi + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} + %selinux_relabel_post -s %{selinuxtype} +fi +%endif + +%check +make check PYTHON=%{__python3} + +%files +%defattr(-,root,root) +%license COPYING +%doc doc/mpls +%dir %attr(750,frr,frr) %{_sysconfdir}/frr +%dir %attr(755,frr,frr) /var/log/frr +%dir %attr(755,frr,frr) /run/frr +%{_infodir}/*info* +%{_mandir}/man*/* +%dir %{frr_libdir}/ +%{frr_libdir}/* +%{_bindir}/* +%dir %{_libdir}/frr +%{_libdir}/frr/*.so.* +%dir %{_libdir}/frr/modules +%{_libdir}/frr/modules/* +%config(noreplace) %attr(644,root,root) /etc/logrotate.d/frr +%config(noreplace) %attr(644,frr,frr) /etc/frr/daemons +%config(noreplace) /etc/pam.d/frr +%{_unitdir}/*.service +%dir /usr/share/yang +/usr/share/yang/*.yang +%{_tmpfilesdir}/%{name}.conf +%{_sysusersdir}/frr.conf + +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.* +%{_datadir}/selinux/devel/include/distributed/%{name}.if +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%endif + +%changelog +* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-4 +- Resolves: RHEL-14825 - crafted BGP UPDATE message leading to a crash + +* Mon Feb 05 2024 Michal Ruprich <mruprich@redhat.com> - 8.5.3-3 +- Resolves: RHEL-14822 - mishandled malformed data leading to a crash + +* Mon Dec 18 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-2 +- Resolves: RHEL-15915 - crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message +- Resolves: RHEL-15918 - crash from malformed EOR-containing BGP UPDATE message + +* Thu Nov 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.5.3-1 +- Resolves: RHEL-15291 - Rebase FRR to version 8.5.3 in RHEL9 + +* Fri Oct 13 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-12 +- Resolves: RHEL-3541 - Incorrect handling of a error in parsing of an invalid section of a BGP update can de-peer a router + +* Thu Sep 21 2023 Carlos Goncalves <cgoncalves@redhat.com> - 8.3.1-11 +- Resolves: RHEL-2263 - bgpd: Do not explicitly print MAXTTL value for ebgp-multihop vty output + +* Thu Aug 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-10 +- Related: #2216912 - adding sys_admin to capabilities + +* Tue Aug 08 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-9 +- Resolves: #2215346 - frr policy does not allow the execution of /usr/sbin/ipsec + +* Mon Aug 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-8 +- Resolves: #2216912 - SELinux is preventing FRR-Zebra to access to network namespaces + +* Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-7 +- Resolves: #2168855 - BFD not working through VRF + +* Tue May 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-6 +- Resolves: #2184870 - Reachable assertion in peek_for_as4_capability function +- Resolves: #2196795 - denial of service by crafting a BGP OPEN message with an option of type 0xff +- Resolves: #2196796 - denial of service by crafting a BGP OPEN message with an option of type 0xff +- Resolves: #2196794 - out-of-bounds read exists in the BGP daemon of FRRouting + +* Mon Nov 28 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5 +- Resolves: #2147522 - It is not possible to run FRR as a non-root user + +* Thu Nov 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-4 +- Resolves: #2144500 - AVC error when reloading FRR with provided reload script + +* Wed Oct 19 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-3 +- Related: #2129743 - Adding missing rules for vtysh and other daemons + +* Mon Oct 17 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-2 +- Resolves: #2128738 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service + +* Thu Oct 13 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-1 +- Resolves: #2129731 - Rebase FRR to the latest version +- Resolves: #2129743 - Add targeted SELinux policy for FRR +- Resolves: #2127494 - BGP incorrectly withdraws routes on graceful restart capable routers + +* Tue Jun 14 2022 Michal Ruprich - 8.2.2-4 +- Resolves: #2095404 - frr use systemd-sysusers + +* Tue May 24 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-3 +- Resolves: #2081304 - Enhanced TMT testing for centos-stream + +* Mon May 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-2 +- Resolves: #2069571 - the dynamic routing setup does not work any more + +* Mon May 02 2022 Michal Ruprich <mruprich@redhat.com> - 8.2.2-1 +- Resolves: #2069563 - Rebase frr to version 8.2.2 + +* Tue Nov 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-5 +- Resolves: #2023318 - Rebuilding for the new json-c library + +* Wed Sep 01 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-4 +- Resolves: #1997603 - ospfd not running with ospf opaque-lsa option used + +* Mon Aug 16 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-3 +- Related: #1990858 - Fixing prefix-list duplication check + +* Thu Aug 12 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-2 +- Related: #1990858 - Frr needs higher version of libyang + +* Tue Aug 10 2021 Michal Ruprich <mruprich@redhat.com> - 8.0-1 +- Resolves: #1990858 - Possible rebase of frr to version 8.0 + +* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-7 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jul 21 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-6 +- Resolves: #1983967 - ospfd crashes in route_node_delete with assertion fail + +* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-5 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Fri Jun 04 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4 +- Resolves: #1958155 - Upgrading frr unconditionally creates /etc/frr/frr.conf, breaking existing configuration + +* Fri Apr 23 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3 +- Resolves: #1939456 - /etc/frr permissions are bogus +- Resolves: #1951303 - FTBFS in CentOS Stream + +* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 7.5.1-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Mar 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5.1-1 +- New version 7.5.1 +- Enabling grpc, adding hostname for post scriptlet +- Moving files to libexec due to selinux issues + +* Tue Feb 16 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-3 +- Fixing FTBS - icc options are confusing the new gcc + +* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Jan 01 2021 Michal Ruprich <mruprich@redhat.com> - 7.5-1 +- New version 7.5 + +* Mon Sep 21 2020 Michal Ruprich <mruprich@redhat.com> - 7.4-1 +- New version 7.4 + +* Thu Aug 27 2020 Josef Řídký <jridky@redhat.com> - 7.3.1-4 +- Rebuilt for new net-snmp release + +* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jun 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3.1-1 +- New version 7.3.1 +- Fixes a couple of bugs(#1832259, #1835039, #1830815, #1830808, #1830806, #1830800, #1830798, #1814773) + +* Tue May 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-6 +- Removing texi2html, it is not available in Rawhide anymore + +* Mon May 18 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-5 +- Rebuild for new version of libyang + +* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-4 +- Rebuild (json-c) + +* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-3 +- Update json-c-0.14 patch with a solution from upstream + +* Mon Apr 13 2020 Björn Esser <besser82@fedoraproject.org> - 7.3-2 +- Add support for upcoming json-c 0.14.0 + +* Wed Feb 19 2020 Michal Ruprich <mruprich@redhat.com> - 7.3-1 +- New version 7.3 + +* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Dec 16 2019 Michal Ruprich <mruprich@redhat.com> - 7.2-1 +- New version 7.2 + +* Tue Nov 12 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-5 +- Rebuilding for new version of libyang + +* Mon Oct 07 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-4 +- Adding noreplace to the /etc/frr/daemons file + +* Fri Sep 13 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-3 +- New way of finding python version during build +- Replacing crypto of all routing daemons with openssl +- Disabling EIGRP crypto because it is broken +- Disabling crypto in FIPS mode + +* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 25 2019 Michal Ruprich <mruprich@redhat.com> - 7.1-1 +- New version 7.1 + +* Wed Jun 19 2019 Michal Ruprich <mruprich@redhat.com> - 7.0-2 +- Initial build + @@ -0,0 +1,127 @@ +policy_module(frr, 1.0.0) + +######################################## +# +# Declarations +# + +type frr_t; +type frr_exec_t; +init_daemon_domain(frr_t, frr_exec_t) + +type frr_log_t; +logging_log_file(frr_log_t) + +type frr_tmp_t; +files_tmp_file(frr_tmp_t) + +type frr_lock_t; +files_lock_file(frr_lock_t) + +type frr_conf_t; +files_config_file(frr_conf_t) + +type frr_unit_file_t; +systemd_unit_file(frr_unit_file_t) + +type frr_var_run_t; +files_pid_file(frr_var_run_t) + +######################################## +# +# frr local policy +# +allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin }; +allow frr_t self:netlink_route_socket rw_netlink_socket_perms; +allow frr_t self:packet_socket create_socket_perms; +allow frr_t self:process { setcap setpgid }; +allow frr_t self:rawip_socket create_socket_perms; +allow frr_t self:tcp_socket { connect connected_stream_socket_perms }; +allow frr_t self:udp_socket create_socket_perms; +allow frr_t self:unix_stream_socket connectto; + +allow frr_t frr_conf_t:dir list_dir_perms; +manage_files_pattern(frr_t, frr_conf_t, frr_conf_t) +read_lnk_files_pattern(frr_t, frr_conf_t, frr_conf_t) + +manage_dirs_pattern(frr_t, frr_log_t, frr_log_t) +manage_files_pattern(frr_t, frr_log_t, frr_log_t) +manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t) +logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file }) + +allow frr_t frr_tmp_t:file map; +manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t) +manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t) +files_tmp_filetrans(frr_t, frr_tmp_t, { file dir }) + +manage_files_pattern(frr_t, frr_lock_t, frr_lock_t) +manage_lnk_files_pattern(frr_t, frr_lock_t, frr_lock_t) +files_lock_filetrans(frr_t, frr_lock_t, { file lnk_file }) + +manage_dirs_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_lnk_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +manage_sock_files_pattern(frr_t, frr_var_run_t, frr_var_run_t) +files_pid_filetrans(frr_t, frr_var_run_t, { dir file lnk_file }) + +allow frr_t frr_exec_t:dir search_dir_perms; +can_exec(frr_t, frr_exec_t) + +kernel_read_network_state(frr_t) +kernel_rw_net_sysctls(frr_t) +kernel_read_system_state(frr_t) + +auth_use_nsswitch(frr_t) + +corecmd_exec_bin(frr_t) + +corenet_tcp_bind_appswitch_emp_port(frr_t) +corenet_udp_bind_bfd_control_port(frr_t) +corenet_udp_bind_bfd_echo_port(frr_t) +corenet_tcp_bind_bgp_port(frr_t) +corenet_tcp_connect_bgp_port(frr_t) +corenet_udp_bind_all_unreserved_ports(frr_t); +corenet_tcp_bind_generic_port(frr_t) +corenet_tcp_bind_firepower_port(frr_t) +corenet_tcp_bind_priority_e_com_port(frr_t) +corenet_udp_bind_router_port(frr_t) +corenet_tcp_bind_qpasa_agent_port(frr_t) +corenet_tcp_bind_smntubootstrap_port(frr_t) +corenet_tcp_bind_versa_tek_port(frr_t) +corenet_tcp_bind_zebra_port(frr_t) + +domain_use_interactive_fds(frr_t) + +fs_read_nsfs_files(frr_t) + +sysnet_exec_ifconfig(frr_t) +sysnet_read_ifconfig_run(frr_t) +sysnet_watch_ifconfig_run(frr_t) + +ipsec_domtrans_mgmt(frr_t) + +userdom_read_admin_home_files(frr_t) + +init_signal(frr_t) +unconfined_server_signull(frr_t) +allow frr_t unconfined_service_t:process signal; + +optional_policy(` + logging_send_syslog_msg(frr_t) +') + +optional_policy(` + modutils_exec_kmod(frr_t) + modutils_getattr_module_deps(frr_t) + modutils_read_module_config(frr_t) + modutils_read_module_deps_files(frr_t) +') + +optional_policy(` + networkmanager_read_state(frr_t) +') + +optional_policy(` + userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr") + userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr") +') diff --git a/remove-babeld-ldpd.sh b/remove-babeld-ldpd.sh new file mode 100644 index 0000000..ae76a45 --- /dev/null +++ b/remove-babeld-ldpd.sh @@ -0,0 +1,16 @@ +#!/bin/sh +#this script is used to remove babled and ldpd from the tar sources +#Usage: sh remove-babeld-ldpd.sh <VERSION> +#Example: sh remove-babeld-ldpd.sh 7.3.1 - this is for frr-7.3.1.tar.gz file + +VERSION=$1 +TAR=frr-${VERSION}.tar.gz +DIR=frr-${VERSION} + +echo ${VERSION} +echo ${TAR} +echo ${DIR} + +tar -xzf ${TAR} +rm -rf ${DIR}/babeld ${DIR}/ldpd +tar -czf ${TAR} ${DIR} @@ -0,0 +1 @@ +f5aed1db70863722d6992150d36bc58c frr-8.5.3.tar.gz |