Sync from SUSE:ALP:Source:Standard:1.0 keepalived revision 9d29ec305d71275012b56df0af938c03

2024-10-16 15:56:28 +02:00 · 2024-10-16 15:56:28 +02:00 · fd0ab65984
commit fd0ab65984
parent 78294bd7bc
3 changed files with 110 additions and 0 deletions
--- a/bsc-1228123.patch
+++ b/bsc-1228123.patch
@ -0,0 +1,101 @@
+--- keepalived-2.2.8/keepalived/core/global_parser.c.orig	2024-08-13 18:02:02.156517132 +0200
+++ keepalived-2.2.8/keepalived/core/global_parser.c	2024-08-13 18:04:32.173727108 +0200
+@@ -1091,12 +1091,27 @@ vrrp_ipsets_handler(const vector_t *strv
+ {
+ 	size_t len;
+ 	char set_name[IPSET_MAXNAMELEN];
+	unsigned sn0, sn1;
+        const char **set_names[] = {
+                &global_data->vrrp_ipset_address,
+                &global_data->vrrp_ipset_address6,
+                &global_data->vrrp_ipset_address_iface6,
+                &global_data->vrrp_ipset_igmp,
+                &global_data->vrrp_ipset_mld,
+#ifdef _HAVE_VRRP_VMAC_
+                &global_data->vrrp_ipset_vmac_nd
+#endif
+				};
+ 
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_address);
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_address6);
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_address_iface6);
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_igmp);
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_mld);
+#ifdef _HAVE_VRRP_VMAC_
+        FREE_CONST_PTR(global_data->vrrp_ipset_vmac_nd);
+#endif
+	global_data->using_ipsets = PARAMETER_UNSET;
+ 
+ 	if (vector_size(strvec) < 2) {
+ 		global_data->using_ipsets = false;
+@@ -1105,14 +1120,14 @@ vrrp_ipsets_handler(const vector_t *strv
+ 
+ 	if (strlen(strvec_slot(strvec,1)) >= IPSET_MAXNAMELEN - 1) {
+ 		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset address name too long - ignored");
+-		return;
+		goto ipset_error;
+ 	}
+ 	global_data->vrrp_ipset_address = STRDUP(strvec_slot(strvec,1));
+ 
+ 	if (vector_size(strvec) >= 3) {
+ 		if (strlen(strvec_slot(strvec,2)) >= IPSET_MAXNAMELEN - 1) {
+ 			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address name too long - ignored");
+-			return;
+			goto ipset_error;
+ 		}
+ 		global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2));
+ 	}
+@@ -1126,7 +1141,7 @@ vrrp_ipsets_handler(const vector_t *strv
+ 	if (vector_size(strvec) >= 4) {
+ 		if (strlen(strvec_slot(strvec,3)) >= IPSET_MAXNAMELEN - 1) {
+ 			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address_iface name too long - ignored");
+-			return;
+			goto ipset_error;
+ 		}
+ 		global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3));
+ 	}
+@@ -1144,7 +1159,7 @@ vrrp_ipsets_handler(const vector_t *strv
+ 	if (vector_size(strvec) >= 5) {
+ 		if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) {
+ 			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored");
+-			return;
+			goto ipset_error;
+ 		}
+ 		global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4));
+ 	}
+@@ -1158,7 +1173,7 @@ vrrp_ipsets_handler(const vector_t *strv
+ 	if (vector_size(strvec) >= 6) {
+ 		if (strlen(strvec_slot(strvec,5)) >= IPSET_MAXNAMELEN - 1) {
+ 			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset MLD name too long - ignored");
+-			return;
+			goto ipset_error;
+ 		}
+ 		global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5));
+ 	}
+@@ -1169,6 +1184,26 @@ vrrp_ipsets_handler(const vector_t *strv
+ 		strcat(set_name, "_mld");
+ 		global_data->vrrp_ipset_mld = STRDUP(set_name);
+ 	}
+	/* Ensure all the set names are different */
+        for (sn0 = 0; sn0 < sizeof(set_names) / sizeof(set_names[0]) - 1; sn0++) {
+                for (sn1 = sn0 + 1; sn1 < sizeof(set_names) / sizeof(set_names[0]); sn1++) {
+                        if (!strcmp(*set_names[sn0], *set_names[sn1])) {
+                                report_config_error(CONFIG_GENERAL_ERROR, "vrrp_ipsets: set name %s used more than once", *set_names[sn0]);
+                                goto ipset_error;
+                        }
+                }
+        }
+	global_data->using_ipsets = true;
+	return;
+ipset_error:
+        FREE_CONST_PTR(global_data->vrrp_ipset_address);
+        FREE_CONST_PTR(global_data->vrrp_ipset_address6);
+        FREE_CONST_PTR(global_data->vrrp_ipset_address_iface6);
+        FREE_CONST_PTR(global_data->vrrp_ipset_igmp);
+        FREE_CONST_PTR(global_data->vrrp_ipset_mld);
+#ifdef _HAVE_VRRP_VMAC_
+        FREE_CONST_PTR(global_data->vrrp_ipset_vmac_nd);
+#endif
+ }
+ #endif
+ #elif defined _WITH_NFTABLES_
--- a/keepalived.changes
+++ b/keepalived.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Aug 13 15:17:02 UTC 2024 - Peter Varkoly <varkoly@suse.com>
+
+- VUL-0: CVE-2024-41184: keepalived: integer overflow in vrrp_ipsets_handler
+  (bsc#1228123) Apply upstream patches:
+    bsc-1228123.patch
+
 -------------------------------------------------------------------
 Wed May 31 21:32:46 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>

--- a/keepalived.spec
+++ b/keepalived.spec
@ -48,6 +48,7 @@ Source:         https://www.keepalived.org/software/%{name}-%{version}.tar.gz
 Source2:        keepalive-rpmlintrc
 Patch0:         keepalive-init.patch
 Patch1:         harden_keepalived.service.patch
+Patch2:         bsc-1228123.patch
 BuildRequires:  file-devel
 BuildRequires:  net-snmp-devel
 BuildRequires:  pkgconfig
@ -98,6 +99,7 @@ resilient infrastructures.
 %patch0 -p1
 chmod 644 doc/samples/*
 %patch1 -p1
+%patch2 -p1

 %build
 export STRIP=true