Sync from SUSE:ALP:Source:Standard:1.0 keepalived revision 9d29ec305d71275012b56df0af938c03

bsc-1228123.patch

@@ -0,0 +1,101 @@
+--- keepalived-2.2.8/keepalived/core/global_parser.c.orig	2024-08-13 18:02:02.156517132 +0200
++++ keepalived-2.2.8/keepalived/core/global_parser.c	2024-08-13 18:04:32.173727108 +0200
+@@ -1091,12 +1091,27 @@ vrrp_ipsets_handler(const vector_t *strv
+ {
+ 	size_t len;
+ 	char set_name[IPSET_MAXNAMELEN];
++	unsigned sn0, sn1;
++        const char **set_names[] = {
++                &global_data->vrrp_ipset_address,
++                &global_data->vrrp_ipset_address6,
++                &global_data->vrrp_ipset_address_iface6,
++                &global_data->vrrp_ipset_igmp,
++                &global_data->vrrp_ipset_mld,
++#ifdef _HAVE_VRRP_VMAC_
++                &global_data->vrrp_ipset_vmac_nd
++#endif
++				};
+ 
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_address);
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_address6);
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_address_iface6);
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_igmp);
+ 	FREE_CONST_PTR(global_data->vrrp_ipset_mld);
++#ifdef _HAVE_VRRP_VMAC_
++        FREE_CONST_PTR(global_data->vrrp_ipset_vmac_nd);
++#endif
++	global_data->using_ipsets = PARAMETER_UNSET;
+ 
+ 	if (vector_size(strvec) < 2) {
+ 		global_data->using_ipsets = false;
+@@ -1105,14 +1120,14 @@ vrrp_ipsets_handler(const vector_t *strv
+ 
+ 	if (strlen(strvec_slot(strvec,1)) >= IPSET_MAXNAMELEN - 1) {
+ 		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset address name too long - ignored");
+-		return;
++		goto ipset_error;
+ 	}
+ 	global_data->vrrp_ipset_address = STRDUP(strvec_slot(strvec,1));
+ 
+ 	if (vector_size(strvec) >= 3) {
+ 		if (strlen(strvec_slot(strvec,2)) >= IPSET_MAXNAMELEN - 1) {
+ 			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address name too long - ignored");
+-			return;
++			goto ipset_error;
+ 		}
+ 		global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2));
+ 	}
+@@ -1126,7 +1141,7 @@ vrrp_ipsets_handler(const vector_t *strv
+ 	if (vector_size(strvec) >= 4) {
+ 		if (strlen(strvec_slot(strvec,3)) >= IPSET_MAXNAMELEN - 1) {
+ 			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address_iface name too long - ignored");
+-			return;
++			goto ipset_error;
+ 		}
+ 		global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3));
+ 	}
+@@ -1144,7 +1159,7 @@ vrrp_ipsets_handler(const vector_t *strv
+ 	if (vector_size(strvec) >= 5) {
+ 		if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) {
+ 			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored");
+-			return;
++			goto ipset_error;
+ 		}
+ 		global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4));
+ 	}
+@@ -1158,7 +1173,7 @@ vrrp_ipsets_handler(const vector_t *strv
+ 	if (vector_size(strvec) >= 6) {
+ 		if (strlen(strvec_slot(strvec,5)) >= IPSET_MAXNAMELEN - 1) {
+ 			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset MLD name too long - ignored");
+-			return;
++			goto ipset_error;
+ 		}
+ 		global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5));
+ 	}
+@@ -1169,6 +1184,26 @@ vrrp_ipsets_handler(const vector_t *strv
+ 		strcat(set_name, "_mld");
+ 		global_data->vrrp_ipset_mld = STRDUP(set_name);
+ 	}
++	/* Ensure all the set names are different */
++        for (sn0 = 0; sn0 < sizeof(set_names) / sizeof(set_names[0]) - 1; sn0++) {
++                for (sn1 = sn0 + 1; sn1 < sizeof(set_names) / sizeof(set_names[0]); sn1++) {
++                        if (!strcmp(*set_names[sn0], *set_names[sn1])) {
++                                report_config_error(CONFIG_GENERAL_ERROR, "vrrp_ipsets: set name %s used more than once", *set_names[sn0]);
++                                goto ipset_error;
++                        }
++                }
++        }
++	global_data->using_ipsets = true;
++	return;
++ipset_error:
++        FREE_CONST_PTR(global_data->vrrp_ipset_address);
++        FREE_CONST_PTR(global_data->vrrp_ipset_address6);
++        FREE_CONST_PTR(global_data->vrrp_ipset_address_iface6);
++        FREE_CONST_PTR(global_data->vrrp_ipset_igmp);
++        FREE_CONST_PTR(global_data->vrrp_ipset_mld);
++#ifdef _HAVE_VRRP_VMAC_
++        FREE_CONST_PTR(global_data->vrrp_ipset_vmac_nd);
++#endif
+ }
+ #endif
+ #elif defined _WITH_NFTABLES_

keepalived.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Aug 13 15:17:02 UTC 2024 - Peter Varkoly <varkoly@suse.com>
+
+- VUL-0: CVE-2024-41184: keepalived: integer overflow in vrrp_ipsets_handler
+  (bsc#1228123) Apply upstream patches:
+    bsc-1228123.patch
+
 -------------------------------------------------------------------
 Wed May 31 21:32:46 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
 

keepalived.spec

@@ -48,6 +48,7 @@ Source:         https://www.keepalived.org/software/%{name}-%{version}.tar.gz
 Source2:        keepalive-rpmlintrc
 Patch0:         keepalive-init.patch
 Patch1:         harden_keepalived.service.patch
+Patch2:         bsc-1228123.patch
 BuildRequires:  file-devel
 BuildRequires:  net-snmp-devel
 BuildRequires:  pkgconfig
@@ -98,6 +99,7 @@ resilient infrastructures.
 %patch0 -p1
 chmod 644 doc/samples/*
 %patch1 -p1
+%patch2 -p1
 
 %build
 export STRIP=true