Accepting request 958103 from network

OBS-URL: https://build.opensuse.org/request/show/958103
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/frr?expand=0&rev=18

0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch

@@ -0,0 +1,52 @@
+From 50044ec7fe129e0a74d3a679dd29fe17ce30e6bf Mon Sep 17 00:00:00 2001
+From: whichbug <whichbug@github.com>
+Date: Thu, 3 Feb 2022 12:01:31 -0500
+Upstream: yes
+References: bsc#1196503,CVE-2022-26127
+Subject: [PATCH] babeld: fix #10487 by adding a check on packet length
+
+The body length of a packet should satisfy the condition:
+packetlen >= bodylen + 4. Otherwise, heap overflows may happen.
+
+Signed-off-by: whichbug <whichbug@github.com>
+
+diff --git a/babeld/message.c b/babeld/message.c
+index 5c2e29d8b..3a29b6a60 100644
+--- a/babeld/message.c
++++ b/babeld/message.c
+@@ -288,13 +288,18 @@ channels_len(unsigned char *channels)
+ static int
+ babel_packet_examin(const unsigned char *packet, int packetlen)
+ {
+-    unsigned i = 0, bodylen;
++    int i = 0, bodylen;
+     const unsigned char *message;
+     unsigned char type, len;
+ 
+     if(packetlen < 4 || packet[0] != 42 || packet[1] != 2)
+         return 1;
+     DO_NTOHS(bodylen, packet + 2);
++    if(bodylen + 4 > packetlen) {
++        debugf(BABEL_DEBUG_COMMON, "Received truncated packet (%d + 4 > %d).",
++                 bodylen, packetlen);
++        return 1;
++    }
+     while (i < bodylen){
+         message = packet + 4 + i;
+         type = message[0];
+@@ -366,12 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,
+ 
+     DO_NTOHS(bodylen, packet + 2);
+ 
+-    if(bodylen + 4 > packetlen) {
+-        flog_err(EC_BABEL_PACKET, "Received truncated packet (%d + 4 > %d).",
+-                 bodylen, packetlen);
+-        bodylen = packetlen - 4;
+-    }
+-
+     i = 0;
+     while(i < bodylen) {
+         message = packet + 4 + i;
+-- 
+2.34.1
+

0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch

@@ -0,0 +1,95 @@
+From c3793352a8d76d2eee1edc38a9a16c1c8a6573f4 Mon Sep 17 00:00:00 2001
+From: qingkaishi <qingkaishi@gmail.com>
+Date: Fri, 4 Feb 2022 16:41:11 -0500
+Upstream: yes
+References: bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129
+Subject: [PATCH] babeld: fix #10502 #10503 by repairing the checks on length
+
+This patch repairs the checking conditions on length in four functions:
+babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv
+
+Signed-off-by: qingkaishi <qingkaishi@gmail.com>
+
+diff --git a/babeld/message.c b/babeld/message.c
+index 5c2e29d8b..053538700 100644
+--- a/babeld/message.c
++++ b/babeld/message.c
+@@ -140,12 +140,12 @@ parse_update_subtlv(const unsigned char *a, int alen,
+             continue;
+         }
+ 
+-        if(i + 1 > alen) {
++        if(i + 1 >= alen) {
+             flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
+             return;
+         }
+         len = a[i + 1];
+-        if(i + len > alen) {
++        if(i + len + 2 > alen) {
+             flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
+             return;
+         }
+@@ -182,19 +182,19 @@ parse_hello_subtlv(const unsigned char *a, int alen,
+     int type, len, i = 0, ret = 0;
+ 
+     while(i < alen) {
+-        type = a[0];
++        type = a[i];
+         if(type == SUBTLV_PAD1) {
+             i++;
+             continue;
+         }
+ 
+-        if(i + 1 > alen) {
++        if(i + 1 >= alen) {
+             flog_err(EC_BABEL_PACKET,
+ 		      "Received truncated sub-TLV on Hello message.");
+             return -1;
+         }
+         len = a[i + 1];
+-        if(i + len > alen) {
++        if(i + len + 2 > alen) {
+             flog_err(EC_BABEL_PACKET,
+ 		      "Received truncated sub-TLV on Hello message.");
+             return -1;
+@@ -228,19 +228,19 @@ parse_ihu_subtlv(const unsigned char *a, int alen,
+     int type, len, i = 0, ret = 0;
+ 
+     while(i < alen) {
+-        type = a[0];
++        type = a[i];
+         if(type == SUBTLV_PAD1) {
+             i++;
+             continue;
+         }
+ 
+-        if(i + 1 > alen) {
++        if(i + 1 >= alen) {
+             flog_err(EC_BABEL_PACKET,
+ 		      "Received truncated sub-TLV on IHU message.");
+             return -1;
+         }
+         len = a[i + 1];
+-        if(i + len > alen) {
++        if(i + len + 2 > alen) {
+             flog_err(EC_BABEL_PACKET,
+ 		      "Received truncated sub-TLV on IHU message.");
+             return -1;
+@@ -302,12 +302,12 @@ babel_packet_examin(const unsigned char *packet, int packetlen)
+             i++;
+             continue;
+         }
+-        if(i + 1 > bodylen) {
++        if(i + 2 > bodylen) {
+             debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
+             return 1;
+         }
+         len = message[1];
+-        if(i + len > bodylen) {
++        if(i + len + 2 > bodylen) {
+             debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
+             return 1;
+         }
+-- 
+2.34.1
+

0006-isisd-fix-10505-using-base64-encoding.patch

@@ -0,0 +1,456 @@
+From ac3133450de12ba86c051265fc0f1b12bc57b40c Mon Sep 17 00:00:00 2001
+From: whichbug <whichbug@github.com>
+Date: Thu, 10 Feb 2022 22:49:41 -0500
+Upstream: yes
+References: bsc#1196506,CVE-2022-26126
+Subject: [PATCH] isisd: fix #10505 using base64 encoding
+
+Using base64 instead of the raw string to encode
+the binary data.
+
+Signed-off-by: whichbug <whichbug@github.com>
+
+diff --git a/isisd/isis_nb_notifications.c b/isisd/isis_nb_notifications.c
+index f219632ac..fd7b1b315 100644
+--- a/isisd/isis_nb_notifications.c
++++ b/isisd/isis_nb_notifications.c
+@@ -245,7 +245,7 @@ void isis_notif_max_area_addr_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, max_area_addrs);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_max_area_addr_mismatch, circuit, max_area_addrs,
+@@ -270,7 +270,7 @@ void isis_notif_authentication_type_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_type_failure, circuit, raw_pdu,
+@@ -294,7 +294,7 @@ void isis_notif_authentication_failure(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_authentication_failure, circuit, raw_pdu,
+@@ -361,7 +361,7 @@ void isis_notif_reject_adjacency(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, reason);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_reject_adjacency, circuit, raw_pdu, raw_pdu_len);
+@@ -384,7 +384,7 @@ void isis_notif_area_mismatch(const struct isis_circuit *circuit,
+ 	notif_prep_instance_hdr(xpath, area, "default", arguments);
+ 	notif_prepr_iface_hdr(xpath, circuit, arguments);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_area_mismatch, circuit, raw_pdu, raw_pdu_len);
+@@ -467,7 +467,7 @@ void isis_notif_id_len_mismatch(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, rcv_id_len);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_id_len_mismatch, circuit, rcv_id_len, raw_pdu,
+@@ -495,7 +495,7 @@ void isis_notif_version_skew(const struct isis_circuit *circuit,
+ 	data = yang_data_new_uint8(xpath_arg, version);
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 
+ 	hook_call(isis_hook_version_skew, circuit, version, raw_pdu,
+@@ -525,7 +525,7 @@ void isis_notif_lsp_error(const struct isis_circuit *circuit,
+ 	data = yang_data_new_string(xpath_arg, rawlspid_print(lsp_id));
+ 	listnode_add(arguments, data);
+ 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
+-	data = yang_data_new(xpath_arg, raw_pdu);
++	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
+ 	listnode_add(arguments, data);
+ 	/* ignore offset and tlv_type which cannot be set properly */
+ 
+diff --git a/lib/base64.c b/lib/base64.c
+new file mode 100644
+index 000000000..e3f238969
+--- /dev/null
++++ b/lib/base64.c
+@@ -0,0 +1,193 @@
++/*
++ * This is part of the libb64 project, and has been placed in the public domain.
++ * For details, see http://sourceforge.net/projects/libb64
++ */
++
++#include "base64.h"
++
++static const int CHARS_PER_LINE = 72;
++static const char *ENCODING =
++	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
++
++void base64_init_encodestate(struct base64_encodestate *state_in)
++{
++	state_in->step = step_A;
++	state_in->result = 0;
++	state_in->stepcount = 0;
++}
++
++char base64_encode_value(char value_in)
++{
++	if (value_in > 63)
++		return '=';
++	return ENCODING[(int)value_in];
++}
++
++int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
++			struct base64_encodestate *state_in)
++{
++	const char *plainchar = plaintext_in;
++	const char *const plaintextend = plaintext_in + length_in;
++	char *codechar = code_out;
++	char result;
++	char fragment;
++
++	result = state_in->result;
++
++	switch (state_in->step) {
++		while (1) {
++			case step_A:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_A;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result = (fragment & 0x0fc) >> 2;
++				*codechar++ = base64_encode_value(result);
++				result = (fragment & 0x003) << 4;
++				/* fall through */
++			case step_B:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_B;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result |= (fragment & 0x0f0) >> 4;
++				*codechar++ = base64_encode_value(result);
++				result = (fragment & 0x00f) << 2;
++				/* fall through */
++			case step_C:
++				if (plainchar == plaintextend) {
++					state_in->result = result;
++					state_in->step = step_C;
++					return codechar - code_out;
++				}
++				fragment = *plainchar++;
++				result |= (fragment & 0x0c0) >> 6;
++				*codechar++ = base64_encode_value(result);
++				result  = (fragment & 0x03f) >> 0;
++				*codechar++ = base64_encode_value(result);
++
++				++(state_in->stepcount);
++				if (state_in->stepcount == CHARS_PER_LINE/4) {
++					*codechar++ = '\n';
++					state_in->stepcount = 0;
++				}
++		}
++	}
++	/* control should not reach here */
++	return codechar - code_out;
++}
++
++int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in)
++{
++	char *codechar = code_out;
++
++	switch (state_in->step) {
++	case step_B:
++		*codechar++ = base64_encode_value(state_in->result);
++		*codechar++ = '=';
++		*codechar++ = '=';
++		break;
++	case step_C:
++		*codechar++ = base64_encode_value(state_in->result);
++		*codechar++ = '=';
++		break;
++	case step_A:
++		break;
++	}
++	*codechar++ = '\n';
++
++	return codechar - code_out;
++}
++
++
++signed char base64_decode_value(signed char value_in)
++{
++	static const signed char decoding[] = {
++		62, -1, -1, -1, 63, 52, 53, 54,
++		55, 56, 57, 58, 59, 60, 61, -1,
++		-1, -1, -2, -1, -1, -1, 0, 1,
++		2,  3, 4, 5, 6, 7, 8, 9,
++		10, 11, 12, 13, 14, 15, 16, 17,
++		18, 19, 20, 21, 22, 23, 24, 25,
++		-1, -1, -1, -1, -1, -1, 26, 27,
++		28, 29, 30, 31, 32, 33, 34, 35,
++		36, 37, 38, 39, 40, 41, 42, 43,
++		44, 45, 46, 47, 48, 49, 50, 51
++	};
++	value_in -= 43;
++	if (value_in < 0 || value_in >= 80)
++		return -1;
++	return decoding[(int)value_in];
++}
++
++void base64_init_decodestate(struct base64_decodestate *state_in)
++{
++	state_in->step = step_a;
++	state_in->plainchar = 0;
++}
++
++int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
++			struct base64_decodestate *state_in)
++{
++	const char *codec = code_in;
++	char *plainc = plaintext_out;
++	signed char fragmt;
++
++	*plainc = state_in->plainchar;
++
++	switch (state_in->step) {
++		while (1) {
++			case step_a:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_a;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc = (fragmt & 0x03f) << 2;
++				/* fall through */
++			case step_b:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_b;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++ |= (fragmt & 0x030) >> 4;
++				*plainc = (fragmt & 0x00f) << 4;
++				/* fall through */
++			case step_c:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_c;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++ |= (fragmt & 0x03c) >> 2;
++				*plainc = (fragmt & 0x003) << 6;
++				/* fall through */
++			case step_d:
++				do {
++					if (codec == code_in+length_in) {
++						state_in->step = step_d;
++						state_in->plainchar = *plainc;
++						return plainc - plaintext_out;
++					}
++					fragmt = base64_decode_value(*codec++);
++				} while (fragmt < 0);
++				*plainc++   |= (fragmt & 0x03f);
++		}
++	}
++	/* control should not reach here */
++	return plainc - plaintext_out;
++}
+diff --git a/lib/base64.h b/lib/base64.h
+new file mode 100644
+index 000000000..3dc1559aa
+--- /dev/null
++++ b/lib/base64.h
+@@ -0,0 +1,45 @@
++/*
++ * This is part of the libb64 project, and has been placed in the public domain.
++ * For details, see http://sourceforge.net/projects/libb64
++ */
++
++#ifndef _BASE64_H_
++#define _BASE64_H_
++
++enum base64_encodestep {
++	step_A, step_B, step_C
++};
++
++struct base64_encodestate {
++	enum base64_encodestep step;
++	char result;
++	int stepcount;
++};
++
++void base64_init_encodestate(struct base64_encodestate *state_in);
++
++char base64_encode_value(char value_in);
++
++int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
++			struct base64_encodestate *state_in);
++
++int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in);
++
++
++enum base64_decodestep {
++	step_a, step_b, step_c, step_d
++};
++
++struct base64_decodestate {
++	enum base64_decodestep step;
++	char plainchar;
++};
++
++void base64_init_decodestate(struct base64_decodestate *state_in);
++
++signed char base64_decode_value(signed char value_in);
++
++int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
++			struct base64_decodestate *state_in);
++
++#endif /* _BASE64_H_ */
+diff --git a/lib/subdir.am b/lib/subdir.am
+index 648ab7f14..f8f82f276 100644
+--- a/lib/subdir.am
++++ b/lib/subdir.am
+@@ -8,6 +8,7 @@ lib_libfrr_la_LIBADD = $(LIBCAP) $(UNWIND_LIBS) $(LIBYANG_LIBS) $(LUA_LIB) $(UST
+ lib_libfrr_la_SOURCES = \
+ 	lib/agg_table.c \
+ 	lib/atomlist.c \
++	lib/base64.c \
+ 	lib/bfd.c \
+ 	lib/buffer.c \
+ 	lib/checksum.c \
+@@ -177,6 +178,7 @@ clippy_scan += \
+ pkginclude_HEADERS += \
+ 	lib/agg_table.h \
+ 	lib/atomlist.h \
++	lib/base64.h \
+ 	lib/bfd.h \
+ 	lib/bitfield.h \
+ 	lib/buffer.h \
+diff --git a/lib/yang_wrappers.c b/lib/yang_wrappers.c
+index 85aa003db..bee76c6e0 100644
+--- a/lib/yang_wrappers.c
++++ b/lib/yang_wrappers.c
+@@ -19,6 +19,7 @@
+ 
+ #include <zebra.h>
+ 
++#include "base64.h"
+ #include "log.h"
+ #include "lib_errors.h"
+ #include "northbound.h"
+@@ -676,6 +677,64 @@ void yang_get_default_string_buf(char *buf, size_t size, const char *xpath_fmt,
+ 			  xpath);
+ }
+ 
++/*
++ * Primitive type: binary.
++ */
++struct yang_data *yang_data_new_binary(const char *xpath, const char *value,
++				       size_t len)
++{
++	char *value_str;
++	struct base64_encodestate s;
++	int cnt;
++	char *c;
++	struct yang_data *data;
++
++	value_str = (char *)malloc(len * 2);
++	base64_init_encodestate(&s);
++	cnt = base64_encode_block(value, len, value_str, &s);
++	c = value_str + cnt;
++	cnt = base64_encode_blockend(c, &s);
++	c += cnt;
++	*c = 0;
++	data = yang_data_new(xpath, value_str);
++	free(value_str);
++	return data;
++}
++
++size_t yang_dnode_get_binary_buf(char *buf, size_t size,
++				 const struct lyd_node *dnode,
++				 const char *xpath_fmt, ...)
++{
++	const char *canon;
++	size_t cannon_len;
++	size_t decode_len;
++	size_t ret_len;
++	size_t cnt;
++	char *value_str;
++	struct base64_decodestate s;
++
++	canon = YANG_DNODE_XPATH_GET_CANON(dnode, xpath_fmt);
++	cannon_len = strlen(canon);
++	decode_len = cannon_len;
++	value_str = (char *)malloc(decode_len);
++	base64_init_decodestate(&s);
++	cnt = base64_decode_block(canon, cannon_len, value_str, &s);
++
++	ret_len = size > cnt ? cnt : size;
++	memcpy(buf, value_str, ret_len);
++	if (size < cnt) {
++		char xpath[XPATH_MAXLEN];
++
++		yang_dnode_get_path(dnode, xpath, sizeof(xpath));
++		flog_warn(EC_LIB_YANG_DATA_TRUNCATED,
++			  "%s: value was truncated [xpath %s]", __func__,
++			  xpath);
++	}
++	free(value_str);
++	return ret_len;
++}
++
++
+ /*
+  * Primitive type: empty.
+  */
+diff --git a/lib/yang_wrappers.h b/lib/yang_wrappers.h
+index d781dfb1e..56b314876 100644
+--- a/lib/yang_wrappers.h
++++ b/lib/yang_wrappers.h
+@@ -118,6 +118,13 @@ extern const char *yang_get_default_string(const char *xpath_fmt, ...);
+ extern void yang_get_default_string_buf(char *buf, size_t size,
+ 					const char *xpath_fmt, ...);
+ 
++/* binary */
++extern struct yang_data *yang_data_new_binary(const char *xpath,
++					      const char *value, size_t len);
++extern size_t yang_dnode_get_binary_buf(char *buf, size_t size,
++					const struct lyd_node *dnode,
++					const char *xpath_fmt, ...);
++
+ /* empty */
+ extern struct yang_data *yang_data_new_empty(const char *xpath);
+ extern bool yang_dnode_get_empty(const struct lyd_node *dnode,
+-- 
+2.34.1
+

frr.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Mon Feb 28 11:05:48 UTC 2022 - Marius Tomaschewski <mt@suse.com>
+
+- Apply fix for a buffer overflow in isisd due to the use of strdup
+  with a non-zero-terminated binary string (bsc#1196506,CVE-2022-26126)
+  [+ 0006-isisd-fix-10505-using-base64-encoding.patch]
+- Apply fix for a buffer overflow in isisd due to wrong checks on
+  the input packet length (bsc#1196505,CVE-2022-26125) with workaround
+  for the GIT binary patch to tests/isisd/test_fuzz_isis_tlv_tests.h.gz
+  [+ 0005-isisd-fix-router-capability-TLV-parsing-issues.patch]
+- Apply fix for a buffer overflow in babeld due to wrong checks on
+  the input packet length in the packet_examin and subtlv parsing
+  (bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129)
+  [+ 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch]
+- Apply fix for a heap buffer overflow in babeld due to missing check
+  on the input packet length (bsc#1196503,CVE-2022-26127)
+  [+ 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch]
+
 -------------------------------------------------------------------
 Thu Dec  9 08:40:11 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 

frr.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package frr
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 # Copyright (c) 2019-2021, Martin Hauke <mardnh@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
@@ -43,6 +43,10 @@ Source:         https://github.com/FRRouting/frr/archive/%{name}-%{version}.tar.
 Source1:        %{name}-tmpfiles.d
 Patch1:         0001-disable-zmq-test.patch
 Patch2:         harden_frr.service.patch
+Patch3:         0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch
+Patch4:         0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
+Patch5:         0005-isisd-fix-router-capability-TLV-parsing-issues.patch
+Patch6:         0006-isisd-fix-10505-using-base64-encoding.patch
 BuildRequires:  %{python_module Sphinx}
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module pytest}
@@ -79,7 +83,7 @@ BuildRequires:  pkgconfig(sqlite3)
 Requires(post): %{install_info_prereq}
 Requires(pre):  %{install_info_prereq}
 Requires(pre):  shadow
-Requires(preun): %{install_info_prereq}
+Requires(preun):%{install_info_prereq}
 Recommends:     logrotate
 Conflicts:      quagga
 Provides:       zebra = %{version}
@@ -183,6 +187,12 @@ developing OSPF-API and frr applications.
 %setup -q -n %{name}-%{name}-%{version}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+gzip -d tests/isisd/test_fuzz_isis_tlv_tests.h.gz
+%patch5 -p1
+gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h
+%patch6 -p1
 
 %build
 # GCC LTO objects must be "fat" to avoid assembly errors