Accepting request 1167542 from network

- add
  0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch:
  * Apply upstream fix on error handling when receiving BGP Prefix
    SID attribute (bsc#1222518,CVE-2024-31948,gh#FRRouting/frr#15628)

- Migration of PAM settings to /usr/lib/pam.d.
  [+ 0001-disable-zmq-test.patch]
- enable verbose make rules
- Cleanup spec file

OBS-URL: https://build.opensuse.org/request/show/1167542
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/frr?expand=0&rev=30

0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch

@@ -0,0 +1,121 @@
+From 51679e4504546584d98673b76ed8e12a8bc74fe0 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Wed, 27 Mar 2024 18:42:56 +0200
+Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID
+ attribute
+References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628
+
+
+Without this patch, we always set the BGP Prefix SID attribute flag without
+checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded.
+
+Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received,
+with malformed transitive flags and/or TLVs.
+
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+(cherry picked from commit ba6a8f1a31e1a88df2de69ea46068e8bd9b97138)
+---
+ bgpd/bgp_attr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 7144c4bfa73d..2e2845b8fa7e 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -1400,6 +1400,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+ 	case BGP_ATTR_AS4_AGGREGATOR:
+ 	case BGP_ATTR_AGGREGATOR:
+ 	case BGP_ATTR_ATOMIC_AGGREGATE:
++	case BGP_ATTR_PREFIX_SID:
+ 		return BGP_ATTR_PARSE_PROCEED;
+ 
+ 	/* Core attributes, particularly ones which may influence route
+@@ -3146,8 +3147,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
+ 	struct attr *const attr = args->attr;
+ 	enum bgp_attr_parse_ret ret;
+ 
+-	attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID);
+-
+ 	uint8_t type;
+ 	uint16_t length;
+ 	size_t headersz = sizeof(type) + sizeof(length);
+@@ -3197,6 +3196,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
+ 		}
+ 	}
+ 
++	SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID));
++
+ 	return BGP_ATTR_PARSE_PROCEED;
+ }
+ 
+
+From 9240abccb564043c85180916b77cad5b194a49c9 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Wed, 27 Mar 2024 19:08:38 +0200
+Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place
+References: bsc#1222518 CVE-2024-31948 gh#FRRouting/frr#15628
+Upstream: submitted
+
+If we receive an attribute that is handled by bgp_attr_malformed(), use
+treat-as-withdraw behavior for unknown (or missing to add - if new) attributes.
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+(cherry picked from commit babb23b74855e23c987a63f8256d24e28c044d07)
+---
+ bgpd/bgp_attr.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 2e2845b8fa7e..7570598a3d7f 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -1391,6 +1391,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+ 			(args->startp - STREAM_DATA(BGP_INPUT(peer)))
+ 				+ args->total);
+ 
++	/* Partial optional attributes that are malformed should not cause
++	 * the whole session to be reset. Instead treat it as a withdrawal
++	 * of the routes, if possible.
++	 */
++	if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) &&
++	    CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) &&
++	    CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
++		return BGP_ATTR_PARSE_WITHDRAW;
++
+ 	switch (args->type) {
+ 	/* where an attribute is relatively inconsequential, e.g. it does not
+ 	 * affect route selection, and can be safely ignored, then any such
+@@ -1425,19 +1434,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+ 		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, subcode,
+ 					  notify_datap, length);
+ 		return BGP_ATTR_PARSE_ERROR;
++	default:
++		/* Unknown attributes, that are handled by this function
++		 * should be treated as withdraw, to prevent one more CVE
++		 * from being introduced.
++		 * RFC 7606 says:
++		 * The "treat-as-withdraw" approach is generally preferred
++		 * and the "session reset" approach is discouraged.
++		 */
++		flog_err(EC_BGP_ATTR_FLAG,
++			 "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw",
++			 lookup_msg(attr_str, args->type, NULL), args->type);
++		break;
+ 	}
+ 
+-	/* Partial optional attributes that are malformed should not cause
+-	 * the whole session to be reset. Instead treat it as a withdrawal
+-	 * of the routes, if possible.
+-	 */
+-	if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS)
+-	    && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL)
+-	    && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
+-		return BGP_ATTR_PARSE_WITHDRAW;
+-
+-	/* default to reset */
+-	return BGP_ATTR_PARSE_ERROR_NOTIFYPLS;
++	return BGP_ATTR_PARSE_WITHDRAW;
+ }
+ 
+ /* Find out what is wrong with the path attribute flag bits and log the error.

frr.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Apr 10 18:59:00 UTC 2024 - Clemens Famulla-Conrad <cfamullaconrad@suse.com>
+
+- add
+  0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch:
+  * Apply upstream fix on error handling when receiving BGP Prefix
+    SID attribute (bsc#1222518,CVE-2024-31948,gh#FRRouting/frr#15628)
+
 -------------------------------------------------------------------
 Thu Feb  8 06:55:28 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 
@@ -84,7 +92,7 @@ Mon Apr  3 14:00:27 UTC 2023 - Marius Tomaschewski <mt@suse.com>
 -------------------------------------------------------------------
 Fri Jan 13 12:27:58 UTC 2023 - Stefan Schubert <schubi@suse.com>
 
-- Migration of PAM settings to /usr/lib/pam.d. 
+- Migration of PAM settings to /usr/lib/pam.d.
 
 -------------------------------------------------------------------
 Fri Nov 11 13:04:52 UTC 2022 - Marius Tomaschewski <mt@suse.com>
@@ -246,7 +254,7 @@ Fri Jan  8 08:08:08 UTC 2021 - olaf@aepfle.de
 Tue Dec 22 10:54:56 UTC 2020 - Rubén Torrero Marijnissen <rtorreromarijnissen@suse.com>
 
 - Disable ZeroMQ tests due to sporadic timeouts during package builds (bsc#1180217)
-  [+ 0001-disable-zmq-test.patch] 
+  [+ 0001-disable-zmq-test.patch]
 
 -------------------------------------------------------------------
 Wed Nov  4 19:17:10 UTC 2020 - Martin Hauke <mardnh@gmx.de>
@@ -285,7 +293,7 @@ Wed May  6 16:07:32 UTC 2020 - Martin Hauke <mardnh@gmx.de>
 -------------------------------------------------------------------
 Tue Apr  7 21:38:12 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
 
-- enable verbose make rules 
+- enable verbose make rules
 - enable grpc support. new subpackage libfrrgrpc_pb0, new BR:
   pkgconfig(grpc)
 - enable config rollbacks. new BR: pkgconfig(sqlite3)
@@ -362,7 +370,7 @@ Wed Jan 15 20:34:50 UTC 2020 - Martin Hauke <mardnh@gmx.de>
 -------------------------------------------------------------------
 Wed Jan 15 14:34:59 UTC 2020 - Ismail Dönmez <idonmez@suse.com>
 
-- Cleanup spec file 
+- Cleanup spec file
 
 -------------------------------------------------------------------
 Sun Jan 12 09:40:39 UTC 2020 - Martin Hauke <mardnh@gmx.de>

frr.spec

@@ -57,6 +57,7 @@ Patch15:        0015-bgpd-Treat-EOR-as-withdrawn-to-avoid-unwanted-handli.patch
 Patch16:        0016-bgpd-Ignore-handling-NLRIs-if-we-received-MP_UNREACH.patch
 Patch17:        0017-bgpd-Fix-use-beyond-end-of-stream-of-labeled-unicast.patch
 Patch18:        0018-bgpd-Flowspec-overflow-issue.patch
+Patch19:        0019-bgpd-fix-error-handling-when-receiving-BGP-Prefix-SID-attribute.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7