Accepting request 1035289 from home:mtomaschewski:branches:network

- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
  file to vendor specific directory /usr/etc/logrotate.d and added
  saving of user changed configuration files in /etc and restoring
  them while an RPM update.
- Declare root as sufficient also in the pam account verification;
  without vtysh use causes to log a pam frr:account warnings
  (https://github.com/FRRouting/frr/pull/12308)
  [+ 0005-root-ok-in-account-frr.pam.patch]
- Applied fix removing a not needed backslash causing to log a warning
  (https://github.com/FRRouting/frr/pull/12307)
  [+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
  from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
  https://github.com/FRRouting/frr/pull/12157).
  [+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
- Removed obsolete patches provided in the 8.4 source archive:
  [- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
   - 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
   - 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
   - 0006-isisd-fix-10505-using-base64-encoding.patch,
   - 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
   - 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
- Update to version 8.4, see https://frrouting.org/release/8.4/
  * New BGP command (neighbor PEER soo) to configure SoO to prevent
    routing loops and suboptimal routing on dual-homed sites.
  * Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
    because previously we allowed using martian next-hops when debug is
    turned on.
  * Implement BGP Prefix Origin Validation State Extended Community rfc8097
  *  Implement Route Leak Prevention and Detection Using Roles in UPDATE

OBS-URL: https://build.opensuse.org/request/show/1035289
OBS-URL: https://build.opensuse.org/package/show/network/frr?expand=0&rev=43

0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch

@@ -1,52 +0,0 @@
-From 50044ec7fe129e0a74d3a679dd29fe17ce30e6bf Mon Sep 17 00:00:00 2001
-From: whichbug <whichbug@github.com>
-Date: Thu, 3 Feb 2022 12:01:31 -0500
-Upstream: yes
-References: bsc#1196503,CVE-2022-26127
-Subject: [PATCH] babeld: fix #10487 by adding a check on packet length
-
-The body length of a packet should satisfy the condition:
-packetlen >= bodylen + 4. Otherwise, heap overflows may happen.
-
-Signed-off-by: whichbug <whichbug@github.com>
-
-diff --git a/babeld/message.c b/babeld/message.c
-index 5c2e29d8b..3a29b6a60 100644
---- a/babeld/message.c
-+++ b/babeld/message.c
-@@ -288,13 +288,18 @@ channels_len(unsigned char *channels)
- static int
- babel_packet_examin(const unsigned char *packet, int packetlen)
- {
--    unsigned i = 0, bodylen;
-+    int i = 0, bodylen;
-     const unsigned char *message;
-     unsigned char type, len;
- 
-     if(packetlen < 4 || packet[0] != 42 || packet[1] != 2)
-         return 1;
-     DO_NTOHS(bodylen, packet + 2);
-+    if(bodylen + 4 > packetlen) {
-+        debugf(BABEL_DEBUG_COMMON, "Received truncated packet (%d + 4 > %d).",
-+                 bodylen, packetlen);
-+        return 1;
-+    }
-     while (i < bodylen){
-         message = packet + 4 + i;
-         type = message[0];
-@@ -366,12 +371,6 @@ parse_packet(const unsigned char *from, struct interface *ifp,
- 
-     DO_NTOHS(bodylen, packet + 2);
- 
--    if(bodylen + 4 > packetlen) {
--        flog_err(EC_BABEL_PACKET, "Received truncated packet (%d + 4 > %d).",
--                 bodylen, packetlen);
--        bodylen = packetlen - 4;
--    }
--
-     i = 0;
-     while(i < bodylen) {
-         message = packet + 4 + i;
--- 
-2.34.1
-

0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch

@@ -0,0 +1,93 @@
+From 401053f3ccc7be3a6a976f6f7f1674bdeb3c983e Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Thu, 20 Oct 2022 09:10:22 +0300
+References: bsc#1204124,CVE-2022-42917,https://github.com/FRRouting/frr/pull/12157
+Upstream: submitted
+Subject: [PATCH] tools: Run as FRR_USER `install/chown` commands to avoid race
+ conditions
+
+This is due to CVE-2022-42917: https://bugzilla.suse.com/show_bug.cgi?id=1204124
+
+install/chown is in most cases (as I tested) is enough, but still, can be racy.
+
+Tested on Linux/OpenBSD/NetBSD/FreeBSD, seems a unified way to do this.
+
+For Linux `runuser` can be used, but *BSD do not have this command.
+
+Proof of concept:
+
+```
+% sudo su - frr
+[sudo] password for donatas:
+su: warning: cannot change directory to /nonexistent: No such file or directory
+frr@donatas-laptop:/home/donatas$ cd /etc/frr/
+frr@donatas-laptop:/etc/frr$ rm -f zebra.conf; inotifywait -e CREATE .; rm -f zebra.conf; ln -s /etc/shadow zebra.conf
+Setting up watches.
+Watches established.
+./ CREATE zebra.conf
+frr@donatas-laptop:/etc/frr$ ls -la zebra.conf
+lrwxrwxrwx 1 frr frr 11 spal.  20 09:25 zebra.conf -> /etc/shadow
+frr@donatas-laptop:/etc/frr$ cat zebra.conf
+cat: zebra.conf: Permission denied
+frr@donatas-laptop:/etc/frr$
+```
+
+On the other terminal do:
+
+```
+/usr/lib/frr/frrinit.sh restart
+```
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+
+diff --git a/tools/frr.in b/tools/frr.in
+index e9f1122834..5f3f425a1e 100755
+--- a/tools/frr.in
++++ b/tools/frr.in
+@@ -96,10 +96,10 @@ check_daemon()
+ 		# check for config file
+ 		if [ -n "$2" ]; then
+ 			if [ ! -r "$C_PATH/$1-$2.conf" ]; then
+-				install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1-$2.conf"
++				su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1-$2.conf\""
+ 			fi
+ 		elif [ ! -r "$C_PATH/$1.conf" ]; then
+-			install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$C_PATH/$1.conf"
++			su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$C_PATH/$1.conf\""
+ 		fi
+ 	fi
+ 	return 0
+@@ -524,7 +524,7 @@ convert_daemon_prios
+ 
+ if [ ! -d $V_PATH ]; then
+ 	echo "Creating $V_PATH"
+-	install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
++	su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
+ 	chmod gu+x "${V_PATH}"
+ fi
+ 
+diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
+index 61f1abb378..4d5d688d57 100755
+--- a/tools/frrcommon.sh.in
++++ b/tools/frrcommon.sh.in
+@@ -143,7 +143,7 @@ daemon_prep() {
+ 
+ 	cfg="$C_PATH/$daemon${inst:+-$inst}.conf"
+ 	if [ ! -r "$cfg" ]; then
+-		install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" /dev/null "$cfg"
++		su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" /dev/null \"$cfg\""
+ 	fi
+ 	return 0
+ }
+@@ -161,7 +161,7 @@ daemon_start() {
+ 	[ "$MAX_FDS" != "" ] && ulimit -n "$MAX_FDS" > /dev/null 2> /dev/null
+ 	daemon_prep "$daemon" "$inst" || return 1
+ 	if test ! -d "$V_PATH"; then
+-		install -g "$FRR_GROUP" -o "$FRR_USER" -m "$FRR_CONFIG_MODE" -d "$V_PATH"
++		su - "${FRR_USER}" -c "install -g \"$FRR_GROUP\" -o \"$FRR_USER\" -m \"$FRR_CONFIG_MODE\" -d \"$V_PATH\""
+ 		chmod gu+x "${V_PATH}"
+ 	fi
+ 
+-- 
+2.35.3
+

0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch

@@ -1,95 +0,0 @@
-From c3793352a8d76d2eee1edc38a9a16c1c8a6573f4 Mon Sep 17 00:00:00 2001
-From: qingkaishi <qingkaishi@gmail.com>
-Date: Fri, 4 Feb 2022 16:41:11 -0500
-Upstream: yes
-References: bsc#1196504,bsc#1196507,CVE-2022-26128,CVE-2022-26129
-Subject: [PATCH] babeld: fix #10502 #10503 by repairing the checks on length
-
-This patch repairs the checking conditions on length in four functions:
-babel_packet_examin, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv
-
-Signed-off-by: qingkaishi <qingkaishi@gmail.com>
-
-diff --git a/babeld/message.c b/babeld/message.c
-index 5c2e29d8b..053538700 100644
---- a/babeld/message.c
-+++ b/babeld/message.c
-@@ -140,12 +140,12 @@ parse_update_subtlv(const unsigned char *a, int alen,
-             continue;
-         }
- 
--        if(i + 1 > alen) {
-+        if(i + 1 >= alen) {
-             flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
-             return;
-         }
-         len = a[i + 1];
--        if(i + len > alen) {
-+        if(i + len + 2 > alen) {
-             flog_err(EC_BABEL_PACKET, "Received truncated attributes.");
-             return;
-         }
-@@ -182,19 +182,19 @@ parse_hello_subtlv(const unsigned char *a, int alen,
-     int type, len, i = 0, ret = 0;
- 
-     while(i < alen) {
--        type = a[0];
-+        type = a[i];
-         if(type == SUBTLV_PAD1) {
-             i++;
-             continue;
-         }
- 
--        if(i + 1 > alen) {
-+        if(i + 1 >= alen) {
-             flog_err(EC_BABEL_PACKET,
- 		      "Received truncated sub-TLV on Hello message.");
-             return -1;
-         }
-         len = a[i + 1];
--        if(i + len > alen) {
-+        if(i + len + 2 > alen) {
-             flog_err(EC_BABEL_PACKET,
- 		      "Received truncated sub-TLV on Hello message.");
-             return -1;
-@@ -228,19 +228,19 @@ parse_ihu_subtlv(const unsigned char *a, int alen,
-     int type, len, i = 0, ret = 0;
- 
-     while(i < alen) {
--        type = a[0];
-+        type = a[i];
-         if(type == SUBTLV_PAD1) {
-             i++;
-             continue;
-         }
- 
--        if(i + 1 > alen) {
-+        if(i + 1 >= alen) {
-             flog_err(EC_BABEL_PACKET,
- 		      "Received truncated sub-TLV on IHU message.");
-             return -1;
-         }
-         len = a[i + 1];
--        if(i + len > alen) {
-+        if(i + len + 2 > alen) {
-             flog_err(EC_BABEL_PACKET,
- 		      "Received truncated sub-TLV on IHU message.");
-             return -1;
-@@ -302,12 +302,12 @@ babel_packet_examin(const unsigned char *packet, int packetlen)
-             i++;
-             continue;
-         }
--        if(i + 1 > bodylen) {
-+        if(i + 2 > bodylen) {
-             debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
-             return 1;
-         }
-         len = message[1];
--        if(i + len > bodylen) {
-+        if(i + len + 2 > bodylen) {
-             debugf(BABEL_DEBUG_COMMON,"Received truncated message.");
-             return 1;
-         }
--- 
-2.34.1
-

0004-tools-remove-backslash-from-declare-check-regex.patch

@@ -0,0 +1,29 @@
+From 3474b220e036497e6bbe23428645217c275f9f87 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski <mt@suse.com>
+Date: Fri, 11 Nov 2022 12:26:04 +0100
+References: https://github.com/FRRouting/frr/pull/12307
+Upstream: submitted
+Subject: [PATCH] tools: remove backslash from declare check regex
+
+The backslash in `grep -q '^declare \-a'` is not needed and
+causes `grep: warning: stray \ before -` warning in grep-3.8.
+---
+ tools/frrcommon.sh.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
+index 61f1abb378..3c16c27c6d 100755
+--- a/tools/frrcommon.sh.in
++++ b/tools/frrcommon.sh.in
+@@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then
+ 	load_old_config "/etc/sysconfig/frr"
+ fi
+ 
+-if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare \-a'; then
++if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare -a'; then
+ 	log_warning_msg "watchfrr_options contains a bash array value." \
+ 		"The configured value is intentionally ignored since it is likely wrong." \
+ 		"Please remove or fix the setting."
+-- 
+2.35.3
+

0005-root-ok-in-account-frr.pam.patch

@@ -0,0 +1,33 @@
+From cb467471b31cd653e758bc3f82fffe7c44654796 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski <mt@suse.com>
+Date: Fri, 11 Nov 2022 14:50:12 +0100
+References: https://github.com/FRRouting/frr/pull/12308
+Upstream: submitted
+Subject: [PATCH] pam: declare root as sufficient frr pam account
+
+https://github.com/FRRouting/frr/pull/11465 enabled account verification,
+but the pam config declares rootok as sufficient in authentication only
+and not in account verification, what causes warning in the log:
+
+vtysh[3747]: pam_warn(frr:account): function=[pam_sm_acct_mgmt]
+             flags=0 service=[frr] terminal=[<unknown>] user=[root]
+	     ruser=[<unknown>] rhost=[<unknown>]
+---
+ redhat/frr.pam | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/redhat/frr.pam b/redhat/frr.pam
+index 5cef5d9d74..17a62f1999 100644
+--- a/redhat/frr.pam
++++ b/redhat/frr.pam
+@@ -5,6 +5,7 @@
+ # Only allow root (and possibly wheel) to use this because enable access
+ # is unrestricted.
+ auth       sufficient   pam_rootok.so
++account    sufficient   pam_rootok.so
+ 
+ # Uncomment the following line to implicitly trust users in the "wheel" group.
+ #auth       sufficient   pam_wheel.so trust use_uid
+-- 
+2.35.3
+

0006-isisd-fix-10505-using-base64-encoding.patch

@@ -1,456 +0,0 @@
-From ac3133450de12ba86c051265fc0f1b12bc57b40c Mon Sep 17 00:00:00 2001
-From: whichbug <whichbug@github.com>
-Date: Thu, 10 Feb 2022 22:49:41 -0500
-Upstream: yes
-References: bsc#1196506,CVE-2022-26126
-Subject: [PATCH] isisd: fix #10505 using base64 encoding
-
-Using base64 instead of the raw string to encode
-the binary data.
-
-Signed-off-by: whichbug <whichbug@github.com>
-
-diff --git a/isisd/isis_nb_notifications.c b/isisd/isis_nb_notifications.c
-index f219632ac..fd7b1b315 100644
---- a/isisd/isis_nb_notifications.c
-+++ b/isisd/isis_nb_notifications.c
-@@ -245,7 +245,7 @@ void isis_notif_max_area_addr_mismatch(const struct isis_circuit *circuit,
- 	data = yang_data_new_uint8(xpath_arg, max_area_addrs);
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_max_area_addr_mismatch, circuit, max_area_addrs,
-@@ -270,7 +270,7 @@ void isis_notif_authentication_type_failure(const struct isis_circuit *circuit,
- 	notif_prep_instance_hdr(xpath, area, "default", arguments);
- 	notif_prepr_iface_hdr(xpath, circuit, arguments);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_authentication_type_failure, circuit, raw_pdu,
-@@ -294,7 +294,7 @@ void isis_notif_authentication_failure(const struct isis_circuit *circuit,
- 	notif_prep_instance_hdr(xpath, area, "default", arguments);
- 	notif_prepr_iface_hdr(xpath, circuit, arguments);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_authentication_failure, circuit, raw_pdu,
-@@ -361,7 +361,7 @@ void isis_notif_reject_adjacency(const struct isis_circuit *circuit,
- 	data = yang_data_new_string(xpath_arg, reason);
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_reject_adjacency, circuit, raw_pdu, raw_pdu_len);
-@@ -384,7 +384,7 @@ void isis_notif_area_mismatch(const struct isis_circuit *circuit,
- 	notif_prep_instance_hdr(xpath, area, "default", arguments);
- 	notif_prepr_iface_hdr(xpath, circuit, arguments);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_area_mismatch, circuit, raw_pdu, raw_pdu_len);
-@@ -467,7 +467,7 @@ void isis_notif_id_len_mismatch(const struct isis_circuit *circuit,
- 	data = yang_data_new_uint8(xpath_arg, rcv_id_len);
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_id_len_mismatch, circuit, rcv_id_len, raw_pdu,
-@@ -495,7 +495,7 @@ void isis_notif_version_skew(const struct isis_circuit *circuit,
- 	data = yang_data_new_uint8(xpath_arg, version);
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 
- 	hook_call(isis_hook_version_skew, circuit, version, raw_pdu,
-@@ -525,7 +525,7 @@ void isis_notif_lsp_error(const struct isis_circuit *circuit,
- 	data = yang_data_new_string(xpath_arg, rawlspid_print(lsp_id));
- 	listnode_add(arguments, data);
- 	snprintf(xpath_arg, sizeof(xpath_arg), "%s/raw-pdu", xpath);
--	data = yang_data_new(xpath_arg, raw_pdu);
-+	data = yang_data_new_binary(xpath_arg, raw_pdu, raw_pdu_len);
- 	listnode_add(arguments, data);
- 	/* ignore offset and tlv_type which cannot be set properly */
- 
-diff --git a/lib/base64.c b/lib/base64.c
-new file mode 100644
-index 000000000..e3f238969
---- /dev/null
-+++ b/lib/base64.c
-@@ -0,0 +1,193 @@
-+/*
-+ * This is part of the libb64 project, and has been placed in the public domain.
-+ * For details, see http://sourceforge.net/projects/libb64
-+ */
-+
-+#include "base64.h"
-+
-+static const int CHARS_PER_LINE = 72;
-+static const char *ENCODING =
-+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-+
-+void base64_init_encodestate(struct base64_encodestate *state_in)
-+{
-+	state_in->step = step_A;
-+	state_in->result = 0;
-+	state_in->stepcount = 0;
-+}
-+
-+char base64_encode_value(char value_in)
-+{
-+	if (value_in > 63)
-+		return '=';
-+	return ENCODING[(int)value_in];
-+}
-+
-+int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
-+			struct base64_encodestate *state_in)
-+{
-+	const char *plainchar = plaintext_in;
-+	const char *const plaintextend = plaintext_in + length_in;
-+	char *codechar = code_out;
-+	char result;
-+	char fragment;
-+
-+	result = state_in->result;
-+
-+	switch (state_in->step) {
-+		while (1) {
-+			case step_A:
-+				if (plainchar == plaintextend) {
-+					state_in->result = result;
-+					state_in->step = step_A;
-+					return codechar - code_out;
-+				}
-+				fragment = *plainchar++;
-+				result = (fragment & 0x0fc) >> 2;
-+				*codechar++ = base64_encode_value(result);
-+				result = (fragment & 0x003) << 4;
-+				/* fall through */
-+			case step_B:
-+				if (plainchar == plaintextend) {
-+					state_in->result = result;
-+					state_in->step = step_B;
-+					return codechar - code_out;
-+				}
-+				fragment = *plainchar++;
-+				result |= (fragment & 0x0f0) >> 4;
-+				*codechar++ = base64_encode_value(result);
-+				result = (fragment & 0x00f) << 2;
-+				/* fall through */
-+			case step_C:
-+				if (plainchar == plaintextend) {
-+					state_in->result = result;
-+					state_in->step = step_C;
-+					return codechar - code_out;
-+				}
-+				fragment = *plainchar++;
-+				result |= (fragment & 0x0c0) >> 6;
-+				*codechar++ = base64_encode_value(result);
-+				result  = (fragment & 0x03f) >> 0;
-+				*codechar++ = base64_encode_value(result);
-+
-+				++(state_in->stepcount);
-+				if (state_in->stepcount == CHARS_PER_LINE/4) {
-+					*codechar++ = '\n';
-+					state_in->stepcount = 0;
-+				}
-+		}
-+	}
-+	/* control should not reach here */
-+	return codechar - code_out;
-+}
-+
-+int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in)
-+{
-+	char *codechar = code_out;
-+
-+	switch (state_in->step) {
-+	case step_B:
-+		*codechar++ = base64_encode_value(state_in->result);
-+		*codechar++ = '=';
-+		*codechar++ = '=';
-+		break;
-+	case step_C:
-+		*codechar++ = base64_encode_value(state_in->result);
-+		*codechar++ = '=';
-+		break;
-+	case step_A:
-+		break;
-+	}
-+	*codechar++ = '\n';
-+
-+	return codechar - code_out;
-+}
-+
-+
-+signed char base64_decode_value(signed char value_in)
-+{
-+	static const signed char decoding[] = {
-+		62, -1, -1, -1, 63, 52, 53, 54,
-+		55, 56, 57, 58, 59, 60, 61, -1,
-+		-1, -1, -2, -1, -1, -1, 0, 1,
-+		2,  3, 4, 5, 6, 7, 8, 9,
-+		10, 11, 12, 13, 14, 15, 16, 17,
-+		18, 19, 20, 21, 22, 23, 24, 25,
-+		-1, -1, -1, -1, -1, -1, 26, 27,
-+		28, 29, 30, 31, 32, 33, 34, 35,
-+		36, 37, 38, 39, 40, 41, 42, 43,
-+		44, 45, 46, 47, 48, 49, 50, 51
-+	};
-+	value_in -= 43;
-+	if (value_in < 0 || value_in >= 80)
-+		return -1;
-+	return decoding[(int)value_in];
-+}
-+
-+void base64_init_decodestate(struct base64_decodestate *state_in)
-+{
-+	state_in->step = step_a;
-+	state_in->plainchar = 0;
-+}
-+
-+int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
-+			struct base64_decodestate *state_in)
-+{
-+	const char *codec = code_in;
-+	char *plainc = plaintext_out;
-+	signed char fragmt;
-+
-+	*plainc = state_in->plainchar;
-+
-+	switch (state_in->step) {
-+		while (1) {
-+			case step_a:
-+				do {
-+					if (codec == code_in+length_in) {
-+						state_in->step = step_a;
-+						state_in->plainchar = *plainc;
-+						return plainc - plaintext_out;
-+					}
-+					fragmt = base64_decode_value(*codec++);
-+				} while (fragmt < 0);
-+				*plainc = (fragmt & 0x03f) << 2;
-+				/* fall through */
-+			case step_b:
-+				do {
-+					if (codec == code_in+length_in) {
-+						state_in->step = step_b;
-+						state_in->plainchar = *plainc;
-+						return plainc - plaintext_out;
-+					}
-+					fragmt = base64_decode_value(*codec++);
-+				} while (fragmt < 0);
-+				*plainc++ |= (fragmt & 0x030) >> 4;
-+				*plainc = (fragmt & 0x00f) << 4;
-+				/* fall through */
-+			case step_c:
-+				do {
-+					if (codec == code_in+length_in) {
-+						state_in->step = step_c;
-+						state_in->plainchar = *plainc;
-+						return plainc - plaintext_out;
-+					}
-+					fragmt = base64_decode_value(*codec++);
-+				} while (fragmt < 0);
-+				*plainc++ |= (fragmt & 0x03c) >> 2;
-+				*plainc = (fragmt & 0x003) << 6;
-+				/* fall through */
-+			case step_d:
-+				do {
-+					if (codec == code_in+length_in) {
-+						state_in->step = step_d;
-+						state_in->plainchar = *plainc;
-+						return plainc - plaintext_out;
-+					}
-+					fragmt = base64_decode_value(*codec++);
-+				} while (fragmt < 0);
-+				*plainc++   |= (fragmt & 0x03f);
-+		}
-+	}
-+	/* control should not reach here */
-+	return plainc - plaintext_out;
-+}
-diff --git a/lib/base64.h b/lib/base64.h
-new file mode 100644
-index 000000000..3dc1559aa
---- /dev/null
-+++ b/lib/base64.h
-@@ -0,0 +1,45 @@
-+/*
-+ * This is part of the libb64 project, and has been placed in the public domain.
-+ * For details, see http://sourceforge.net/projects/libb64
-+ */
-+
-+#ifndef _BASE64_H_
-+#define _BASE64_H_
-+
-+enum base64_encodestep {
-+	step_A, step_B, step_C
-+};
-+
-+struct base64_encodestate {
-+	enum base64_encodestep step;
-+	char result;
-+	int stepcount;
-+};
-+
-+void base64_init_encodestate(struct base64_encodestate *state_in);
-+
-+char base64_encode_value(char value_in);
-+
-+int base64_encode_block(const char *plaintext_in, int length_in, char *code_out,
-+			struct base64_encodestate *state_in);
-+
-+int base64_encode_blockend(char *code_out, struct base64_encodestate *state_in);
-+
-+
-+enum base64_decodestep {
-+	step_a, step_b, step_c, step_d
-+};
-+
-+struct base64_decodestate {
-+	enum base64_decodestep step;
-+	char plainchar;
-+};
-+
-+void base64_init_decodestate(struct base64_decodestate *state_in);
-+
-+signed char base64_decode_value(signed char value_in);
-+
-+int base64_decode_block(const char *code_in, int length_in, char *plaintext_out,
-+			struct base64_decodestate *state_in);
-+
-+#endif /* _BASE64_H_ */
-diff --git a/lib/subdir.am b/lib/subdir.am
-index 648ab7f14..f8f82f276 100644
---- a/lib/subdir.am
-+++ b/lib/subdir.am
-@@ -8,6 +8,7 @@ lib_libfrr_la_LIBADD = $(LIBCAP) $(UNWIND_LIBS) $(LIBYANG_LIBS) $(LUA_LIB) $(UST
- lib_libfrr_la_SOURCES = \
- 	lib/agg_table.c \
- 	lib/atomlist.c \
-+	lib/base64.c \
- 	lib/bfd.c \
- 	lib/buffer.c \
- 	lib/checksum.c \
-@@ -177,6 +178,7 @@ clippy_scan += \
- pkginclude_HEADERS += \
- 	lib/agg_table.h \
- 	lib/atomlist.h \
-+	lib/base64.h \
- 	lib/bfd.h \
- 	lib/bitfield.h \
- 	lib/buffer.h \
-diff --git a/lib/yang_wrappers.c b/lib/yang_wrappers.c
-index 85aa003db..bee76c6e0 100644
---- a/lib/yang_wrappers.c
-+++ b/lib/yang_wrappers.c
-@@ -19,6 +19,7 @@
- 
- #include <zebra.h>
- 
-+#include "base64.h"
- #include "log.h"
- #include "lib_errors.h"
- #include "northbound.h"
-@@ -676,6 +677,64 @@ void yang_get_default_string_buf(char *buf, size_t size, const char *xpath_fmt,
- 			  xpath);
- }
- 
-+/*
-+ * Primitive type: binary.
-+ */
-+struct yang_data *yang_data_new_binary(const char *xpath, const char *value,
-+				       size_t len)
-+{
-+	char *value_str;
-+	struct base64_encodestate s;
-+	int cnt;
-+	char *c;
-+	struct yang_data *data;
-+
-+	value_str = (char *)malloc(len * 2);
-+	base64_init_encodestate(&s);
-+	cnt = base64_encode_block(value, len, value_str, &s);
-+	c = value_str + cnt;
-+	cnt = base64_encode_blockend(c, &s);
-+	c += cnt;
-+	*c = 0;
-+	data = yang_data_new(xpath, value_str);
-+	free(value_str);
-+	return data;
-+}
-+
-+size_t yang_dnode_get_binary_buf(char *buf, size_t size,
-+				 const struct lyd_node *dnode,
-+				 const char *xpath_fmt, ...)
-+{
-+	const char *canon;
-+	size_t cannon_len;
-+	size_t decode_len;
-+	size_t ret_len;
-+	size_t cnt;
-+	char *value_str;
-+	struct base64_decodestate s;
-+
-+	canon = YANG_DNODE_XPATH_GET_CANON(dnode, xpath_fmt);
-+	cannon_len = strlen(canon);
-+	decode_len = cannon_len;
-+	value_str = (char *)malloc(decode_len);
-+	base64_init_decodestate(&s);
-+	cnt = base64_decode_block(canon, cannon_len, value_str, &s);
-+
-+	ret_len = size > cnt ? cnt : size;
-+	memcpy(buf, value_str, ret_len);
-+	if (size < cnt) {
-+		char xpath[XPATH_MAXLEN];
-+
-+		yang_dnode_get_path(dnode, xpath, sizeof(xpath));
-+		flog_warn(EC_LIB_YANG_DATA_TRUNCATED,
-+			  "%s: value was truncated [xpath %s]", __func__,
-+			  xpath);
-+	}
-+	free(value_str);
-+	return ret_len;
-+}
-+
-+
- /*
-  * Primitive type: empty.
-  */
-diff --git a/lib/yang_wrappers.h b/lib/yang_wrappers.h
-index d781dfb1e..56b314876 100644
---- a/lib/yang_wrappers.h
-+++ b/lib/yang_wrappers.h
-@@ -118,6 +118,13 @@ extern const char *yang_get_default_string(const char *xpath_fmt, ...);
- extern void yang_get_default_string_buf(char *buf, size_t size,
- 					const char *xpath_fmt, ...);
- 
-+/* binary */
-+extern struct yang_data *yang_data_new_binary(const char *xpath,
-+					      const char *value, size_t len);
-+extern size_t yang_dnode_get_binary_buf(char *buf, size_t size,
-+					const struct lyd_node *dnode,
-+					const char *xpath_fmt, ...);
-+
- /* empty */
- extern struct yang_data *yang_data_new_empty(const char *xpath);
- extern bool yang_dnode_get_empty(const struct lyd_node *dnode,
--- 
-2.34.1
-

0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch

@@ -1,34 +0,0 @@
-From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
-From: Donald Sharp <sharpd@nvidia.com>
-Date: Thu, 21 Jul 2022 08:11:58 -0400
-Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
- expected
-References: bsc#1202023,CVE-2022-37032
-Upstream: yes
-
-Ensure that if the capability length specified is enough data.
-
-Signed-off-by: Donald Sharp <sharpd@nvidia.com>
-
-diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
-index dbf6c0b2e9..45752a8ab6 100644
---- a/bgpd/bgp_packet.c
-+++ b/bgpd/bgp_packet.c
-@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
- 				"%s CAPABILITY has action: %d, code: %u, length %u",
- 				peer->host, action, hdr->code, hdr->length);
- 
-+		if (hdr->length < sizeof(struct capability_mp_data)) {
-+			zlog_info(
-+				"%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
-+				peer, sizeof(struct capability_mp_data),
-+				hdr->length);
-+			return BGP_Stop;
-+		}
-+
- 		/* Capability length check. */
- 		if ((pnt + hdr->length + 3) > end) {
- 			zlog_info("%s Capability length error", peer->host);
--- 
-2.35.3
-

0008-isisd-Ensure-rcap-is-freed-in-error-case.patch

@@ -1,41 +0,0 @@
-From 49efc80d342d8e8373c8af040580bd7940808730 Mon Sep 17 00:00:00 2001
-From: Donald Sharp <sharpd@nvidia.com>
-Date: Wed, 20 Jul 2022 16:49:09 -0400
-Subject: [PATCH] isisd: Ensure rcap is freed in error case
-References: bsc#1202022
-Upstream: yes
-
-unpack_tlv_router_cap allocates memory that in the error
-case is not being freed.
-
-Signed-off-by: Donald Sharp <sharpd@nvidia.com>
-
-diff --git a/isisd/isis_tlvs.c b/isisd/isis_tlvs.c
-index 11be3c3a71..b3c3fd4b0b 100644
---- a/isisd/isis_tlvs.c
-+++ b/isisd/isis_tlvs.c
-@@ -3580,9 +3580,9 @@ static int pack_tlv_router_cap(const struct isis_router_cap *router_cap,
- }
- 
- static int unpack_tlv_router_cap(enum isis_tlv_context context,
--				       uint8_t tlv_type, uint8_t tlv_len,
--				       struct stream *s, struct sbuf *log,
--				       void *dest, int indent)
-+				 uint8_t tlv_type, uint8_t tlv_len,
-+				 struct stream *s, struct sbuf *log, void *dest,
-+				 int indent)
- {
- 	struct isis_tlvs *tlvs = dest;
- 	struct isis_router_cap *rcap;
-@@ -3627,7 +3627,7 @@ static int unpack_tlv_router_cap(enum isis_tlv_context context,
- 				log, indent,
- 				"WARNING: Router Capability subTLV length too large compared to expected size\n");
- 			stream_forward_getp(s, STREAM_READABLE(s));
--
-+			XFREE(MTYPE_ISIS_TLV, rcap);
- 			return 0;
- 		}
- 
--- 
-2.35.3
-

frr-8.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9d82c11b304ab89a30627fcbb4150f51e639f473f8563976e14101e796240599
-size 8514995

frr-8.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4fe5dccf6d41218c3012c2b09c85c4cd65a96299ab400e487191515232f0ee8a
+size 9883194

frr.changes

@@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Fri Nov 11 13:04:52 UTC 2022 - Marius Tomaschewski <mt@suse.com>
+
+- Migration to /usr/etc: Conditionally moved /etc/logrotate.d/frr
+  file to vendor specific directory /usr/etc/logrotate.d and added
+  saving of user changed configuration files in /etc and restoring
+  them while an RPM update.
+- Declare root as sufficient also in the pam account verification;
+  without vtysh use causes to log a pam frr:account warnings
+  (https://github.com/FRRouting/frr/pull/12308)
+  [+ 0005-root-ok-in-account-frr.pam.patch]
+- Applied fix removing a not needed backslash causing to log a warning
+  (https://github.com/FRRouting/frr/pull/12307)
+  [+ 0004-tools-remove-backslash-from-declare-check-regex.patch]
+- Applied upstream fixes for frrinit.sh to avoid a privilege escalation
+  from frr to root in frr config creation (bsc#1204124,CVE-2022-42917,
+  https://github.com/FRRouting/frr/pull/12157).
+  [+ 0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch]
+- Removed obsolete patches provided in the 8.4 source archive:
+  [- 0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch,
+   - 0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch,
+   - 0005-isisd-fix-router-capability-TLV-parsing-issues.patch,
+   - 0006-isisd-fix-10505-using-base64-encoding.patch,
+   - 0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch,
+   - 0008-isisd-Ensure-rcap-is-freed-in-error-case.patch]
+- Update to version 8.4, see https://frrouting.org/release/8.4/
+  * New BGP command (neighbor PEER soo) to configure SoO to prevent
+    routing loops and suboptimal routing on dual-homed sites.
+  * Command debug bgp allow-martian replaced to bgp allow-martian-nexthop
+    because previously we allowed using martian next-hops when debug is
+    turned on.
+  * Implement BGP Prefix Origin Validation State Extended Community rfc8097
+  *  Implement Route Leak Prevention and Detection Using Roles in UPDATE
+     and OPEN Messages rfc9234
+  * BMP L3VPN support
+  * PIMv6 support
+  * MLD support
+  * New command to enable using reserved IPv4 ranges as normal addresses
+    for BGP next-hops, interface addresses, etc.
+  * As usual, lots of bugs and memory leaks were fixed \m/
+    such as a fix for a possible use-after-free due to a race
+    condition related to bgp_notify_send_with_data() and
+    bgp_process_packet() in bgp_packet.c. This could lead to
+    Remote Code Execution or Information Disclosure by sending
+    crafted BGP packets (CVE-2022-37035,bsc#1202085).
+- Update to version 8.3, see https://frrouting.org/release/8.3/
+  * Notification Message support for BGP Graceful Restart
+  * BGP Cease Notification Subcode For BFD
+  * Send Hold Timer for BGP
+  * RFC5424 syslog support
+  * PIM passive command
+- Update to version 8.2.2, see https://frrouting.org/release/8.2.2/
+  * BGP Long-lived graceful restart capability
+  * BGP Extended Optional Parameters Length for BGP OPEN Message
+  * BGP Extended BGP Administrative Shutdown Communication
+  * IS-IS Link State Traffic Engineering support
+  * OSPFv3 Support for NSSA Type-7 address ranges
+  * PBR VLAN actions support
+
 -------------------------------------------------------------------
 Mon Sep  5 11:48:25 UTC 2022 - Marius Tomaschewski <mt@suse.com>
 

frr.spec

@@ -30,23 +30,20 @@
 %define frr_daemondir %{_prefix}/lib/frr
 
 Name:           frr
-Version:        8.1
+Version:        8.4
 Release:        0
 Summary:        FRRouting Routing daemon
 License:        GPL-2.0-or-later AND LGPL-2.1-or-later
 Group:          Productivity/Networking/System
 URL:            https://www.frrouting.org
 #Git-Clone:     https://github.com/FRRouting/frr.git
-Source:         https://github.com/FRRouting/frr/archive/%{name}-%{version}.tar.gz
+Source:         https://github.com/FRRouting/frr/archive/refs/tags/%{name}-%{version}.tar.gz
 Source1:        %{name}-tmpfiles.d
 Patch1:         0001-disable-zmq-test.patch
 Patch2:         harden_frr.service.patch
-Patch3:         0003-babeld-fix-10487-by-adding-a-check-on-packet-length.patch
+Patch3:         0003-tools-Run-as-FRR_USER-install-chown-commands-to-avoi.patch
-Patch4:         0004-babeld-fix-10502-10503-by-repairing-the-checks-on-le.patch
+Patch4:         0004-tools-remove-backslash-from-declare-check-regex.patch
-Patch5:         0005-isisd-fix-router-capability-TLV-parsing-issues.patch
+Patch5:         0005-root-ok-in-account-frr.pam.patch
-Patch6:         0006-isisd-fix-10505-using-base64-encoding.patch
-Patch7:         0007-bgpd-Make-sure-hdr-length-is-at-a-minimum-of-what-is.patch
-Patch8:         0008-isisd-Ensure-rcap-is-freed-in-error-case.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bison >= 2.7
@@ -189,12 +186,7 @@ developing OSPF-API and frr applications.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-gzip -d tests/isisd/test_fuzz_isis_tlv_tests.h.gz
 %patch5 -p1
-gzip -9 tests/isisd/test_fuzz_isis_tlv_tests.h
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
 
 %build
 # GCC LTO objects must be "fat" to avoid assembly errors
@@ -284,7 +276,11 @@ install -D -m 0644 tools%{_sysconfdir}/frr/daemons %{buildroot}%{_sysconfdir}/fr
 sed -i -e 's/^\(bgpd_options=\)\(.*\)\(".*\)/\1\2 -M rpki\3/' %{buildroot}%{_sysconfdir}/frr/daemons
 
 install -D -m 0644 redhat/frr.pam %{buildroot}%{_sysconfdir}/pam.d/frr
+%if 0%{?suse_version} > 1500
+install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_distconfdir}/logrotate.d/frr
+%else
 install -D -m 0644 redhat/frr.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/frr
+%endif
 
 install -d -m 0750 %{buildroot}%{rundir}
 install -d -m 0750 %{buildroot}%{_localstatedir}/log/frr
@@ -317,6 +313,20 @@ getent group %{frrvty_group} >/dev/null || groupadd -r %{frrvty_group}
 getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_group} -d %{frr_home} -s /sbin/nologin -c "FRRouting suite" %{frr_user}
 
 %service_add_pre %{name}.service
+%if 0%{?suse_version} > 1500
+# Prepare for migration to /usr/etc; save any old .rpmsave
+for i in logrotate.d/frr ; do
+   test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+done
+%endif
+
+%posttrans
+%if 0%{?suse_version} > 1500
+# Migration to /usr/etc, restore just created .rpmsave
+for i in logrotate.d/frr ; do
+   test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+done
+%endif
 
 %post
 %service_add_post %{name}.service
@@ -366,7 +376,11 @@ getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_g
 %config(noreplace) %attr(640,%{frr_user},%{frrvty_group}) %{_sysconfdir}/%{name}/vtysh.conf
 %config(noreplace) %%attr(640,%{frr_user},%{frr_group}) %{_sysconfdir}/%{name}/daemons
 %config(noreplace) %{_sysconfdir}/pam.d/frr
+%if 0%{?suse_version} > 1500
+%{_distconfdir}/logrotate.d/frr
+%else
 %config(noreplace) %{_sysconfdir}/logrotate.d/frr
+%endif
 %{_infodir}/frr.info%{?ext_info}
 %{_mandir}/man?/*
 %{_docdir}/%{name}/html
@@ -389,11 +403,13 @@ getent passwd %{frr_user} >/dev/null || useradd -r -g %{frr_group} -G %{frrvty_g
 %{frr_daemondir}/frr
 %{frr_daemondir}/frr-reload
 %{frr_daemondir}/frr-reload.py
+%{frr_daemondir}/frr_babeltrace.py
 %{frr_daemondir}/frrcommon.sh
 %{frr_daemondir}/frrinit.sh
 %{frr_daemondir}/isisd
 %{frr_daemondir}/ldpd
 %{frr_daemondir}/nhrpd
+%{frr_daemondir}/ospfclient.py
 %{frr_daemondir}/ospf6d
 %{frr_daemondir}/ospfd
 %{frr_daemondir}/pathd