From 2a65fe0475117ebde8fe5de97207971afc1d99a82b57dba266553c5508633379 Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Mon, 5 Jun 2017 12:31:26 +0000
Subject: [PATCH] Accepting request 501114 from home:markoschandras:network

- Install firewalld OVN files with chmod 644 instead of 755 (4a54614120ea)
- Use python-six instead of python2-six dependency to cover distributions which are not using the python-singlespec packaging specification yet (bsc#1041110)
- Add upstream patch to fix a buffer overread vulnerability (cve-2017-9214) (bsc#1040543)
* 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch

OBS-URL: https://build.opensuse.org/request/show/501114
OBS-URL: https://build.opensuse.org/package/show/network/openvswitch?expand=0&rev=114
---
 ...fer-overread-in-ofputil_pull_queue_g.patch | 33 +++++++++++++++++++
 openvswitch.changes | 9 +++++
 openvswitch.spec | 11 +++++--
 3 files changed, 50 insertions(+), 3 deletions(-)
 create mode 100644 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch

diff --git a/0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch b/0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch
new file mode 100644
index 0000000..a8bdb38
--- /dev/null
+++ b/0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch
@@ -0,0 +1,33 @@
+From 7b7b186a8d40fc6f287cef2582702181da74bdc3 Mon Sep 17 00:00:00 2001
+From: Ben Pfaff
+Date: Sat, 20 May 2017 16:38:24 -0700
+Subject: [PATCH] ofp-util: Fix buffer overread in
+ ofputil_pull_queue_get_config_reply10().
+
+msg->size isn't the relevant measurement here because we're only supposed
+to read 'len' bytes. Reading more than that causes 'len' to underflow to a
+large number at the end of the loop.
+
+Reported-by: Bhargava Shastry
+Signed-off-by: Ben Pfaff
+Acked-by: Greg Rose
+---
+ lib/ofp-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ofp-util.c b/lib/ofp-util.c
+index db27abf8b..a6dd5dbdd 100644
+--- a/lib/ofp-util.c
++++ b/lib/ofp-util.c
+@@ -2598,7 +2598,7 @@ ofputil_pull_queue_get_config_reply10(struct ofpbuf *msg,
+ 
+ hdr = ofpbuf_at_assert(msg, 0, sizeof *hdr);
+ prop_len = ntohs(hdr->len);
+- if (prop_len < sizeof *hdr || prop_len > msg->size || prop_len % 8) {
++ if (prop_len < sizeof *hdr || prop_len > len || prop_len % 8) {
+ return OFPERR_OFPBRC_BAD_LEN;
+ }
+ 
+-- 
+2.12.2
+
diff --git a/openvswitch.changes b/openvswitch.changes
index edc5c4b..55f54c9 100644
--- a/openvswitch.changes
+++ b/openvswitch.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Sat May 27 08:39:25 UTC 2017 - mchandras@suse.de
+
+- Install firewalld OVN files with chmod 644 instead of 755 (4a54614120ea)
+- Use python-six instead of python2-six dependency to cover distributions
+ which are not using the python-singlespec packaging specification yet (bsc#1041110)
+- Add upstream patch to fix a buffer overread vulnerability (cve-2017-9214) (bsc#1040543)
+ * 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch
+
 -------------------------------------------------------------------
 Tue Feb 28 09:24:48 UTC 2017 - mchandras@suse.de
 
diff --git a/openvswitch.spec b/openvswitch.spec
index f7ff4f3..182c146 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -42,6 +42,10 @@ Url: http://openvswitch.org/
 Source0: http://openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Source1: preamble
 Source89: Module.supported.updates
+# PATCh-FIX-UPSTREAM 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch
+# Upstream fix (present in 2.7 branch) to fix CVE-2017-9214
+# See https://nvd.nist.gov/vuln/detail/CVE-2017-9214
+Patch1: 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch
 Patch99: 0001-utilities-Add-script-to-support-DPDK-option-migratio.patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -237,7 +241,7 @@ License: Python-2.0
 Group: Productivity/Networking/System
 Requires: openvswitch-common = %{version}
 Requires: python
-Requires: python2-six
+Requires: python-six
 
 %description -n python-openvswitch
 This package contains the full Python bindings for Open vSwitch database.
@@ -274,6 +278,7 @@ Open vSwitch is a full-featured software-based Ethernet switch.
 
 %prep
 %setup -q -n openvswitch-%{version}
+%patch1 -p1
 %patch99 -p1
 
 %build
@@ -373,9 +378,9 @@ install -m 644 vswitchd/vswitch.ovsschema \
 
 # firewalld
 install -d %{buildroot}%{_prefix}/lib/firewalld/services/
-install rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \
+install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-central-firewall-service.xml \
 %{buildroot}%{_prefix}/lib/firewalld/services/ovn-central-firewall-service.xml
-install rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \
+install -p -m 0644 rhel/usr_lib_firewalld_services_ovn-host-firewall-service.xml \
 %{buildroot}%{_prefix}/lib/firewalld/services/ovn-host-firewall-service.xml
 
 # Copy documentation. The git archive builds also contain non rst files
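Review bot: The patch-tag comment added in the first hunk of openvswitch.spec is misspelled, `# PATCh-FIX-UPSTREAM ...`, and should read `# PATCH-FIX-UPSTREAM 0001-ofp-util-Fix-buffer-overread-in-ofputil_pull_queue_g.patch`; as far as I know the openSUSE patch-tagging keywords are matched literally by the review tooling, so the lowercase letter leaves this patch unclassified even though it carries a CVE fix. It would also help to carry the bug reference from the changelog into the same comment, e.g. `# Upstream fix (present in 2.7 branch) for CVE-2017-9214 (bsc#1040543)`, so the reason for the patch is visible in the spec without consulting the changes file. The remaining hunks (python-six requirement, `%patch1 -p1` application order, `install -p -m 0644` for the firewalld service files) look consistent with the changelog entry.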