Update openvswitch to rev 69 via SR 1109539

https://build.opensuse.org/request/show/1109539 by user dpitchumani + anag+factory Description: - Added fix for CVE-2023-3152, openvswitch : service monitor MAC flow is not rate limited Actions: - submit network/openvswitch => openSUSE:Factory/openvswitch Changes: - Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited - Added patch, CVE-2023-3152.patch
bmwiedemann · Sep 7, 2023 · 399fa5e · 399fa5e
1 parent f9e365c
commit 399fa5e
Show file tree

Hide file tree

Showing 5 changed files with 148 additions and 0 deletions.
diff --git a/packages/o/openvswitch/.files b/packages/o/openvswitch/.files
diff --git a/packages/o/openvswitch/.rev b/packages/o/openvswitch/.rev
@@ -803,4 +803,21 @@
     <comment></comment>
     <requestid>1087788</requestid>
   </revision>
+  <revision rev="69" vrev="15">
+    <srcmd5>4e324eedb8b5197296446e3914f05199</srcmd5>
+    <version>unknown</version>
+    <time>1694113942</time>
+    <user>anag+factory</user>
+    <comment>Description:
+- Added fix for CVE-2023-3152, openvswitch : service monitor MAC flow is not rate limited
+
+Actions:
+- submit network/openvswitch =&gt; openSUSE:Factory/openvswitch
+
+Changes:
+- Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited
+- Added patch,
+       CVE-2023-3152.patch </comment>
+    <requestid>1109539</requestid>
+  </revision>
 </revisionlist>
diff --git a/packages/o/openvswitch/CVE-2023-3152.patch b/packages/o/openvswitch/CVE-2023-3152.patch
@@ -0,0 +1,121 @@
+commit 9a3f7ed905e525ebdcb14541e775211cbb0203bd
+Author: Ales Musil <amusil@redhat.com>
+Date:   Wed Jul 12 07:12:29 2023 +0200
+
+    northd, controller: Add CoPP for SVC monitor
+
+    The SVC monitor was exposed without any limitation.
+    Add CoPP for the SVC monitor flow, which adds a way
+    for CMSs to limit the traffic that this flow accepts.
+
+    Signed-off-by: Ales Musil <amusil@redhat.com>
+
+diff --git a/lib/copp.c b/lib/copp.c
+index 603e3f5bf..11dd9029d 100644
+--- a/lib/copp.c
++++ b/lib/copp.c
+@@ -38,6 +38,7 @@ static char *copp_proto_names[COPP_PROTO_MAX] = {
+     [COPP_ND_RA_OPTS]    = "nd-ra-opts",
+     [COPP_TCP_RESET]     = "tcp-reset",
+     [COPP_REJECT]        = "reject",
++    [COPP_SVC_MONITOR]   = "svc-monitor",
+     [COPP_BFD]           = "bfd",
+ };
+
+diff --git a/lib/copp.h b/lib/copp.h
+index f03004aa6..b99737220 100644
+--- a/lib/copp.h
++++ b/lib/copp.h
+@@ -37,6 +37,7 @@ enum copp_proto {
+     COPP_TCP_RESET,
+     COPP_BFD,
+     COPP_REJECT,
++    COPP_SVC_MONITOR,
+     COPP_PROTO_MAX,
+     COPP_PROTO_INVALID = COPP_PROTO_MAX,
+ };
+diff --git a/northd/northd.c b/northd/northd.c
+index 7ad4cdfad..1e05b8f22 100644
+--- a/northd/northd.c
++++ b/northd/northd.c
+@@ -8876,9 +8876,11 @@ build_lswitch_destination_lookup_bmcast(struct ovn_datapath *od,
+ {
+     if (od->nbs) {
+
+-        ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 110,
+-                      "eth.dst == $svc_monitor_mac",
+-                      "handle_svc_check(inport);");
++        ovn_lflow_metered(lflows, od, S_SWITCH_IN_L2_LKUP, 110, "eth.dst == "
++                          "$svc_monitor_mac && (tcp || icmp || icmp6)",
++                          "handle_svc_check(inport);",
++                          copp_meter_get(COPP_SVC_MONITOR, od->nbs->copp,
++                                         meter_groups));
+
+         struct mcast_switch_info *mcast_sw_info = &od->mcast_info.sw;
+
+diff --git a/ovn-nb.xml b/ovn-nb.xml
+index 35acda107..59ac42dbd 100644
+--- a/ovn-nb.xml
++++ b/ovn-nb.xml
+@@ -466,6 +466,10 @@
+     <column name="meters" key="reject">
+       Rate limiting meter for packets that trigger a reject action
+     </column>
++    <column name="meters" key="svc-monitor">
++      Rate limiting meter for packets that are arriving to service
++      monitor MAC address.
++    </column>
+     <column name="external_ids">
+       See <em>External IDs</em> at the beginning of this document.
+     </column>
+diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
+index b8376991b..70350a781 100644
+--- a/tests/ovn-northd.at
++++ b/tests/ovn-northd.at
+@@ -3544,7 +3544,7 @@ AT_CHECK([ovn-sbctl list logical_flow | grep trigger_event -A 2 | grep -q meter0
+
+ # let's try to add an usupported protocol "dhcp"
+ AT_CHECK([ovn-nbctl --wait=hv copp-add copp5 dhcp meter1],[1],[],[dnl
+-ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject.
++ovn-nbctl: Invalid control protocol. Allowed values: arp, arp-resolve, dhcpv4-opts, dhcpv6-opts, dns, event-elb, icmp4-error, icmp6-error, igmp, nd-na, nd-ns, nd-ns-resolve, nd-ra-opts, tcp-reset, bfd, reject, svc-monitor.
+ ])
+
+ #Let's try to add a valid protocol to an unknown datapath
+diff --git a/tests/system-ovn.at b/tests/system-ovn.at
+index f8131b90e..7c009e157 100644
+--- a/tests/system-ovn.at
++++ b/tests/system-ovn.at
+@@ -7282,6 +7282,23 @@ OVS_WAIT_UNTIL([
+ ])
+ kill $(pidof tcpdump)
+
++check ovn-nbctl set nb_global . options:svc_monitor_mac="33:33:33:33:33:33"
++check ovn-nbctl meter-add svc-meter drop 1 pktps 0
++check ovn-nbctl --wait=hv copp-add copp4 svc-monitor svc-meter
++check ovn-nbctl --wait=hv ls-copp-add copp4 sw0
++check ovn-appctl -t ovn-controller vlog/set vconn:dbg
++AT_CHECK([ovn-nbctl copp-list copp4], [0], [dnl
++svc-monitor: svc-meter
++])
++
++ip netns exec sw01 scapy -H <<-EOF
++p = Ether(dst="33:33:33:33:33:33", src="f0:00:00:01:02:03") /\
++    IP(dst="192.168.1.100", src="192.168.1.2") / TCP(dport=1234, sport=1234)
++sendp(p, iface='sw01', loop=0, verbose=0, count=20)
++EOF
++
++OVS_WAIT_UNTIL([test "1" = "$(grep -c "dl_dst=33:33:33:33:33:33" ovn-controller.log)"])
++
+ kill $(pidof ovn-controller)
+
+ as ovn-sb
+@@ -7295,7 +7312,8 @@ OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
+
+ as
+ OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d
+-/.*terminating with signal 15.*/d"])
++/.*terminating with signal 15.*/d
++/.*Service monitor not found/d"])
+
+ AT_CLEANUP
+ ])
diff --git a/packages/o/openvswitch/openvswitch.changes b/packages/o/openvswitch/openvswitch.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Sep  7 07:55:29 UTC 2023 - Duraisankar P <Duraisankar.pitchumani@suse.com>
+
+- Fix CVE-2023-3153 [bsc#1212125], VUL-0: CVE-2023-3153: openvswitch,openvswitch3: service monitor MAC flow is not rate limited
+- Added patch,
+       CVE-2023-3152.patch 
+
 -------------------------------------------------------------------
 Wed May 17 09:46:44 UTC 2023 - Duraisankar P <Duraisankar.pitchumani@suse.com>
 

diff --git a/packages/o/openvswitch/openvswitch.spec b/packages/o/openvswitch/openvswitch.spec
@@ -81,6 +81,8 @@ Patch5:         CVE-2023-1668.patch
 #OVN patches
 # PATCH-FIX-OPENSUSE: 0001-Run-ovn-as-openvswitch-openvswitch.patch
 Patch20:        0001-Run-ovn-as-openvswitch-openvswitch.patch
+# PATCH-FIX-UPSTREAM CVE-2023-3152 [bsc#1212125] -- service monitor MAC flow is not rate limited
+Patch21:        CVE-2023-3152.patch
 # CVE-2021-36980 [bsc#1188524], use-after-free in decode_NXAST_RAW_ENCAP
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -417,6 +419,7 @@ Devel libraries and headers for Open Virtual Network.
 rm python/ovs/dirs.py
 cd %{ovn_dir}
 %patch20 -p1
+%patch21 -p1
 
 %build
 mkdir %ovs_dir