From c7b50b955b6c12c086dec726b195f4a1a2561724 Mon Sep 17 00:00:00 2001 From: xingwei Date: Tue, 11 Jun 2024 06:11:56 +0000 Subject: [PATCH 1/2] fix CVE-2024-5564 --- backport-CVE-2024-5564.patch | 47 ++++++++++++++++++++++++++++++++++++ libndp.spec | 10 +++++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-5564.patch diff --git a/backport-CVE-2024-5564.patch b/backport-CVE-2024-5564.patch new file mode 100644 index 0000000..17119f4 --- /dev/null +++ b/backport-CVE-2024-5564.patch 
@@ -0,0 +1,47 @@ +From 05e4ba7b0d126eea4c04387dcf40596059ee24af Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Wed, 5 Jun 2024 11:57:43 +0800 +Subject: [PATCH] libndp: valid route information option length + +RFC 4191 specifies that the Route Information Option Length should be 1, 2, +or 3, depending on the Prefix Length. A malicious node could potentially +trigger a buffer overflow and crash the tool by sending an IPv6 router +advertisement message containing the "Route Information" option with a +"Length" field larger than 3. + +To address this, add a check on the length field. + +Fixes: 8296a5bf0755 ("add support for Route Information Option (rfc4191)") +Reported-by: Evgeny Vereshchagin +Suggested-by: Felix Maurer +Signed-off-by: Hangbin Liu +Signed-off-by: Jiri Pirko + +Reference:https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af +Conflict:NA +--- + libndp/libndp.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/libndp/libndp.c b/libndp/libndp.c +index 6314717..72ec92e 100644 +--- a/libndp/libndp.c ++++ b/libndp/libndp.c +@@ -1231,6 +1231,17 @@ static bool ndp_msg_opt_route_check_valid(void *opt_data) + */ + if (((ri->nd_opt_ri_prf_reserved >> 3) & 3) == 2) + return false; ++ ++ /* The Length field is 1, 2, or 3 depending on the Prefix Length. ++ * If Prefix Length is greater than 64, then Length must be 3. ++ * If Prefix Length is greater than 0, then Length must be 2 or 3. ++ * If Prefix Length is zero, then Length must be 1, 2, or 3. ++ */ ++ if (ri->nd_opt_ri_len > 3 || ++ (ri->nd_opt_ri_prefix_len > 64 && ri->nd_opt_ri_len != 3) || ++ (ri->nd_opt_ri_prefix_len > 0 && ri->nd_opt_ri_len == 1)) ++ return false; ++ + return true; + } + diff --git a/libndp.spec b/libndp.spec index 2b0cf2a..a9d9686 100644 --- a/libndp.spec +++ b/libndp.spec 
@@ -1,11 +1,13 @@ Name: libndp Version: 1.8 -Release: 2 +Release: 3 Summary: Library for Neighbor Discovery Protocol License: LGPLv2+ URL: http://www.libndp.org/ Source: http://www.libndp.org/files/libndp-%{version}.tar.gz +Patch0: backport-CVE-2024-5564.patch + BuildRequires: gcc BuildRequires: make @@ -54,6 +56,12 @@ Document files for libndp. %{_mandir}/man8/ndptool.8* %changelog +* Tue Jun 11 2024 xingwei - 1.8-3 +- Type:CVE +- ID:CVE-2024-5564 +- SUG:NA +- DESC:fix CVE-2024-5564 + * Fri Oct 21 2022 gaihuiying - 1.8-2 - Type:bugfix - ID:NA -- Gitee From 4c15272ef28c19a733f72d1115f94d4dde547400 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=AF=9B=E7=8E=89=E8=B4=A4?= Date: Mon, 19 Aug 2024 14:59:10 +0800 Subject: [PATCH 2/2] =?UTF-8?q?=E4=BF=AE=E6=94=B9spec=E6=96=87=E4=BB=B6?= =?UTF-8?q?=EF=BC=8C=E7=94=A8=E5=AE=8F%package=5Fhelp=E6=9B=BF=E6=8D=A2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- libndp.spec | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/libndp.spec b/libndp.spec index a9d9686..9605dd2 100644 --- a/libndp.spec +++ b/libndp.spec @@ -1,6 +1,6 @@ Name: libndp Version: 1.8 -Release: 3 +Release: 4 Summary: Library for Neighbor Discovery Protocol License: LGPLv2+ URL: http://www.libndp.org/ @@ -23,11 +23,13 @@ Requires: libndp = %{version}-%{release} %description devel This package contains files and libraries for libndp. -%package help -Summary: Document files for libndp +#%package help +#Summary: Document files for libndp -%description help -Document files for libndp. +#%description help +#Document files for libndp. + +%package_help %prep %autosetup -p1 @@ -56,6 +58,9 @@ Document files for libndp. %{_mandir}/man8/ndptool.8* %changelog +* Mon Aug 19 2024 yuxian Mao - 1.8-4 +- Replaced declaration of help subpakage with the 'libndp-help' macro. + * Tue Jun 11 2024 xingwei - 1.8-3 - Type:CVE - ID:CVE-2024-5564 -- Gitee
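Review bot: the condition added to ndp_msg_opt_route_check_valid() in libndp/libndp.c (inside backport-CVE-2024-5564.patch) has no lower bound on nd_opt_ri_len, so a Length of 0 combined with a Prefix Length of 0 to 64 passes all three tests, even though the comment directly above says Length must be 1, 2, or 3. If a zero Length is already rejected before this function is called, note that in the comment so the reader does not have to go looking; otherwise extend the first test to `ri->nd_opt_ri_len < 1 || ri->nd_opt_ri_len > 3`. Any such change belongs upstream first, so that the backport stays identical to the commit named in the Reference line.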
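Review bot: in the libndp.spec changelog entry for 1.8-3 (PATCH 1/2), `DESC:fix CVE-2024-5564` only repeats the ID field and does not say what was changed. A description such as "validate Route Information option length in router advertisements" would let someone auditing the package see from the changelog alone which code path the fix touches and that it comes from backport-CVE-2024-5564.patch.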
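Review bot: the `@@ -23,11 +23,13 @@` hunk of libndp.spec in PATCH 2/2 leaves the old subpackage declaration behind as four commented-out lines (`#%package help` through `#Document files for libndp.`) next to the new `%package_help`. Delete them instead of commenting them out: the previous form is preserved in the git history, and lines beginning with `#%` in a spec file are easy to misread as active directives.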
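Review bot: the 1.8-4 changelog entry added in the last hunk of PATCH 2/2 misspells "subpakage" and calls the replacement "the 'libndp-help' macro", whereas the macro actually introduced in the spec is `%package_help`. It also drops the Type/ID/SUG/DESC layout used by the 1.8-3 and 1.8-2 entries just below it. Suggest rewriting it in that layout with the correct macro name, written as `%%package_help` so it is not expanded inside %changelog.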