diff --git a/CVE-2021-40085.diff b/CVE-2021-40085.diff
new file mode 100644
index 0000000000000000000000000000000000000000..b03f8bc22d33c4357ff23684fd13403aae0c624d
--- /dev/null
+++ b/CVE-2021-40085.diff
@@ -0,0 +1,75 @@
+From 110fed07cb83deb3abd85073cb351066713b6384 Mon Sep 17 00:00:00 2001
+From: Slawek Kaplonski
+Date: Mon, 23 Aug 2021 13:01:37 +0200
+Subject: [PATCH] Remove dhcp_extra_opt value after first newline character
+
+Passing newline to the dnsmasq may cause security issues, especially
+that in case of Neutron that dhcp options' values are controlled by
+cloud users.
+This patch removes everything what is after first newline character
+in the dhcp_extra_opt's values before passing them to dnsmasq.
+
+Conflicts:
+ neutron/tests/unit/agent/linux/test_dhcp.py
+
+Closes-Bug: #1939733
+Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e
+(cherry picked from commit df891f0593d234e01f27d7c0376d9702e178ecfb)
+---
+
+diff --git a/neutron/agent/linux/dhcp.py b/neutron/agent/linux/dhcp.py
+index 3114f43..67e5cfa 100644
+--- a/neutron/agent/linux/dhcp.py
++++ b/neutron/agent/linux/dhcp.py
+@@ -1153,10 +1153,11 @@
+ else:
+ option = 'option6:%s' % option
+ if extra_tag:
+- tags = ('tag:' + tag, extra_tag[:-1], '%s' % option)
++ tags = ['tag:' + tag, extra_tag[:-1], '%s' % option]
+ else:
+- tags = ('tag:' + tag, '%s' % option)
+- return ','.join(tags + args)
++ tags = ['tag:' + tag, '%s' % option]
++
++ return ','.join(tags + [v.split("\n", 1)[0] for v in args])
+
+ @staticmethod
+ def _convert_to_literal_addrs(ip_version, ips):
+diff --git a/neutron/tests/unit/agent/linux/test_dhcp.py b/neutron/tests/unit/agent/linux/test_dhcp.py
+index c819782..0229bb8 100644
+--- a/neutron/tests/unit/agent/linux/test_dhcp.py
++++ b/neutron/tests/unit/agent/linux/test_dhcp.py
+@@ -225,6 +225,9 @@
+ self.extra_dhcp_opts = [
+ DhcpOpt(opt_name='dns-server',
+ opt_value='ffea:3ba5:a17a:4ba3::100',
++ ip_version=6),
++ DhcpOpt(opt_name='malicious-option',
++ opt_value='aaa\nbbb.ccc\n',
+ ip_version=6)]
+
+
+@@ -2700,7 +2703,9 @@
+ exp_opt_data = ('tag:subnet-eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee,'
+ 'option6:domain-search,openstacklocal\n'
+ 'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
+- 'option6:dns-server,ffea:3ba5:a17a:4ba3::100').lstrip()
++ 'option6:dns-server,ffea:3ba5:a17a:4ba3::100\n'
++ 'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
++ 'option6:malicious-option,aaa').lstrip()
+ dm = self._get_dnsmasq(FakeV6NetworkStatelessDHCP())
+ dm._output_hosts_file()
+ dm._output_opts_file()
+diff --git a/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
+new file mode 100644
+index 0000000..d2a8c2f
+--- /dev/null
++++ b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
+@@ -0,0 +1,6 @@
++---
++security:
++ - |
++ Fix `bug 1939733 `_ by
++ dropping from the dhcp extra option values everything what is after first
++ newline (``\n``) character before passing them to the dnsmasq.
diff --git a/openstack-neutron.spec b/openstack-neutron.spec
index 0aaccf96c948e792b03b65ff08a09041c8b82aac..b69b860dc9931c95be3508aaffd7dc4bbc9a6b29 100644
--- a/openstack-neutron.spec
+++ b/openstack-neutron.spec
@@ -6,7 +6,7 @@ done \
 
 Name: openstack-neutron
 Version: 12.1.1
-Release: 3
+Release: 4
 Summary: OpenStack Networking Service
 License: Apache-2.0
 URL: https://opendev.org/openstack/neutron
@@ -32,6 +32,7 @@ Source33: neutron-enable-bridge-firewall.sh
 Source34: neutron-l2-agent-sysctl.conf
 Source35: neutron-l2-agent.modules
 Source36: openstack-neutron-destroy-patch-ports.service
+Patch: CVE-2021-40085.diff
 
 BuildArch: noarch
 
@@ -676,6 +677,8 @@ fi
 
 %changelog
+* Wed Aug 03 2022 zhangy
+- Fix CVE-2021-40085
 * Tue Jun 15 2021 wangxiyuan
 - Update systemd config file
 * Tue Jun 08 2021 wangxiyuan
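Review bot: The truncation on the new `return ','.join(tags + [v.split("\n", 1)[0] for v in args])` line only sanitizes the option values in `args`; the option name in `option`, which the context lines just above format into `'option6:%s' % option`, is passed through untouched, so if opt_name is also user-supplied it needs the same treatment or an explicit reject at the API — `_format_option`'s header and the code that derives `option` start outside the hunk, so confirm where the name is validated. Only `\n` is dropped and a bare `\r` survives; unless dnsmasq's config reader is confirmed to ignore it, `v.split("\n", 1)[0].split("\r", 1)[0]` costs nothing. Truncation also turns a value such as `'\nfoo'` into an empty string, producing an `option6:...,` entry with no value; if dnsmasq rejects that line at start-up every port on the network loses DHCP, so the test should cover a leading-newline value alongside `'aaa\nbbb.ccc\n'`. Rejecting multi-line values in the API validator would report the problem to the user instead of silently shipping a truncated option.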
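Review bot: `Patch: CVE-2021-40085.diff` only declares the patch; whether it is applied depends on `%prep`, which is outside this hunk. The patch's paths are `a/neutron/agent/linux/dhcp.py`, so it needs strip level 1 (`%autosetup -p1` or an explicit `%patch -p1`); if `%prep` uses plain `%setup` with no matching `%patch` line, the Release bump ships an unfixed build. Confirm `%prep` applies it, or use a numbered `Patch0001: CVE-2021-40085.diff` with `%patch0001 -p1` so the application is explicit.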