From 963d505650490baf73bcae36431b83a63997ff75 Mon Sep 17 00:00:00 2001 From: Thomas Goirand Date: Wed, 24 Jun 2015 07:58:13 +0000 Subject: [PATCH] * Added patch for CVE-2015-3221 (Closes: #789713): CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch Rewritten-From: 9bc3197a4c8b4c59d7ba8782b13c3835a92ac470 --- xenial/debian/changelog | 6 +- ...de_work_around_for_0.0.0.0_for_ipset.patch | 123 ++++++++++++++++++ .../patches/better-config-defaults.patch | 38 ++++-- xenial/debian/patches/series | 1 + 4 files changed, 152 insertions(+), 16 deletions(-) create mode 100644 xenial/debian/patches/CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch diff --git a/xenial/debian/changelog b/xenial/debian/changelog index 669923162..506f57118 100644 --- a/xenial/debian/changelog +++ b/xenial/debian/changelog @@ -1,8 +1,8 @@ neutron (2015.1.0+2015.06.24.git61.bdf194a0e1-1) unstable; urgency=medium - * New upstream release (based on commit 61 and sha bdf194a0e1): - - Fixes CVE-2015-3221: L2 agent DoS through incorrect allowed address pairs - (Closes: #789713). + * New upstream release (based on commit 61 and sha bdf194a0e1). + * Added patch for CVE-2015-3221 (Closes: #789713): + CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch -- Thomas Goirand Wed, 24 Jun 2015 07:41:07 +0000 diff --git a/xenial/debian/patches/CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch b/xenial/debian/patches/CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch new file mode 100644 index 000000000..02fa50742 --- /dev/null +++ b/xenial/debian/patches/CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch 
@@ -0,0 +1,123 @@ +From: Aaron Rosen +Date: Wed, 3 Jun 2015 23:19:39 +0000 (-0700) +Subject: Provide work around for 0.0.0.0/0 ::/0 for ipset +X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fneutron.git;a=commitdiff_plain;h=9ff6138c47c95034ba845e9448ddffd147b51f38 + +Provide work around for 0.0.0.0/0 ::/0 for ipset + +Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if +these addresses were inputted as allowed address pairs. This causes +ipset to raise an error as it does not work with zero prefix sizes. +To solve this problem we use two ipset rules to represent this: + +Ipv4: 0.0.0.0/1 and 128.0.0.1/1 +IPv6: ::/1' and '8000::/1 + +All of this logic is handled via _sanitize_addresses() in the ipset_manager +which is called to convert the input. + +Conflicts: + neutron/agent/linux/ipset_manager.py + neutron/tests/unit/agent/linux/test_ipset_manager.py + +Change-Id: I8c6a08e0cf3b5b5386fe03af9f2174c666b8ac75 +Closes-bug: 1461054 +--- + +diff --git a/neutron/agent/linux/ipset_manager.py b/neutron/agent/linux/ipset_manager.py +index 0f76418..af59f1f 100644 +--- a/neutron/agent/linux/ipset_manager.py ++++ b/neutron/agent/linux/ipset_manager.py +@@ -11,6 +11,8 @@ + # See the License for the specific language governing permissions and + # limitations under the License. + ++import netaddr ++ + from neutron.agent.linux import utils as linux_utils + from neutron.common import utils + +@@ -31,6 +33,26 @@ class IpsetManager(object): + self.namespace = namespace + self.ipset_sets = {} + ++ def _sanitize_addresses(self, addresses): ++ """This method converts any address to ipset format. ++ ++ If an address has a mask of /0 we need to cover to it to a mask of ++ /1 as ipset does not support /0 length addresses. Instead we use two ++ /1's to represent the /0. 
++ """ ++ sanitized_addresses = [] ++ for ip in addresses: ++ if (netaddr.IPNetwork(ip).prefixlen == 0): ++ if(netaddr.IPNetwork(ip).version == 4): ++ sanitized_addresses.append('0.0.0.0/1') ++ sanitized_addresses.append('128.0.0.0/1') ++ elif (netaddr.IPNetwork(ip).version == 6): ++ sanitized_addresses.append('::/1') ++ sanitized_addresses.append('8000::/1') ++ else: ++ sanitized_addresses.append(ip) ++ return sanitized_addresses ++ + @staticmethod + def get_name(id, ethertype): + """Returns the given ipset name for an id+ethertype pair. +@@ -51,6 +73,7 @@ class IpsetManager(object): + add / remove new members, or swapped atomically if + that's faster. + """ ++ member_ips = self._sanitize_addresses(member_ips) + set_name = self.get_name(id, ethertype) + if not self.set_exists(id, ethertype): + # The initial creation is handled with create/refresh to +diff --git a/neutron/tests/unit/agent/linux/test_ipset_manager.py b/neutron/tests/unit/agent/linux/test_ipset_manager.py +index 4484008..a1c6dc5 100644 +--- a/neutron/tests/unit/agent/linux/test_ipset_manager.py ++++ b/neutron/tests/unit/agent/linux/test_ipset_manager.py +@@ -38,7 +38,7 @@ class BaseIpsetManagerTest(base.BaseTestCase): + def expect_set(self, addresses): + temp_input = ['create NETIPv4fake_sgid-new hash:net family inet'] + temp_input.extend('add NETIPv4fake_sgid-new %s' % ip +- for ip in addresses) ++ for ip in self.ipset._sanitize_addresses(addresses)) + input = '\n'.join(temp_input) + self.expected_calls.extend([ + mock.call(['ipset', 'restore', '-exist'], +@@ -55,13 +55,16 @@ class BaseIpsetManagerTest(base.BaseTestCase): + self.expected_calls.extend( + mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip], + process_input=None, +- run_as_root=True) for ip in addresses) ++ run_as_root=True) ++ for ip in self.ipset._sanitize_addresses(addresses)) + + def expect_del(self, addresses): ++ + self.expected_calls.extend( + mock.call(['ipset', 'del', TEST_SET_NAME, ip], + process_input=None, +- 
run_as_root=True) for ip in addresses) ++ run_as_root=True) ++ for ip in self.ipset._sanitize_addresses(addresses)) + + def expect_create(self): + self.expected_calls.append( +@@ -113,6 +116,16 @@ class IpsetManagerTestCase(BaseIpsetManagerTest): + self.ipset.set_members(TEST_SET_ID, ETHERTYPE, FAKE_IPS) + self.verify_mock_calls() + ++ def test_set_members_adding_all_zero_ipv4(self): ++ self.expect_set(['0.0.0.0/0']) ++ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['0.0.0.0/0']) ++ self.verify_mock_calls() ++ ++ def test_set_members_adding_all_zero_ipv6(self): ++ self.expect_set(['::/0']) ++ self.ipset.set_members(TEST_SET_ID, ETHERTYPE, ['::/0']) ++ self.verify_mock_calls() ++ + def test_destroy(self): + self.add_first_ip() + self.expect_destroy() diff --git a/xenial/debian/patches/better-config-defaults.patch b/xenial/debian/patches/better-config-defaults.patch index b39fc4f8f..9c97ea6cb 100644 --- a/xenial/debian/patches/better-config-defaults.patch +++ b/xenial/debian/patches/better-config-defaults.patch @@ -5,8 +5,10 @@ Author: Thomas Goirand Forwarded: not-needed Last-Update: 2015-04-15 ---- neutron-2015.1~rc1.orig/etc/dhcp_agent.ini -+++ neutron-2015.1~rc1/etc/dhcp_agent.ini +Index: neutron/etc/dhcp_agent.ini +=================================================================== +--- neutron.orig/etc/dhcp_agent.ini ++++ neutron/etc/dhcp_agent.ini @@ -9,14 +9,12 @@ # The DHCP agent requires an interface driver be set. Choose the one that best @@ -59,8 +61,10 @@ Last-Update: 2015-04-15 # Comma-separated list of DNS servers which will be used by dnsmasq # as forwarders. ---- neutron-2015.1~rc1.orig/etc/l3_agent.ini -+++ neutron-2015.1~rc1/etc/l3_agent.ini +Index: neutron/etc/l3_agent.ini +=================================================================== +--- neutron.orig/etc/l3_agent.ini ++++ neutron/etc/l3_agent.ini @@ -4,11 +4,9 @@ # L3 requires that an interface driver be set. Choose the one that best 
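Review bot: `_sanitize_addresses` in the embedded `neutron/agent/linux/ipset_manager.py` hunk parses each address three times (`netaddr.IPNetwork(ip)` in the prefixlen test and again in both version tests), and a /0 address whose version is neither 4 nor 6 falls through both inner branches and is dropped without being appended — unreachable with netaddr, but nothing says so; hoisting `net = netaddr.IPNetwork(ip)` once per iteration and testing `net.prefixlen` and `net.version` reads clearer, and the redundant parentheses in `if(netaddr.IPNetwork(ip).version == 4):` can go. Because this is the CVE-2015-3221 mitigation, every path that hands addresses to ipset has to pass through this method; only `set_members` is shown calling it, so any other entry point is not covered by what this hunk shows. `netaddr.IPNetwork` raises `netaddr.AddrFormatError` on an unparsable string, so a malformed allowed-address-pair now fails inside the agent before the ipset call rather than in it — if that is the intended contract, a comment such as `# invalid input raises netaddr.AddrFormatError before it reaches ipset` would make it explicit. The embedded commit message lists `128.0.0.1/1` where the code emits `128.0.0.0/1`; the code value is the correct upper half of the /0 split, so the message text is what should be corrected.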
@@ -135,8 +139,10 @@ Last-Update: 2015-04-15 # ha_vrrp_advert_int = 2 + +allow_automatic_l3agent_failover = False ---- neutron-2015.1~rc1.orig/etc/metadata_agent.ini -+++ neutron-2015.1~rc1/etc/metadata_agent.ini +Index: neutron/etc/metadata_agent.ini +=================================================================== +--- neutron.orig/etc/metadata_agent.ini ++++ neutron/etc/metadata_agent.ini @@ -23,7 +23,7 @@ admin_password = %SERVICE_PASSWORD% # nova_metadata_port = 8775 @@ -146,8 +152,10 @@ Last-Update: 2015-04-15 # Whether insecure SSL connection should be accepted for Nova metadata server # requests ---- neutron-2015.1~rc1.orig/etc/neutron.conf -+++ neutron-2015.1~rc1/etc/neutron.conf +Index: neutron/etc/neutron.conf +=================================================================== +--- neutron.orig/etc/neutron.conf ++++ neutron/etc/neutron.conf @@ -57,8 +57,8 @@ # previous versions, the class name of a plugin can be specified instead of its # entrypoint name. @@ -252,7 +260,7 @@ Last-Update: 2015-04-15 # Set to true to add comments to generated iptables rules that describe # each rule's purpose. (System must support the iptables comments module.) -@@ -702,15 +703,14 @@ admin_password = %SERVICE_PASSWORD% +@@ -693,15 +694,14 @@ admin_password = %SERVICE_PASSWORD% [database] # This line MUST be changed to actually run the plugin. @@ -270,8 +278,10 @@ Last-Update: 2015-04-15 # Database engine for which script will be generated when using offline # migration ---- neutron-2015.1~rc1.orig/etc/neutron/plugins/ml2/ml2_conf.ini -+++ neutron-2015.1~rc1/etc/neutron/plugins/ml2/ml2_conf.ini +Index: neutron/etc/neutron/plugins/ml2/ml2_conf.ini +=================================================================== +--- neutron.orig/etc/neutron/plugins/ml2/ml2_conf.ini ++++ neutron/etc/neutron/plugins/ml2/ml2_conf.ini @@ -1,25 +1,24 @@ [ml2] # (ListOpt) List of network type driver entrypoints to be loaded from 
@@ -333,8 +343,10 @@ Last-Update: 2015-04-15 # requires that ipset is installed on L2 agent node. -# enable_ipset = True +enable_ipset = True ---- neutron-2015.1~rc1.orig/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini -+++ neutron-2015.1~rc1/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini +Index: neutron/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini +=================================================================== +--- neutron.orig/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini ++++ neutron/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini @@ -5,7 +5,7 @@ # attached to this bridge and then "patched" according to their network # connectivity. diff --git a/xenial/debian/patches/series b/xenial/debian/patches/series index d45a00c11..6cf27d967 100644 --- a/xenial/debian/patches/series +++ b/xenial/debian/patches/series @@ -1 +1,2 @@ better-config-defaults.patch +CVE-2015-3221_Provide_work_around_for_0.0.0.0_for_ipset.patch -- 2.45.2