From 271e4d180539500dadc79f1bb5a6329dbd2d9c23 Mon Sep 17 00:00:00 2001
From: David Lamparter
Date: Tue, 30 Apr 2024 16:20:17 +0200
Subject: [PATCH] debian: pull in 9.1-0.1 as uploaded on Debian

(the corresponding FRR branch is _not_ pulled in here for simplicity)

Authored-by: Daniel Baumann
Signed-off-by: David Lamparter
---
 debian/changelog | 48 +++++++++++++++++++++++++++++
 debian/control | 5 +--
 debian/frr.conf | 2 ++
 debian/frr.install | 1 +
 debian/patches/CVE-2024-27913.patch | 34 ++++++++++++++++++++
 debian/patches/series | 1 +
 debian/rules | 5 ++-
 7 files changed, 91 insertions(+), 5 deletions(-)
 create mode 100644 debian/frr.conf
 create mode 100644 debian/patches/CVE-2024-27913.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 7280f9a9b3..108c215b89 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,51 @@
+frr (9.1-0.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * New upstream release (Closes: #1042473, #1055852):
+ - CVE-2023-3748: parsing certain babeld unicast hello messages that are
+ intended to be ignored. This issue may allow an attacker to send specially
+ crafted hello messages with the unicast flag set, the interval field set
+ to 0, or any TLV that contains a sub-TLV with the Mandatory flag set to
+ enter an infinite loop and cause a denial of service.
+ - CVE-2023-38407: bgpd/bgp_label.c attempts to read beyond the end of the
+ stream during labeled unicast parsing.
+ - CVE-2023-41361: bgpd/bgp_open.c does not check for an overly large
+ length of the rcv software version.
+ - CVE-2023-46752: It mishandles malformed MP_REACH_NLRI data, leading to a
+ crash.
+ - CVE-2023-46753: A crash can occur for a crafted BGP UPDATE message
+ without mandatory attributes, e.g., one with only an unknown transit
+ attribute.
+ - CVE-2023-47234: A crash can occur when processing a crafted BGP UPDATE
+ message with a MP_UNREACH_NLRI attribute and additional NLRI data (that
+ lacks mandatory path attributes).
+ - CVE-2023-47235: A crash can occur when a malformed BGP UPDATE message
+ with an EOR is processed, because the presence of EOR does not lead to a
+ treat-as-withdraw outcome.
+ * Updating patches:
+ - removing CVE-2023-38802.patch, included upstream.
+ - removing CVE-2023-41358.patch, included upstream.
+ - removing CVE-2023-41360.patch, included upstream.
+ - removing unapplied CVE-2023-41361.patch, included upstream.
+ - adding CVE-2024-27913.patch from upstream:
+ ospf_te_parse_te in ospfd/ospf_te.c allows remote attackers to cause a
+ denial of service (ospfd daemon crash) via a malformed OSPF LSA packet,
+ because of an attempted access to a missing attribute field (Closes:
+ #1065144).
+ * Updating build-depends:
+ - adding now required protobuf-c-compiler to build-depends.
+ - adding now required libprotobuf-c-dev to build-depends.
+ - adding new libmgmt_be_nb.so to frr.install.
+ - removing obsolete lsb-base.
+ - prefering new pkgconf over old pkg-config.
+ * Updating override_dh_auto_clean to fix FTBFS when built twice in a row
+ (Closes: #1044470):
+ - call dh_auto_clean which is safe to run now.
+ - remove tests/.pytest_cache.
+ * Removing obsolete doc-base.
+
+ -- Daniel Baumann Fri, 08 Mar 2024 23:21:21 +0100
+
 frr (8.4.4-1.1) unstable; urgency=high

 * Non-maintainer upload by the Security Team.
diff --git a/debian/control b/debian/control
index 43fb033968..66961f3f0d 100644
--- a/debian/control
+++ b/debian/control
@@ -17,14 +17,15 @@ Build-Depends: bison,
 libjson-c-dev | libjson0-dev,
 libpam0g-dev | libpam-dev,
 libpcre2-dev,
+ libprotobuf-c-dev,
 libpython3-dev:native,
 libreadline-dev,
 librtr-dev (>= 0.8.0~) ,
 libsnmp-dev,
 libssh-dev ,
 libyang2-dev,
- lsb-base,
- pkg-config,
+ pkgconf | pkg-config,
+ protobuf-c-compiler,
 python3:native,
 python3-dev:native,
 python3-pytest:native ,
diff --git a/debian/frr.conf b/debian/frr.conf
new file mode 100644
index 0000000000..dee3cd849a
--- /dev/null
+++ b/debian/frr.conf
@@ -0,0 +1,2 @@
+# Create the /run/frr directory at boot or from systemd-tmpfiles on install
+d /run/frr 0755 frr frr
diff --git a/debian/frr.install b/debian/frr.install
index 69ccb4f8a0..e33ddab95c 100644
--- a/debian/frr.install
+++ b/debian/frr.install
@@ -6,6 +6,7 @@ usr/bin/vtysh
 usr/lib/*/frr/libfrr.*
 usr/lib/*/frr/libfrrcares.*
 usr/lib/*/frr/libfrrospfapiclient.*
+usr/lib/*/frr/libmgmt_be_nb.so.*
 usr/lib/*/frr/modules/bgpd_bmp.so
 usr/lib/*/frr/modules/dplane_fpm_nl.so
 usr/lib/*/frr/modules/zebra_cumulus_mlag.so
diff --git a/debian/patches/CVE-2024-27913.patch b/debian/patches/CVE-2024-27913.patch
new file mode 100644
index 0000000000..0db69fd122
--- /dev/null
+++ b/debian/patches/CVE-2024-27913.patch
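Review bot: The new debian/frr.conf is not installed by anything visible in this patch: the frr.install hunk adds only libmgmt_be_nb.so, the debian/rules hunk only touches the clean target, and debhelper's dh_installtmpfiles (compat 13 and later) picks up `debian/frr.tmpfiles`, not `debian/frr.conf`. Unless a rule outside this diff copies the file into usr/lib/tmpfiles.d/, the `d /run/frr 0755 frr frr` entry is never shipped and the runtime directory the daemons expect will not be created at boot. Confirm where it is installed, or rename the file to `debian/frr.tmpfiles` so dh installs it as usr/lib/tmpfiles.d/frr.conf. The entry itself, a directory owned by the frr user with mode 0755 and no world write bit, is the right shape for a daemon runtime directory.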
@@ -0,0 +1,34 @@
+commit aae54e20498974cb026bd0e2649ca3e753090492
+Author: Olivier Dugeon
+Date: Mon Feb 26 10:40:34 2024 +0100
+
+ ospfd: Solved crash in OSPF TE parsing
+
+ Iggy Frankovic discovered an ospfd crash when perfomring fuzzing of OSPF LSA
+ packets. The crash occurs in ospf_te_parse_te() function when attemping to
+ create corresponding egde from TE Link parameters. If there is no local
+ address, an edge is created but without any attributes. During parsing, the
+ function try to access to this attribute fields which has not been created
+ causing an ospfd crash.
+
+ The patch simply check if the te parser has found a valid local address. If not
+ found, we stop the parser which avoid the crash.
+
+ Signed-off-by: Olivier Dugeon
+ (cherry picked from commit a73e66d07329d721f26f3f336f7735de420b0183)
+
+diff --git a/ospfd/ospf_te.c b/ospfd/ospf_te.c
+index d203b5ef4..1a01bf77b 100644
+--- a/ospfd/ospf_te.c
++++ b/ospfd/ospf_te.c
+@@ -2245,6 +2245,10 @@ static int ospf_te_parse_te(struct ls_ted *ted, struct ospf_lsa *lsa)
+ }
+
+ /* Get corresponding Edge from Link State Data Base */
++ if (IPV4_NET0(attr.standard.local.s_addr) && !attr.standard.local_id) {
++ ote_debug(" |- Found no TE Link local address/ID. Abort!");
++ return -1;
++ }
+ edge = get_edge(ted, attr.adv, attr.standard.local);
+ old = edge->attributes;
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000000..d43093e4db
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2024-27913.patch
diff --git a/debian/rules b/debian/rules
index 71ee2117ee..d833ec5bd7 100755
--- a/debian/rules
+++ b/debian/rules
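Review bot: The vendored patch records its provenance only inside the git-format body (the `commit aae54e20…` line and the `(cherry picked from commit a73e66d0…)` trailer) and has no DEP-3 header, so patch-tracking tooling and the security tracker cannot read which upstream commit, CVE and Debian bug it corresponds to. Add a header block above the `commit` line, at minimum `Description: CVE-2024-27913: ospfd crash in ospf_te_parse_te on a TE LSA with no local address/ID`, `Origin: upstream, commit aae54e20498974cb026bd0e2649ca3e753090492` and `Bug-Debian: https://bugs.debian.org/1065144` (the bug number is the one the changelog closes for this patch). The fix itself is the cherry-picked upstream guard, so there is nothing to change in its code here; note that the nested ospf_te_parse_te hunk shows only four context lines and the function body continues outside it on both sides.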
@@ -116,9 +116,8 @@ override_dh_auto_test:
 endif

 override_dh_auto_clean:
-# we generally do NOT want a full distclean since that wipes both
-# debian/changelog and config.version
- if test -f Makefile; then make redistclean; fi
+ dh_auto_clean
+ -rm -rf tests/.pytest_cache
 -rm -f debian/frr.init
 -rm -f debian/frr.service
 -rm -f debian/frr@.service
--
2.39.5
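Review bot: Swapping the guarded `make redistclean` for `dh_auto_clean` also deletes the two comment lines that explained why a full distclean was avoided (it wiped debian/changelog and config.version), and the changelog entry only asserts that dh_auto_clean "is safe to run now" without saying what changed to make it so. Keep a one-line comment above the new call so the rationale is not lost and the guard is not reintroduced by a later maintainer, e.g. `# dh_auto_clean (distclean) is safe since 9.1: confirmed not to remove debian/changelog or config.version`. Whether distclean really preserves those files is not visible in this patch; verify it against the build system before wording the comment that firmly, since a regression here silently destroys the packaging changelog on the second build. The override_dh_auto_clean recipe may continue past the last `-rm` line shown in the hunk.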