main/openvswitch: security fix (CVE-2016-2074). Fixes #5339

(cherry picked from commit 3f597cd91f6b9a54ac5d7ece8cf44dd376f0cb60)

2 files changed, 62 insertions, 4 deletions

diff --git a/main/openvswitch/APKBUILD b/main/openvswitch/APKBUILD
index 4d7e4a51a0..511b3db666 100644
--- a/main/openvswitch/APKBUILD
+++ b/main/openvswitch/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
 pkgname=openvswitch
 pkgver=2.3.0
-pkgrel=6
+pkgrel=7
 pkgdesc="A production quality, multilayer virtual switch"
 url="http://openvswitch.org/"
 arch="all"
@@ -18,9 +18,11 @@ source="http://openvswitch.org/releases/$pkgname-$pkgver.tar.gz
 	ovs-vswitchd.initd
 	ovs-vswitchd.confd
 	ovs-modules.initd
+
 	musl-if_packet.patch
 	0001-ovs-thread-Set-stacksize-to-1M.patch
 	ifupdown-alpine.patch
+	CVE-2016-2074.patch
 	"
 
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -88,7 +90,8 @@ f10a8ac784654bec359bda52779f16fe  ovsdb-server.confd
 ae128e5c349710c0fb3849b2d3b3aa40  ovs-modules.initd
 6e17032bd6e7caf6e6e844b5a84d7080  musl-if_packet.patch
 59fa9a6d293a25571562a5190ae559f2  0001-ovs-thread-Set-stacksize-to-1M.patch
-efb3c073b7c475d9fb3999a38e4f92c0  ifupdown-alpine.patch"
+efb3c073b7c475d9fb3999a38e4f92c0  ifupdown-alpine.patch
+c9fd9ac0c32465353da3cabe822f0b3d  CVE-2016-2074.patch"
 sha256sums="011052645cd4c7afee2732e87d45e589a0540ac7b7523027d3be2d7c7db7c899  openvswitch-2.3.0.tar.gz
 d7791b1e7e84955489f88e457631c6cedfeff26c5865c8569b69e1bd96633dc7  ovsdb-server.initd
 d0d8a6a7256f4cc47ab1b9f9f7657202388133bcfff3668e7c1d4adbcc572261  ovsdb-server.confd
@@ -97,7 +100,8 @@ cc189d5ca24708ff775a4de312df3f611c65714724b8901ec6527c9e3f22e14a  ovs-vswitchd.c
 94f4dba5e2ddedb9c91911b02dbfc41a5114e8a5066a8db3ef4444ebb5400173  ovs-modules.initd
 d0e9e3e30b2943b10e7efa59c41c3bf8d5b599d55fc99198146bf4761df4d8ae  musl-if_packet.patch
 faf997814e89b0b5948c06050ef38051f0bc6b108958f76313263f77a724906c  0001-ovs-thread-Set-stacksize-to-1M.patch
-d2284376febcdb465ef2f216be01be52dab2a9726624b12c5cc47fb0d955d1b1  ifupdown-alpine.patch"
+d2284376febcdb465ef2f216be01be52dab2a9726624b12c5cc47fb0d955d1b1  ifupdown-alpine.patch
+5b8ec5808d8c1dcdbb9b30f7af261a67668e2f6ee74df9e87fcf82e9bbb0e6a2  CVE-2016-2074.patch"
 sha512sums="f3a665bc84d8a6e282928db61ae648a826f273e44e34311a60e6f0e74a6ab10c8410cb374f0ce80abe7c58b9559a97388cdbfe2ef28ac4bedd2f5e52b3cd6ed1  openvswitch-2.3.0.tar.gz
 7b6b0a3c42839053d21ff72b576d92ba08ee5d900faa25fa04a183114a55c4d7dc85538cd7d3333386a27d7a7f632c1d2a38a2b950972c29d11d96addaffa27c  ovsdb-server.initd
 b1588d076bbfc7ef2dd46fce8e46186f40cbbc4667697f7ac13ddc68e34568fdab315fde47838de7f6d32916853190336cfe3735f672ad7cb624ae14dbff55a5  ovsdb-server.confd
@@ -106,4 +110,5 @@ b1588d076bbfc7ef2dd46fce8e46186f40cbbc4667697f7ac13ddc68e34568fdab315fde47838de7
 e1f88ff11cd1d5a4025626acad49411e8a2d5d7caa20d0a63ef0422a9b1bb55b070843327d8bb209e1e915d2a3f1c3bcae911acf40e0a419bc6cce6250239232  ovs-modules.initd
 1ebfb2629081cc0b34383e6c2f163f3c1d43da3a399b8ba8745871b77029d3b8fc21a287ff859a6a9cca2cb4885715458d4e4086cb6c17765ff7c898d4004850  musl-if_packet.patch
 5fed04e68b58ab322154fa1cc4c4b63b08c22ed41f0b7713dbe8437f7cb4e9fd93c8aba524c2e5a46bba956da9439f5bfe5ba6fcdff2b98fa9bbcc748c5b64db  0001-ovs-thread-Set-stacksize-to-1M.patch
-eb24886fd8110adde4a68f7ab0887af0cdf88e27d58f030208a0a9d7aef0065b8c5f7e2d489ff48c82ba386fbb9575c0273c5d4958e2638263ea78824242354e  ifupdown-alpine.patch"
+eb24886fd8110adde4a68f7ab0887af0cdf88e27d58f030208a0a9d7aef0065b8c5f7e2d489ff48c82ba386fbb9575c0273c5d4958e2638263ea78824242354e  ifupdown-alpine.patch
+4c208225c200199939e82d8d8170c4d62b40d8b9293eaf7b1f701f1958d2b3982ab649b6b46ab467582ac55c2a9b3c1407d447d8511d32f232f80c8aca97812b  CVE-2016-2074.patch"
diff --git a/main/openvswitch/CVE-2016-2074.patch b/main/openvswitch/CVE-2016-2074.patch
new file mode 100644
index 0000000000..2b20a3abdd
--- /dev/null
+++ b/main/openvswitch/CVE-2016-2074.patch
@@ -0,0 +1,53 @@
+From: Ben Pfaff <blp at ovn.org>
+Date: Mon, 7 Mar 2016 15:30:39 -0800
+Subject: [PATCH branch-2.3] flow: Fix buffer overflow for crafted MPLS packets.
+
+A bug in MPLS parsing could cause a crafted MPLS packet to overflow the
+buffer reserved for MPLS labels in the OVS internal flow structure.  This
+fixes the problem.
+
+This commit also fixes a secondary problem where an MPLS packet with zero
+labels could cause an out-of-range shift that would overwrite memory.
+There is no obvious way to control the data used in the overwrite, so this
+is harder to exploit.
+
+Vulnerability: CVE-2016-2074
+Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju at sec.t-labs.tu-berlin.de>
+Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
+Signed-off-by: Ben Pfaff <blp at ovn.org>
+Acked-by: Jesse Gross <jesse at kernel.org>
+---
+ lib/flow.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/flow.c b/lib/flow.c
+index 52a384e..61a66ec 100644
+--- a/lib/flow.c
++++ b/lib/flow.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
++ * Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2016 Nicira, Inc.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -159,7 +159,7 @@ struct mf_ctx {
+ 
+ /* Data at 'valuep' may be unaligned. */
+ #define miniflow_push_words_(MF, OFS, VALUEP, N_WORDS)          \
+-{                                                               \
++if (N_WORDS) {                                                  \
+     int ofs32 = (OFS) / 4;                                      \
+                                                                         \
+     MINIFLOW_ASSERT(MF.data + (N_WORDS) <= MF.end && (OFS) % 4 == 0     \
+@@ -210,7 +210,7 @@ parse_mpls(void **datap, size_t *sizep)
+             break;
+         }
+     }
+-    return MAX(count, FLOW_MAX_MPLS_LABELS);
++    return MIN(count, FLOW_MAX_MPLS_LABELS);
+ }
+ 
+ static inline ovs_be16
+-- 
+2.1.3