Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 620258 (CVE-2016-10377, CVE-2017-9263, CVE-2017-9264, CVE-2017-9265) - <net-misc/openvswitch-2.7.2: multiple vulnerabilities (CVE-2016-10377,CVE-2017-{9263,9264,9265})
Summary: <net-misc/openvswitch-2.7.2: multiple vulnerabilities (CVE-2016-10377,CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2016-10377, CVE-2017-9263, CVE-2017-9264, CVE-2017-9265
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-31 15:00 UTC by Agostino Sarubbo
Modified: 2018-11-25 00:39 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-05-31 15:00:01 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1457335:

In Open vSwitch there is a buffer over-read while parsing the group mod OpenFlow message sent from the controller in `lib/ofp-util.c` in the function `ofputil_pull_ofp15_group_mod`.
References:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332965.html


From https://bugzilla.redhat.com/show_bug.cgi?id=1457329:

In lib/conntrack.c in the firewall implementation in Open vSwitch, there is a buffer over-read while parsing malformed TCP, UDP, and IPv6 packets in the functions `extract_l3_ipv6`, `extract_l4_tcp`, and `extract_l4_udp` that can be triggered remotely.
References:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329323.html


From https://bugzilla.redhat.com/show_bug.cgi?id=1457327:

In Open vSwitch while parsing an OpenFlow role status message, there is a call to the abort() function for undefined role status reasons in the function `ofp_print_role_status_message` in `lib/ofp-print.c` that may be leveraged toward a remote DoS attack by a malicious switch.
References:
https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332966.html


From https://bugzilla.redhat.com/show_bug.cgi?id=1457325:

In Open vSwitch a malformed IP packet can cause the switch to read past the end of the packet buffer due to an unsigned integer underflow in `lib/flow.c` in the function `miniflow_extract`, permitting remote bypass of the access control list enforced by the switch.
References:
https://mail.openvswitch.org/pipermail/ovs-dev/2016-July/319503.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Volkan 2017-06-14 19:24:40 UTC
CVE numbers for the issues. Please add to alias

CVE-2016-10377 
CVE-2017-9263
CVE-2017-9264
CVE-2017-9265
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-06-15 20:15:03 UTC
CVE-2016-10377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10377):
  In Open vSwitch (OvS) 2.5.0, a malformed IP packet can cause the switch to
  read past the end of the packet buffer due to an unsigned integer underflow
  in `lib/flow.c` in the function `miniflow_extract`, permitting remote bypass
  of the access control list enforced by the switch.

CVE-2017-9263 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9263):
  In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status message,
  there is a call to the abort() function for undefined role status reasons in
  the function `ofp_print_role_status_message` in `lib/ofp-print.c` that may
  be leveraged toward a remote DoS attack by a malicious switch.

CVE-2017-9264 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9264):
  In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS)
  2.6.1, there is a buffer over-read while parsing malformed TCP, UDP, and
  IPv6 packets in the functions `extract_l3_ipv6`, `extract_l4_tcp`, and
  `extract_l4_udp` that can be triggered remotely.

CVE-2017-9265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9265):
  In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsing the
  group mod OpenFlow message sent from the controller in `lib/ofp-util.c` in
  the function `ofputil_pull_ofp15_group_mod`.
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-07-24 00:12:41 UTC
I cleaned up as much as I could (neutron needs a 2.6 to remain around), but removed all others, 2.7.2 has all the fixes/patches mentioned here and was fast stablized (low delta at that).

removing self from cc, feel free to readd if additional work is needed
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-11-25 00:39:04 UTC
tree is clean now.