frr: Security fix for CVE-2022-42917

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-42917 https://www.suse.com/de-de/security/cve/CVE-2022-42917.html https://bugzilla.suse.com/show_bug.cgi?id=1204124 Patch from: [1] https://github.com/FRRouting/frr/commit/5216a05b32390a64efeb598051411e1776042624 [2] https://github.com/FRRouting/frr/commit/6031b8a3224cde14fd1df6e60855310f97942ff9 Per [2], update frr.pam to eliminate the warning issued by pam: vtysh[485]: pam_warn(frr:account): function=[pam_sm_acct_mgmt] flags=0 service=[frr] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>] Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Yi Zhao <yi.zhao@eng.windriver.com> 2023-02-09 12:02:21 +0800
committer: Armin Kuster <akuster808@gmail.com> 2023-02-11 11:11:04 -0500
commit: b19d7a311af91754d30ea8ab365aaf24a1183334 (patch)
tree: 3381e64f1c55aded8e35039f969eb4710454f3ce /meta-networking/recipes-protocols
parent: 5fdd2edebebcafbb87b1171d57cb5bd53baf8038 (diff)
download: meta-openembedded-b19d7a311af91754d30ea8ab365aaf24a1183334.tar.gz
3 files changed, 39 insertions, 1 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch
new file mode 100644
index 0000000000..73493bb120
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch
@@ -0,0 +1,36 @@
+From 5216a05b32390a64efeb598051411e1776042624 Mon Sep 17 00:00:00 2001
+From: Marius Tomaschewski <mt@suse.com>
+Date: Fri, 11 Nov 2022 12:26:04 +0100
+Subject: [PATCH] tools: remove backslash from declare check regex
+The backslash in `grep -q '^declare \-a'` is not needed and
+causes `grep: warning: stray \ before -` warning in grep-3.8.
+Signed-off-by: Marius Tomaschewski <mt@suse.com>
+CVE: CVE-2022-42917
+Upstream-Status: Backport
+[https://github.com/FRRouting/frr/commit/5216a05b32390a64efeb598051411e1776042624]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ tools/frrcommon.sh.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
+index 61f1abb37..3c16c27c6 100755
+--- a/tools/frrcommon.sh.in
+++ b/tools/frrcommon.sh.in
+@@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then
+        load_old_config "/etc/sysconfig/frr"
+ fi
+ 
+-if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare \-a'; then
+if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare -a'; then
+        log_warning_msg "watchfrr_options contains a bash array value." \
+                "The configured value is intentionally ignored since it is likely wrong." \
+                "Please remove or fix the setting."
+-- 
+2.25.1
diff --git a/meta-networking/recipes-protocols/frr/frr/frr.pam b/meta-networking/recipes-protocols/frr/frr/frr.pam
index 3541a975ae..a9ec35dd69 100644
--- a/meta-networking/recipes-protocols/frr/frr/frr.pam
+++ b/meta-networking/recipes-protocols/frr/frr/frr.pam
@@ -1,10 +1,11 @@
 #
-# The PAM configuration file for the quagga `vtysh' service
+# The PAM configuration file for the frr `vtysh' service
 #
 # This allows root to change user infomation without being
 # prompted for a password
 auth            sufficient      pam_rootok.so
+account         sufficient      pam_rootok.so
 # The standard Unix authentication modules, used with
 # NIS (man nsswitch) as well as normal /etc/passwd and
diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
index 658731567d..80f4729e1f 100644
--- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
+++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
           file://CVE-2022-37035.patch \
           file://CVE-2022-37032.patch \
+           file://CVE-2022-42917.patch \
           file://frr.pam \
              "
author	Yi Zhao <yi.zhao@eng.windriver.com>	2023-02-09 12:02:21 +0800
committer	Armin Kuster <akuster808@gmail.com>	2023-02-11 11:11:04 -0500
commit	b19d7a311af91754d30ea8ab365aaf24a1183334 (patch)
tree	3381e64f1c55aded8e35039f969eb4710454f3ce /meta-networking/recipes-protocols
parent	5fdd2edebebcafbb87b1171d57cb5bd53baf8038 (diff)
download	meta-openembedded-b19d7a311af91754d30ea8ab365aaf24a1183334.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch new file mode 100644 index 0000000000..73493bb120 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch
@@ -0,0 +1,36 @@
		1	From 5216a05b32390a64efeb598051411e1776042624 Mon Sep 17 00:00:00 2001
		2	From: Marius Tomaschewski <mt@suse.com>
		3	Date: Fri, 11 Nov 2022 12:26:04 +0100
		4	Subject: [PATCH] tools: remove backslash from declare check regex
		5
		6	The backslash in `grep -q '^declare \-a'` is not needed and
		7	causes `grep: warning: stray \ before -` warning in grep-3.8.
		8
		9	Signed-off-by: Marius Tomaschewski <mt@suse.com>
		10
		11	CVE: CVE-2022-42917
		12
		13	Upstream-Status: Backport
		14	[https://github.com/FRRouting/frr/commit/5216a05b32390a64efeb598051411e1776042624]
		15
		16	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		17	---
		18	tools/frrcommon.sh.in \| 2 +-
		19	1 file changed, 1 insertion(+), 1 deletion(-)
		20
		21	diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in
		22	index 61f1abb37..3c16c27c6 100755
		23	--- a/tools/frrcommon.sh.in
		24	+++ b/tools/frrcommon.sh.in
		25	@@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then
		26	load_old_config "/etc/sysconfig/frr"
		27	fi
		28
		29	-if { declare -p watchfrr_options 2>/dev/null \|\| true; } \| grep -q '^declare \-a'; then
		30	+if { declare -p watchfrr_options 2>/dev/null \|\| true; } \| grep -q '^declare -a'; then
		31	log_warning_msg "watchfrr_options contains a bash array value." \
		32	"The configured value is intentionally ignored since it is likely wrong." \
		33	"Please remove or fix the setting."
		34	--
		35	2.25.1
		36


diff --git a/meta-networking/recipes-protocols/frr/frr/frr.pam b/meta-networking/recipes-protocols/frr/frr/frr.pam index 3541a975ae..a9ec35dd69 100644 --- a/meta-networking/recipes-protocols/frr/frr/frr.pam +++ b/meta-networking/recipes-protocols/frr/frr/frr.pam
@@ -1,10 +1,11 @@
1	#	1	#
2	# The PAM configuration file for the quagga `vtysh' service	2	# The PAM configuration file for the frr `vtysh' service
3	#	3	#
4		4
5	# This allows root to change user infomation without being	5	# This allows root to change user infomation without being
6	# prompted for a password	6	# prompted for a password
7	auth sufficient pam_rootok.so	7	auth sufficient pam_rootok.so
		8	account sufficient pam_rootok.so
8		9
9	# The standard Unix authentication modules, used with	10	# The standard Unix authentication modules, used with
10	# NIS (man nsswitch) as well as normal /etc/passwd and	11	# NIS (man nsswitch) as well as normal /etc/passwd and


diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 658731567d..80f4729e1f 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
12	SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \	12	SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \
13	file://CVE-2022-37035.patch \	13	file://CVE-2022-37035.patch \
14	file://CVE-2022-37032.patch \	14	file://CVE-2022-37032.patch \
		15	file://CVE-2022-42917.patch \
15	file://frr.pam \	16	file://frr.pam \
16	"	17	"
17		18