From b19d7a311af91754d30ea8ab365aaf24a1183334 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 9 Feb 2023 12:02:21 +0800 Subject: frr: Security fix for CVE-2022-42917 Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-42917 https://www.suse.com/de-de/security/cve/CVE-2022-42917.html https://bugzilla.suse.com/show_bug.cgi?id=1204124 Patch from: [1] https://github.com/FRRouting/frr/commit/5216a05b32390a64efeb598051411e1776042624 [2] https://github.com/FRRouting/frr/commit/6031b8a3224cde14fd1df6e60855310f97942ff9 Per [2], update frr.pam to eliminate the warning issued by pam: vtysh[485]: pam_warn(frr:account): function=[pam_sm_acct_mgmt] flags=0 service=[frr] terminal=[] user=[root] ruser=[] rhost=[] Signed-off-by: Yi Zhao Signed-off-by: Armin Kuster --- .../recipes-protocols/frr/frr/CVE-2022-42917.patch | 36 ++++++++++++++++++++++ meta-networking/recipes-protocols/frr/frr/frr.pam | 3 +- meta-networking/recipes-protocols/frr/frr_8.2.2.bb | 1 + 3 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch (limited to 'meta-networking/recipes-protocols') diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch new file mode 100644 index 0000000000..73493bb120 --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2022-42917.patch @@ -0,0 +1,36 @@ +From 5216a05b32390a64efeb598051411e1776042624 Mon Sep 17 00:00:00 2001 +From: Marius Tomaschewski +Date: Fri, 11 Nov 2022 12:26:04 +0100 +Subject: [PATCH] tools: remove backslash from declare check regex + +The backslash in `grep -q '^declare \-a'` is not needed and +causes `grep: warning: stray \ before -` warning in grep-3.8. + +Signed-off-by: Marius Tomaschewski + +CVE: CVE-2022-42917 + +Upstream-Status: Backport +[https://github.com/FRRouting/frr/commit/5216a05b32390a64efeb598051411e1776042624] + +Signed-off-by: Yi Zhao +--- + tools/frrcommon.sh.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/frrcommon.sh.in b/tools/frrcommon.sh.in +index 61f1abb37..3c16c27c6 100755 +--- a/tools/frrcommon.sh.in ++++ b/tools/frrcommon.sh.in +@@ -335,7 +335,7 @@ if [ -z "$FRR_PATHSPACE" ]; then + load_old_config "/etc/sysconfig/frr" + fi + +-if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare \-a'; then ++if { declare -p watchfrr_options 2>/dev/null || true; } | grep -q '^declare -a'; then + log_warning_msg "watchfrr_options contains a bash array value." \ + "The configured value is intentionally ignored since it is likely wrong." \ + "Please remove or fix the setting." +-- +2.25.1 + diff --git a/meta-networking/recipes-protocols/frr/frr/frr.pam b/meta-networking/recipes-protocols/frr/frr/frr.pam index 3541a975ae..a9ec35dd69 100644 --- a/meta-networking/recipes-protocols/frr/frr/frr.pam +++ b/meta-networking/recipes-protocols/frr/frr/frr.pam @@ -1,10 +1,11 @@ # -# The PAM configuration file for the quagga `vtysh' service +# The PAM configuration file for the frr `vtysh' service # # This allows root to change user infomation without being # prompted for a password auth sufficient pam_rootok.so +account sufficient pam_rootok.so # The standard Unix authentication modules, used with # NIS (man nsswitch) as well as normal /etc/passwd and diff --git a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb index 658731567d..80f4729e1f 100644 --- a/meta-networking/recipes-protocols/frr/frr_8.2.2.bb +++ b/meta-networking/recipes-protocols/frr/frr_8.2.2.bb @@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/8.2 \ file://CVE-2022-37035.patch \ file://CVE-2022-37032.patch \ + file://CVE-2022-42917.patch \ file://frr.pam \ " -- cgit v1.2.3-54-g00ecf