5 files changed, 319 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-1.patch b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-1.patch
new file mode 100644
index 0000000000..d94d16e6c6
--- /dev/null
+++ b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-1.patch
@@ -0,0 +1,100 @@
+From b7e7e83e92812707669aa92a41f301366bfbd114 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 12 Jul 2024 15:16:47 +0100
+Subject: [PATCH] vrrp: Handle empty ipset names with vrrp_ipsets keyword
+We now handle empty ipset names and return a config error.
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+CVE: CVE-2024-41184
+Upstream-Status: Backport [https://github.com/acassen/keepalived/commit/e78513fe0ce5d83c226ea2c0bd222f375c2438e7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ keepalived/core/global_parser.c | 37 ++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
+index 2b8a80d..e273b74 100644
+--- a/keepalived/core/global_parser.c
+++ b/keepalived/core/global_parser.c
+@@ -1008,6 +1008,22 @@ vrrp_iptables_handler(const vector_t *strvec)
+        }
+ }
+ #ifdef _HAVE_LIBIPSET_
+static bool
+check_valid_ipset_name(const vector_t *strvec, unsigned entry, const char *log_name)
+{
+       if (strlen(strvec_slot(strvec, entry)) >= IPSET_MAXNAMELEN - 1) {
+               report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name too long - ignored", log_name);
+               return false;
+       }
+
+       if (strlen(strvec_slot(strvec, entry)) == 0) {
+               report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name empty - ignored", log_name);
+               return false;
+       }
+
+       return true;
+}
+
+ static void
+ vrrp_ipsets_handler(const vector_t *strvec)
+ {
+@@ -1025,17 +1041,14 @@ vrrp_ipsets_handler(const vector_t *strvec)
+                return;
+        }
+ 
+-       if (strlen(strvec_slot(strvec,1)) >= IPSET_MAXNAMELEN - 1) {
+-               report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset address name too long - ignored");
+       if (!check_valid_ipset_name(strvec, 1, "address"))
+                return;
+-       }
+
+        global_data->vrrp_ipset_address = STRDUP(strvec_slot(strvec,1));
+ 
+        if (vector_size(strvec) >= 3) {
+-               if (strlen(strvec_slot(strvec,2)) >= IPSET_MAXNAMELEN - 1) {
+-                       report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address name too long - ignored");
+               if (!check_valid_ipset_name(strvec, 2, "IPv6 address"))
+                        return;
+-               }
+                global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2));
+        }
+        else {
+@@ -1046,10 +1059,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+                global_data->vrrp_ipset_address6 = STRDUP(set_name);
+        }
+        if (vector_size(strvec) >= 4) {
+-               if (strlen(strvec_slot(strvec,3)) >= IPSET_MAXNAMELEN - 1) {
+-                       report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address_iface name too long - ignored");
+               if (!check_valid_ipset_name(strvec, 3, "IPv6 address_iface"))
+                        return;
+-               }
+                global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3));
+        }
+        else {
+@@ -1064,10 +1075,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+        }
+ 
+        if (vector_size(strvec) >= 5) {
+-               if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) {
+-                       report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored");
+               if (!check_valid_ipset_name(strvec, 4, "IGMP"))
+                        return;
+-               }
+                global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4));
+        }
+        else {
+@@ -1078,10 +1087,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+                global_data->vrrp_ipset_igmp = STRDUP(set_name);
+        }
+        if (vector_size(strvec) >= 6) {
+-               if (strlen(strvec_slot(strvec,5)) >= IPSET_MAXNAMELEN - 1) {
+-                       report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset MLD name too long - ignored");
+               if (!check_valid_ipset_name(strvec, 5, "MLD"))
+                        return;
+-               }
+                global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5));
+        }
+        else {
diff --git a/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-2.patch b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-2.patch
new file mode 100644
index 0000000000..b86c62c8a6
--- /dev/null
+++ b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-2.patch
@@ -0,0 +1,88 @@
+From f546b221c6e9672f8d3f86660376dfad07d1aefd Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 12 Jul 2024 15:18:20 +0100
+Subject: [PATCH] vrrp: handle empty iptables chain names - vrrp_iptables
+ keyword
+We now return an error if a chain name is empty.
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+CVE: CVE-2024-41184
+Upstream-Status: Backport [https://github.com/acassen/keepalived/commit/281de3aa8a0990fa3cd694a9addc0bf28953da0b]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ keepalived/core/global_parser.c | 42 ++++++++++++++++++++-------------
+ 1 file changed, 25 insertions(+), 17 deletions(-)
+diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
+index e273b74..85c9a64 100644
+--- a/keepalived/core/global_parser.c
+++ b/keepalived/core/global_parser.c
+@@ -981,6 +981,28 @@ vrrp_higher_prio_send_advert_handler(const vector_t *strvec)
+                global_data->vrrp_higher_prio_send_advert = true;
+ }
+ #ifdef _WITH_IPTABLES_
+static bool
+check_valid_iptables_ipset_name(const vector_t *strvec, unsigned entry, unsigned max_len, const char *type_name, const char *log_name)
+{
+       if (strlen(strvec_slot(strvec, entry)) >= max_len - 1) {
+               report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : %s %s name too long - ignored", type_name, log_name);
+               return false;
+       }
+
+       if (strlen(strvec_slot(strvec, entry)) == 0) {
+               report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : %s %s name empty - ignored", type_name, log_name);
+               return false;
+       }
+
+       return true;
+}
+
+static bool
+check_valid_iptables_chain_name(const vector_t *strvec, unsigned entry, const char *log_name)
+{
+       return check_valid_iptables_ipset_name(strvec, entry, XT_EXTENSION_MAXNAMELEN, "iptables", log_name);
+}
+
+ static void
+ vrrp_iptables_handler(const vector_t *strvec)
+ {
+@@ -990,16 +1012,12 @@ vrrp_iptables_handler(const vector_t *strvec)
+        }
+ 
+        if (vector_size(strvec) >= 2) {
+-               if (strlen(strvec_slot(strvec,1)) >= XT_EXTENSION_MAXNAMELEN - 1) {
+-                       report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : iptables in chain name too long - ignored");
+               if (!check_valid_iptables_chain_name(strvec, 1, "in chain"))
+                        return;
+-               }
+                global_data->vrrp_iptables_inchain = STRDUP(strvec_slot(strvec,1));
+                if (vector_size(strvec) >= 3) {
+-                       if (strlen(strvec_slot(strvec,2)) >= XT_EXTENSION_MAXNAMELEN - 1) {
+-                               report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : iptables out chain name too long - ignored");
+                       if (!check_valid_iptables_chain_name(strvec, 2, "out chain"))
+                                return;
+-                       }
+                        global_data->vrrp_iptables_outchain = STRDUP(strvec_slot(strvec,2));
+                }
+        } else {
+@@ -1011,17 +1029,7 @@ vrrp_iptables_handler(const vector_t *strvec)
+ static bool
+ check_valid_ipset_name(const vector_t *strvec, unsigned entry, const char *log_name)
+ {
+-       if (strlen(strvec_slot(strvec, entry)) >= IPSET_MAXNAMELEN - 1) {
+-               report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name too long - ignored", log_name);
+-               return false;
+-       }
+-
+-       if (strlen(strvec_slot(strvec, entry)) == 0) {
+-               report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name empty - ignored", log_name);
+-               return false;
+-       }
+-
+-       return true;
+       return check_valid_iptables_ipset_name(strvec, entry, IPSET_MAXNAMELEN, "ipset", log_name);
+ }
+ 
+ static void
diff --git a/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-3.patch b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-3.patch
new file mode 100644
index 0000000000..c620a667c2
--- /dev/null
+++ b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-3.patch
@@ -0,0 +1,94 @@
+From 2d9e3eb366e71b561481b4f1a804a77e8e364ae1 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 12 Jul 2024 15:32:35 +0100
+Subject: [PATCH] vrrp and ipvs: handle empty nftables chain names
+We now return an error if a chain name is empty.
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+CVE: CVE-2024-41184
+Upstream-Status: Backport [https://github.com/acassen/keepalived/commit/1e5902c4793ac01b810f0faa3b5cf47b41ae95c1]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ keepalived/core/global_parser.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
+index 85c9a64..a6b3f40 100644
+--- a/keepalived/core/global_parser.c
+++ b/keepalived/core/global_parser.c
+@@ -980,9 +980,10 @@ vrrp_higher_prio_send_advert_handler(const vector_t *strvec)
+        else
+                global_data->vrrp_higher_prio_send_advert = true;
+ }
+-#ifdef _WITH_IPTABLES_
+
+#if defined _WITH_IPTABLES_ || defined _WITH_NFTABLES_
+ static bool
+-check_valid_iptables_ipset_name(const vector_t *strvec, unsigned entry, unsigned max_len, const char *type_name, const char *log_name)
+check_valid_iptables_ipset_nftables_name(const vector_t *strvec, unsigned entry, unsigned max_len, const char *type_name, const char *log_name)
+ {
+        if (strlen(strvec_slot(strvec, entry)) >= max_len - 1) {
+                report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : %s %s name too long - ignored", type_name, log_name);
+@@ -996,11 +997,13 @@ check_valid_iptables_ipset_name(const vector_t *strvec, unsigned entry, unsigned
+ 
+        return true;
+ }
+#endif
+ 
+#ifdef _WITH_IPTABLES_
+ static bool
+ check_valid_iptables_chain_name(const vector_t *strvec, unsigned entry, const char *log_name)
+ {
+-       return check_valid_iptables_ipset_name(strvec, entry, XT_EXTENSION_MAXNAMELEN, "iptables", log_name);
+       return check_valid_iptables_ipset_nftables_name(strvec, entry, XT_EXTENSION_MAXNAMELEN, "iptables", log_name);
+ }
+ 
+ static void
+@@ -1029,7 +1032,7 @@ vrrp_iptables_handler(const vector_t *strvec)
+ static bool
+ check_valid_ipset_name(const vector_t *strvec, unsigned entry, const char *log_name)
+ {
+-       return check_valid_iptables_ipset_name(strvec, entry, IPSET_MAXNAMELEN, "ipset", log_name);
+       return check_valid_iptables_ipset_nftables_name(strvec, entry, IPSET_MAXNAMELEN, "ipset", log_name);
+ }
+ 
+ static void
+@@ -1124,6 +1127,12 @@ vrrp_iptables_handler(__attribute__((unused)) const vector_t *strvec)
+ 
+ #ifdef _WITH_NFTABLES_
+ #ifdef _WITH_VRRP_
+static bool
+check_valid_nftables_chain_name(const vector_t *strvec, unsigned entry, const char *log_name)
+{
+       return check_valid_iptables_ipset_nftables_name(strvec, entry, NFT_TABLE_MAXNAMELEN, "nftables", log_name);
+}
+
+ static void
+ vrrp_nftables_handler(__attribute__((unused)) const vector_t *strvec)
+ {
+@@ -1135,10 +1144,8 @@ vrrp_nftables_handler(__attribute__((unused)) const vector_t *strvec)
+        }
+ 
+        if (vector_size(strvec) >= 2) {
+-               if (strlen(strvec_slot(strvec, 1)) >= NFT_TABLE_MAXNAMELEN) {
+-                       report_config_error(CONFIG_GENERAL_ERROR, "nftables table name too long - ignoring");
+               if (!check_valid_nftables_chain_name(strvec, 1, "chain"))
+                        return;
+-               }
+                name = strvec_slot(strvec, 1);
+        }
+        else {
+@@ -1178,10 +1185,8 @@ ipvs_nftables_handler(__attribute__((unused)) const vector_t *strvec)
+        }
+ 
+        if (vector_size(strvec) >= 2) {
+-               if (strlen(strvec_slot(strvec, 1)) >= NFT_TABLE_MAXNAMELEN) {
+-                       report_config_error(CONFIG_GENERAL_ERROR, "ipvs nftables table name too long - ignoring");
+               if (!check_valid_nftables_chain_name(strvec, 1, "ipvs chain"))
+                        return;
+-               }
+                name = strvec_slot(strvec, 1);
+        }
+        else {
diff --git a/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-4.patch b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-4.patch
new file mode 100644
index 0000000000..084f7f69b1
--- /dev/null
+++ b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-4.patch
@@ -0,0 +1,33 @@
+From 67174a59068633ada8f77756d56399a53794224e Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 12 Jul 2024 15:11:13 +0100
+Subject: [PATCH] lib: don't return subtracted addresses for rb_find() compare
+ function
+If sizeof(int) < sizeof(void *) returning the difference between two
+addresses in an int can cause an overflow.
+Use less_equal_greater_than() for comparing addresses.
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+CVE: CVE-2024-41184
+Upstream-Status: Backport [https://github.com/acassen/keepalived/commit/f3a32e3557520dccb298b36b4952eff3e236fb86]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ lib/memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/memory.c b/lib/memory.c
+index 78ca675..46d7172 100644
+--- a/lib/memory.c
+++ b/lib/memory.c
+@@ -185,7 +185,7 @@ static FILE *log_op = NULL;
+ static inline int
+ memcheck_ptr_cmp(const MEMCHECK *m1, const MEMCHECK *m2)
+ {
+-       return (char *)m1->ptr - (char *)m2->ptr;
+       return less_equal_greater_than((char *)m1->ptr, (char *)m2->ptr);
+ }
+ 
+ static inline int
diff --git a/meta-networking/recipes-daemons/keepalived/keepalived_2.2.2.bb b/meta-networking/recipes-daemons/keepalived/keepalived_2.2.2.bb
index ca476f8605..582f6341db 100644
--- a/meta-networking/recipes-daemons/keepalived/keepalived_2.2.2.bb
+++ b/meta-networking/recipes-daemons/keepalived/keepalived_2.2.2.bb
@@ -13,6 +13,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 SRC_URI = "http://www.keepalived.org/software/${BP}.tar.gz \
           file://0001-layer4-Change-order-of-include-files.patch \
           file://CVE-2021-44225.patch \
+           file://CVE-2024-41184-1.patch \
+           file://CVE-2024-41184-2.patch \
+           file://CVE-2024-41184-3.patch \
+           file://CVE-2024-41184-4.patch \
           "
 SRC_URI[sha256sum] = "103692bd5345a4ed9f4581632ea636214fdf53e45682e200aab122c4fa674ece"
 UPSTREAM_CHECK_URI = "https://github.com/acassen/keepalived/releases"

diff --git a/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-1.patch b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-1.patch new file mode 100644 index 0000000000..d94d16e6c6 --- /dev/null +++ b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-1.patch
@@ -0,0 +1,100 @@
		1	From b7e7e83e92812707669aa92a41f301366bfbd114 Mon Sep 17 00:00:00 2001
		2	From: Quentin Armitage <quentin@armitage.org.uk>
		3	Date: Fri, 12 Jul 2024 15:16:47 +0100
		4	Subject: [PATCH] vrrp: Handle empty ipset names with vrrp_ipsets keyword
		5
		6	We now handle empty ipset names and return a config error.
		7
		8	Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
		9
		10	CVE: CVE-2024-41184
		11	Upstream-Status: Backport [https://github.com/acassen/keepalived/commit/e78513fe0ce5d83c226ea2c0bd222f375c2438e7]
		12	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		13	---
		14	keepalived/core/global_parser.c \| 37 ++++++++++++++++++++-------------
		15	1 file changed, 22 insertions(+), 15 deletions(-)
		16
		17	diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
		18	index 2b8a80d..e273b74 100644
		19	--- a/keepalived/core/global_parser.c
		20	+++ b/keepalived/core/global_parser.c
		21	@@ -1008,6 +1008,22 @@ vrrp_iptables_handler(const vector_t *strvec)
		22	}
		23	}
		24	#ifdef _HAVE_LIBIPSET_
		25	+static bool
		26	+check_valid_ipset_name(const vector_t strvec, unsigned entry, const char log_name)
		27	+{
		28	+ if (strlen(strvec_slot(strvec, entry)) >= IPSET_MAXNAMELEN - 1) {
		29	+ report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name too long - ignored", log_name);
		30	+ return false;
		31	+ }
		32	+
		33	+ if (strlen(strvec_slot(strvec, entry)) == 0) {
		34	+ report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name empty - ignored", log_name);
		35	+ return false;
		36	+ }
		37	+
		38	+ return true;
		39	+}
		40	+
		41	static void
		42	vrrp_ipsets_handler(const vector_t *strvec)
		43	{
		44	@@ -1025,17 +1041,14 @@ vrrp_ipsets_handler(const vector_t *strvec)
		45	return;
		46	}
		47
		48	- if (strlen(strvec_slot(strvec,1)) >= IPSET_MAXNAMELEN - 1) {
		49	- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset address name too long - ignored");
		50	+ if (!check_valid_ipset_name(strvec, 1, "address"))
		51	return;
		52	- }
		53	+
		54	global_data->vrrp_ipset_address = STRDUP(strvec_slot(strvec,1));
		55
		56	if (vector_size(strvec) >= 3) {
		57	- if (strlen(strvec_slot(strvec,2)) >= IPSET_MAXNAMELEN - 1) {
		58	- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address name too long - ignored");
		59	+ if (!check_valid_ipset_name(strvec, 2, "IPv6 address"))
		60	return;
		61	- }
		62	global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2));
		63	}
		64	else {
		65	@@ -1046,10 +1059,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
		66	global_data->vrrp_ipset_address6 = STRDUP(set_name);
		67	}
		68	if (vector_size(strvec) >= 4) {
		69	- if (strlen(strvec_slot(strvec,3)) >= IPSET_MAXNAMELEN - 1) {
		70	- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address_iface name too long - ignored");
		71	+ if (!check_valid_ipset_name(strvec, 3, "IPv6 address_iface"))
		72	return;
		73	- }
		74	global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3));
		75	}
		76	else {
		77	@@ -1064,10 +1075,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
		78	}
		79
		80	if (vector_size(strvec) >= 5) {
		81	- if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) {
		82	- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored");
		83	+ if (!check_valid_ipset_name(strvec, 4, "IGMP"))
		84	return;
		85	- }
		86	global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4));
		87	}
		88	else {
		89	@@ -1078,10 +1087,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
		90	global_data->vrrp_ipset_igmp = STRDUP(set_name);
		91	}
		92	if (vector_size(strvec) >= 6) {
		93	- if (strlen(strvec_slot(strvec,5)) >= IPSET_MAXNAMELEN - 1) {
		94	- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset MLD name too long - ignored");
		95	+ if (!check_valid_ipset_name(strvec, 5, "MLD"))
		96	return;
		97	- }
		98	global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5));
		99	}
		100	else {


diff --git a/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-2.patch b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-2.patch new file mode 100644 index 0000000000..b86c62c8a6 --- /dev/null +++ b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-2.patch
@@ -0,0 +1,88 @@
		1	From f546b221c6e9672f8d3f86660376dfad07d1aefd Mon Sep 17 00:00:00 2001
		2	From: Quentin Armitage <quentin@armitage.org.uk>
		3	Date: Fri, 12 Jul 2024 15:18:20 +0100
		4	Subject: [PATCH] vrrp: handle empty iptables chain names - vrrp_iptables
		5	keyword
		6
		7	We now return an error if a chain name is empty.
		8
		9	Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
		10
		11	CVE: CVE-2024-41184
		12	Upstream-Status: Backport [https://github.com/acassen/keepalived/commit/281de3aa8a0990fa3cd694a9addc0bf28953da0b]
		13	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		14	---
		15	keepalived/core/global_parser.c \| 42 ++++++++++++++++++++-------------
		16	1 file changed, 25 insertions(+), 17 deletions(-)
		17
		18	diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
		19	index e273b74..85c9a64 100644
		20	--- a/keepalived/core/global_parser.c
		21	+++ b/keepalived/core/global_parser.c
		22	@@ -981,6 +981,28 @@ vrrp_higher_prio_send_advert_handler(const vector_t *strvec)
		23	global_data->vrrp_higher_prio_send_advert = true;
		24	}
		25	#ifdef _WITH_IPTABLES_
		26	+static bool
		27	+check_valid_iptables_ipset_name(const vector_t strvec, unsigned entry, unsigned max_len, const char type_name, const char *log_name)
		28	+{
		29	+ if (strlen(strvec_slot(strvec, entry)) >= max_len - 1) {
		30	+ report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : %s %s name too long - ignored", type_name, log_name);
		31	+ return false;
		32	+ }
		33	+
		34	+ if (strlen(strvec_slot(strvec, entry)) == 0) {
		35	+ report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : %s %s name empty - ignored", type_name, log_name);
		36	+ return false;
		37	+ }
		38	+
		39	+ return true;
		40	+}
		41	+
		42	+static bool
		43	+check_valid_iptables_chain_name(const vector_t strvec, unsigned entry, const char log_name)
		44	+{
		45	+ return check_valid_iptables_ipset_name(strvec, entry, XT_EXTENSION_MAXNAMELEN, "iptables", log_name);
		46	+}
		47	+
		48	static void
		49	vrrp_iptables_handler(const vector_t *strvec)
		50	{
		51	@@ -990,16 +1012,12 @@ vrrp_iptables_handler(const vector_t *strvec)
		52	}
		53
		54	if (vector_size(strvec) >= 2) {
		55	- if (strlen(strvec_slot(strvec,1)) >= XT_EXTENSION_MAXNAMELEN - 1) {
		56	- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : iptables in chain name too long - ignored");
		57	+ if (!check_valid_iptables_chain_name(strvec, 1, "in chain"))
		58	return;
		59	- }
		60	global_data->vrrp_iptables_inchain = STRDUP(strvec_slot(strvec,1));
		61	if (vector_size(strvec) >= 3) {
		62	- if (strlen(strvec_slot(strvec,2)) >= XT_EXTENSION_MAXNAMELEN - 1) {
		63	- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : iptables out chain name too long - ignored");
		64	+ if (!check_valid_iptables_chain_name(strvec, 2, "out chain"))
		65	return;
		66	- }
		67	global_data->vrrp_iptables_outchain = STRDUP(strvec_slot(strvec,2));
		68	}
		69	} else {
		70	@@ -1011,17 +1029,7 @@ vrrp_iptables_handler(const vector_t *strvec)
		71	static bool
		72	check_valid_ipset_name(const vector_t strvec, unsigned entry, const char log_name)
		73	{
		74	- if (strlen(strvec_slot(strvec, entry)) >= IPSET_MAXNAMELEN - 1) {
		75	- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name too long - ignored", log_name);
		76	- return false;
		77	- }
		78	-
		79	- if (strlen(strvec_slot(strvec, entry)) == 0) {
		80	- report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name empty - ignored", log_name);
		81	- return false;
		82	- }
		83	-
		84	- return true;
		85	+ return check_valid_iptables_ipset_name(strvec, entry, IPSET_MAXNAMELEN, "ipset", log_name);
		86	}
		87
		88	static void


diff --git a/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-3.patch b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-3.patch new file mode 100644 index 0000000000..c620a667c2 --- /dev/null +++ b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-3.patch
@@ -0,0 +1,94 @@
		1	From 2d9e3eb366e71b561481b4f1a804a77e8e364ae1 Mon Sep 17 00:00:00 2001
		2	From: Quentin Armitage <quentin@armitage.org.uk>
		3	Date: Fri, 12 Jul 2024 15:32:35 +0100
		4	Subject: [PATCH] vrrp and ipvs: handle empty nftables chain names
		5
		6	We now return an error if a chain name is empty.
		7
		8	Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
		9
		10	CVE: CVE-2024-41184
		11	Upstream-Status: Backport [https://github.com/acassen/keepalived/commit/1e5902c4793ac01b810f0faa3b5cf47b41ae95c1]
		12	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		13	---
		14	keepalived/core/global_parser.c \| 25 +++++++++++++++----------
		15	1 file changed, 15 insertions(+), 10 deletions(-)
		16
		17	diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
		18	index 85c9a64..a6b3f40 100644
		19	--- a/keepalived/core/global_parser.c
		20	+++ b/keepalived/core/global_parser.c
		21	@@ -980,9 +980,10 @@ vrrp_higher_prio_send_advert_handler(const vector_t *strvec)
		22	else
		23	global_data->vrrp_higher_prio_send_advert = true;
		24	}
		25	-#ifdef _WITH_IPTABLES_
		26	+
		27	+#if defined _WITH_IPTABLES_ \|\| defined _WITH_NFTABLES_
		28	static bool
		29	-check_valid_iptables_ipset_name(const vector_t strvec, unsigned entry, unsigned max_len, const char type_name, const char *log_name)
		30	+check_valid_iptables_ipset_nftables_name(const vector_t strvec, unsigned entry, unsigned max_len, const char type_name, const char *log_name)
		31	{
		32	if (strlen(strvec_slot(strvec, entry)) >= max_len - 1) {
		33	report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : %s %s name too long - ignored", type_name, log_name);
		34	@@ -996,11 +997,13 @@ check_valid_iptables_ipset_name(const vector_t *strvec, unsigned entry, unsigned
		35
		36	return true;
		37	}
		38	+#endif
		39
		40	+#ifdef _WITH_IPTABLES_
		41	static bool
		42	check_valid_iptables_chain_name(const vector_t strvec, unsigned entry, const char log_name)
		43	{
		44	- return check_valid_iptables_ipset_name(strvec, entry, XT_EXTENSION_MAXNAMELEN, "iptables", log_name);
		45	+ return check_valid_iptables_ipset_nftables_name(strvec, entry, XT_EXTENSION_MAXNAMELEN, "iptables", log_name);
		46	}
		47
		48	static void
		49	@@ -1029,7 +1032,7 @@ vrrp_iptables_handler(const vector_t *strvec)
		50	static bool
		51	check_valid_ipset_name(const vector_t strvec, unsigned entry, const char log_name)
		52	{
		53	- return check_valid_iptables_ipset_name(strvec, entry, IPSET_MAXNAMELEN, "ipset", log_name);
		54	+ return check_valid_iptables_ipset_nftables_name(strvec, entry, IPSET_MAXNAMELEN, "ipset", log_name);
		55	}
		56
		57	static void
		58	@@ -1124,6 +1127,12 @@ vrrp_iptables_handler(__attribute__((unused)) const vector_t *strvec)
		59
		60	#ifdef _WITH_NFTABLES_
		61	#ifdef _WITH_VRRP_
		62	+static bool
		63	+check_valid_nftables_chain_name(const vector_t strvec, unsigned entry, const char log_name)
		64	+{
		65	+ return check_valid_iptables_ipset_nftables_name(strvec, entry, NFT_TABLE_MAXNAMELEN, "nftables", log_name);
		66	+}
		67	+
		68	static void
		69	vrrp_nftables_handler(__attribute__((unused)) const vector_t *strvec)
		70	{
		71	@@ -1135,10 +1144,8 @@ vrrp_nftables_handler(__attribute__((unused)) const vector_t *strvec)
		72	}
		73
		74	if (vector_size(strvec) >= 2) {
		75	- if (strlen(strvec_slot(strvec, 1)) >= NFT_TABLE_MAXNAMELEN) {
		76	- report_config_error(CONFIG_GENERAL_ERROR, "nftables table name too long - ignoring");
		77	+ if (!check_valid_nftables_chain_name(strvec, 1, "chain"))
		78	return;
		79	- }
		80	name = strvec_slot(strvec, 1);
		81	}
		82	else {
		83	@@ -1178,10 +1185,8 @@ ipvs_nftables_handler(__attribute__((unused)) const vector_t *strvec)
		84	}
		85
		86	if (vector_size(strvec) >= 2) {
		87	- if (strlen(strvec_slot(strvec, 1)) >= NFT_TABLE_MAXNAMELEN) {
		88	- report_config_error(CONFIG_GENERAL_ERROR, "ipvs nftables table name too long - ignoring");
		89	+ if (!check_valid_nftables_chain_name(strvec, 1, "ipvs chain"))
		90	return;
		91	- }
		92	name = strvec_slot(strvec, 1);
		93	}
		94	else {


diff --git a/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-4.patch b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-4.patch new file mode 100644 index 0000000000..084f7f69b1 --- /dev/null +++ b/meta-networking/recipes-daemons/keepalived/keepalived/CVE-2024-41184-4.patch
@@ -0,0 +1,33 @@
		1	From 67174a59068633ada8f77756d56399a53794224e Mon Sep 17 00:00:00 2001
		2	From: Quentin Armitage <quentin@armitage.org.uk>
		3	Date: Fri, 12 Jul 2024 15:11:13 +0100
		4	Subject: [PATCH] lib: don't return subtracted addresses for rb_find() compare
		5	function
		6
		7	If sizeof(int) < sizeof(void *) returning the difference between two
		8	addresses in an int can cause an overflow.
		9
		10	Use less_equal_greater_than() for comparing addresses.
		11
		12	Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
		13
		14	CVE: CVE-2024-41184
		15	Upstream-Status: Backport [https://github.com/acassen/keepalived/commit/f3a32e3557520dccb298b36b4952eff3e236fb86]
		16	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		17	---
		18	lib/memory.c \| 2 +-
		19	1 file changed, 1 insertion(+), 1 deletion(-)
		20
		21	diff --git a/lib/memory.c b/lib/memory.c
		22	index 78ca675..46d7172 100644
		23	--- a/lib/memory.c
		24	+++ b/lib/memory.c
		25	@@ -185,7 +185,7 @@ static FILE *log_op = NULL;
		26	static inline int
		27	memcheck_ptr_cmp(const MEMCHECK m1, const MEMCHECK m2)
		28	{
		29	- return (char )m1->ptr - (char )m2->ptr;
		30	+ return less_equal_greater_than((char )m1->ptr, (char )m2->ptr);
		31	}
		32
		33	static inline int


diff --git a/meta-networking/recipes-daemons/keepalived/keepalived_2.2.2.bb b/meta-networking/recipes-daemons/keepalived/keepalived_2.2.2.bb index ca476f8605..582f6341db 100644 --- a/meta-networking/recipes-daemons/keepalived/keepalived_2.2.2.bb +++ b/meta-networking/recipes-daemons/keepalived/keepalived_2.2.2.bb
@@ -13,6 +13,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
13	SRC_URI = "http://www.keepalived.org/software/${BP}.tar.gz \	13	SRC_URI = "http://www.keepalived.org/software/${BP}.tar.gz \
14	file://0001-layer4-Change-order-of-include-files.patch \	14	file://0001-layer4-Change-order-of-include-files.patch \
15	file://CVE-2021-44225.patch \	15	file://CVE-2021-44225.patch \
		16	file://CVE-2024-41184-1.patch \
		17	file://CVE-2024-41184-2.patch \
		18	file://CVE-2024-41184-3.patch \
		19	file://CVE-2024-41184-4.patch \
16	"	20	"
17	SRC_URI[sha256sum] = "103692bd5345a4ed9f4581632ea636214fdf53e45682e200aab122c4fa674ece"	21	SRC_URI[sha256sum] = "103692bd5345a4ed9f4581632ea636214fdf53e45682e200aab122c4fa674ece"
18	UPSTREAM_CHECK_URI = "https://github.com/acassen/keepalived/releases"	22	UPSTREAM_CHECK_URI = "https://github.com/acassen/keepalived/releases"