Date: Saturday, February 23, 2013 @ 21:56:19 Author: seblu Revision: 84731
upgpkg: quagga 0.99.22-1
Modified: quagga/trunk/PKGBUILD
Deleted: quagga/trunk/0001-isisd-fix-typo-in-topology-generator-BZ-731.patch quagga/trunk/0002-CVE-2012-1820.patch
--------------------------------------------------------+
0001-isisd-fix-typo-in-topology-generator-BZ-731.patch | 30 ------
0002-CVE-2012-1820.patch | 74 ---------------
PKGBUILD | 14 +-
3 files changed, 5 insertions(+), 113 deletions(-)
Deleted: 0001-isisd-fix-typo-in-topology-generator-BZ-731.patch
===================================================================
--- 0001-isisd-fix-typo-in-topology-generator-BZ-731.patch 2013-02-23 20:47:41 UTC (rev 84730)
+++ 0001-isisd-fix-typo-in-topology-generator-BZ-731.patch 2013-02-23 20:56:19 UTC (rev 84731)
@@ -1,30 +0,0 @@
-From a47c5838e9f445ab887ad927706b11ccbb181364 Mon Sep 17 00:00:00 2001
-From: David Lamparter <[email protected]>
-Date: Thu, 21 Jun 2012 09:55:38 +0200
-Subject: [PATCH] isisd: fix typo in topology generator (BZ#731)
-
-There was a "lsp->" missing before "level" in line 2416.
-(introduced by git commit e38e0df)
-
-Reported-by: Seblu <[email protected]>
-Signed-off-by: David Lamparter <[email protected]>
----
- isisd/isis_lsp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/isisd/isis_lsp.c b/isisd/isis_lsp.c
-index 5c1e993..082e9dc 100644
---- a/isisd/isis_lsp.c
-+++ b/isisd/isis_lsp.c
-@@ -2413,7 +2413,7 @@ top_lsp_refresh (struct thread *thread)
- isis_dynhn_insert (lsp->lsp_header->lsp_id, lsp->tlv_data.hostname,
- IS_LEVEL_1);
-
-- lsp->lsp_header->lsp_bits = lsp_bits_generate (level,
-+ lsp->lsp_header->lsp_bits = lsp_bits_generate (lsp->level,
- lsp->area->overload_bit);
- rem_lifetime = lsp_rem_lifetime (lsp->area, IS_LEVEL_1);
- lsp->lsp_header->rem_lifetime = htons (rem_lifetime);
---
-1.7.11
-
Deleted: 0002-CVE-2012-1820.patch
===================================================================
--- 0002-CVE-2012-1820.patch 2013-02-23 20:47:41 UTC (rev 84730)
+++ 0002-CVE-2012-1820.patch 2013-02-23 20:56:19 UTC (rev 84731)
@@ -1,74 +0,0 @@
-@@ -, +, @@
- bgpd: CVE-2012-1820, DoS in bgp_capability_orf()
-
- An ORF (code 3) capability TLV is defined to contain exactly one
- AFI/SAFI block. Function bgp_capability_orf(), which parses ORF
- capability TLV, uses do-while cycle to call its helper function
- bgp_capability_orf_entry(), which actually processes the AFI/SAFI data
- block. The call is made at least once and repeated as long as the input
- buffer has enough data for the next call.
-
- The helper function, bgp_capability_orf_entry(), uses "Number of ORFs"
- field of the provided AFI/SAFI block to verify, if it fits the input
- buffer. However, the check is made based on the total length of the ORF
- TLV regardless of the data already consumed by the previous helper
- function call(s). This way, the check condition is only valid for the
- first AFI/SAFI block inside an ORF capability TLV.
-
- For the subsequent calls of the helper function, if any are made, the
- check condition may erroneously tell, that the current "Number of ORFs"
- field fits the buffer boundary, where in fact it does not. This makes it
- possible to trigger an assertion by feeding an OPEN message with a
- specially-crafted malformed ORF capability TLV.
-
- This commit fixes the vulnerability by making the implementation follow
- the spec.
---- a/bgpd/bgp_open.c
-+++ a/bgpd/bgp_open.c
-@@ -231,7 +231,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
- }
-
- /* validate number field */
-- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
-+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
- {
- zlog_info ("%s ORF Capability entry length error,"
- " Cap length %u, num %u",
-@@ -335,28 +335,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
- }
-
- static int
--bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
--{
-- struct stream *s = BGP_INPUT (peer);
-- size_t end = stream_get_getp (s) + hdr->length;
--
-- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
--
-- /* We must have at least one ORF entry, as the caller has already done
-- * minimum length validation for the capability code - for ORF there must
-- * at least one ORF entry (header and unknown number of pairs of bytes).
-- */
-- do
-- {
-- if (bgp_capability_orf_entry (peer, hdr) == -1)
-- return -1;
-- }
-- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
--
-- return 0;
--}
--
--static int
- bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
- {
- struct stream *s = BGP_INPUT (peer);
-@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability,
- break;
- case CAPABILITY_CODE_ORF:
- case CAPABILITY_CODE_ORF_OLD:
-- if (bgp_capability_orf (peer, &caphdr))
-+ if (bgp_capability_orf_entry (peer, &caphdr))
- return -1;
- break;
- case CAPABILITY_CODE_RESTART:
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2013-02-23 20:47:41 UTC (rev 84730)
+++ PKGBUILD 2013-02-23 20:56:19 UTC (rev 84731)
@@ -2,8 +2,8 @@
# Maintainer: Sébastien Luttringer
pkgname=quagga
-pkgver=0.99.21
-pkgrel=3
+pkgver=0.99.22
+pkgrel=1
pkgdesc='BGP/OSPF/ISIS/RIP/RIPNG routing daemon suite'
arch=('i686' 'x86_64')
url='http://www.quagga.net'
@@ -19,10 +19,8 @@
'ospfd.service'
'ripd.service'
'ripngd.service'
- 'zebra.service'
- '0001-isisd-fix-typo-in-topology-generator-BZ-731.patch'
- '0002-CVE-2012-1820.patch')
-md5sums=('99840adbe57047c90dfba6b6ed9aec7f'
+ 'zebra.service')
+md5sums=('3057bf3a91116a1017dd0df7e5e8ef93'
'45d8bf56a426b0e7ebe429547be8a27a'
'ab31ed8dafd7a92137f4f00ad0937b4f'
'4c05d0105cd0db23a2583bd75a1bde4d'
@@ -30,9 +28,7 @@
'c5f8a729685cebf8fc5b1a1552d37b6d'
'e721b334bb0b31983642b307033c63d0'
'effeb26ff78ffcafe7808596ddc5d3fc'
- 'f0c0b99346b2c373a74158e45f04cf91'
- 'c80174f7bdd32cd84550d52451e8f495'
- '44f39016d81f3b13b2744f7dcd93289d')
+ 'f0c0b99346b2c373a74158e45f04cf91')
build() {
cd $pkgname-$pkgver
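Review bot: Nothing in this change records that 0.99.22 already contains the CVE-2012-1820 fix, yet the hunk at `@@ -19,10 +19,8 @@` removes `'0002-CVE-2012-1820.patch'` from `source`; presumably the fix is upstream in this release, but that should be confirmed against the upstream changelog and stated in the commit message, because losing it would bring back an assertion in bgpd that a peer's OPEN message can trigger. The same hunk regenerates the tarball checksum as `md5sums=(...)`, and MD5 is not collision-resistant, so I would move the array to `sha256sums=(...)` while the first entry is being replaced anyway. The `source` array and `build()` both begin or end outside the visible hunks, so how the tarball is fetched cannot be checked from here.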
