On Thu, Jun 07, 2018 at 01:37:04PM +0200, Jonas Meurer wrote:
> Source: bird
> Version: 1.6.3-2
> Severity: critical
> Tags: security
> 
> According to the upstream website[1] and changelog[2], bird release 1.6.4
> includes an "important security bugfix".

Hi

It is a security bugfix, but perhaps not so critical; it can be
exploited in very specific circumstances and probably only as a DoS,
not as a privilege escalation.


> The changelog mentions "Filter: Fixed stack overflow in BGP mask
> expressions". A quick scan through the git history revealed a few
> commits that mention overflow and use after free fixes:
> 
> e8bc64e308586b6502090da2775af84cd760ed0d
>       Filter: make bgpmask literals real constructors

This is the relevant commit. It would not cleanly apply to 1.6.3, but I
can prepare a patch for 1.6.3. But I don't know Debian processes, i.e.
what should be done to make a security release.

> 30c734fc73648e4c43af4f45e68ac2de3d7ddea1
>       Static: Fix bug in static route filter expressions

This is not security related, but it is an important bugfix and trivial
enough to be sure it does not cause further problems, so it could probably
be added too. I could probably find some more similar bugfixes.

> Probably the best is to ask upstream about security relevant commits and
> consider to either backport them to stretch-backports. Another option
> would be to upload 1.6.4 to stretch-security as 1.6.4-0+deb9u1.

Packing 1.6.4 to stretch-security is probably not a good idea; there are
too many changes and new features.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
