Details: https://nvd.nist.gov/vuln/detail/CVE-2017-3224
Quagga is an abandoned project, but it is not without a successor. Frr (or Frrouting) is a fork of Quagga, and they have fixed this vulnerability. That patch from Frr was ported to Quagga. The Frr patch mentions this CVE ID explicitly, and also Debian has identified it as the correct patch[1]. [1]: https://security-tracker.debian.org/tracker/CVE-2017-3224 Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../quagga/files/CVE-2017-3224.patch | 90 +++++++++++++++++++ .../recipes-protocols/quagga/quagga.inc | 3 +- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch new file mode 100644 index 0000000000..025f0b3e4f --- /dev/null +++ b/meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch 
@@ -0,0 +1,90 @@ +From 5e54975af4c6429f5e7bf9a29ff8425e131e92ca Mon Sep 17 00:00:00 2001 +From: Chirag Shah <[email protected]> +Date: Fri, 25 Jan 2019 17:21:24 -0800 +Subject: [PATCH] ospfd: address CVE-2017-3224 + +Based on the vulnerability mentioned in 793496 an attacker can craft an +LSA with MaxSequence number wtih invalid links and not set age to MAX_AGE +so the lsa would not be flush from the database. + +To address the issue, check incoming LSA is MaxSeq but Age is not set +to MAX_AGE 3600, discard the LSA from processing it. +Based on RFC-2328 , When a LSA update sequence reaches MaxSequence +number, it should be prematurely aged out from the database with age set +to MAX_AGE (3600). + +Ticket:CM-18989 +Reviewed By: +Testing Done: + +Signed-off-by: Chirag Shah <[email protected]> + +CVE: CVE-2017-3224 +Upstream-Status: Inactive-Upstream [ported from frr, a fork: https://github.com/FRRouting/frr/commit/7791d3deab8f4bbee2ccdd98ea596617536bc681] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + ospfd/ospf_packet.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c +index facba89..504df02 100644 +--- a/ospfd/ospf_packet.c ++++ b/ospfd/ospf_packet.c +@@ -1936,9 +1936,20 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh, + if (current == NULL || + (ret = ospf_lsa_more_recent (current, lsa)) < 0) + { ++ /* CVE-2017-3224 */ ++ if (current && (lsa->data->ls_seqnum == ++ htonl(OSPF_MAX_SEQUENCE_NUMBER) ++ && !IS_LSA_MAXAGE(lsa))) { ++ zlog_debug( ++ "Link State Update[%s]: has Max Seq but not MaxAge. Dropping it", ++ dump_lsa_key(lsa)); ++ ++ DISCARD_LSA(lsa, 4); ++ continue; ++ } + /* Actual flooding procedure. */ + if (ospf_flood (oi->ospf, nbr, current, lsa) < 0) /* Trap NSSA later. 
*/ +- DISCARD_LSA (lsa, 4); ++ DISCARD_LSA (lsa, 5); + continue; + } + +@@ -1987,7 +1998,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh, + if (NBR_IS_DR (nbr)) + listnode_add (oi->ls_ack, ospf_lsa_lock (lsa)); + +- DISCARD_LSA (lsa, 5); ++ DISCARD_LSA (lsa, 6); + } + else + /* Acknowledge the receipt of the LSA by sending a +@@ -1995,7 +2006,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh, + interface. */ + { + ospf_ls_ack_send (nbr, lsa); +- DISCARD_LSA (lsa, 6); ++ DISCARD_LSA (lsa, 7); + } + } + +@@ -2011,7 +2022,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh, + if (IS_LSA_MAXAGE (current) && + current->data->ls_seqnum == htonl (OSPF_MAX_SEQUENCE_NUMBER)) + { +- DISCARD_LSA (lsa, 7); ++ DISCARD_LSA (lsa, 8); + } + /* Otherwise, as long as the database copy has not been sent in a + Link State Update within the last MinLSArrival seconds, send the +@@ -2031,7 +2042,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh, + msec2tv (ospf->min_ls_arrival)) >= 0) + /* Trap NSSA type later.*/ + ospf_ls_upd_send_lsa (nbr, current, OSPF_SEND_PACKET_DIRECT); +- DISCARD_LSA (lsa, 8); ++ DISCARD_LSA (lsa, 9); + } + } + } diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc index d368311d13..3534114a22 100644 --- a/meta-networking/recipes-protocols/quagga/quagga.inc +++ b/meta-networking/recipes-protocols/quagga/quagga.inc @@ -34,7 +34,8 @@ SRC_URI = "https://github.com/Quagga/quagga/releases/download/quagga-${PV}/quagg file://ripd.service \ file://ripngd.service \ file://zebra.service \ - " + file://CVE-2017-3224.patch \ + " PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap"
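Review bot: In the new CVE-2017-3224 block at @@ -1936, the discard is gated on `current &&`, so a MaxSequence LSA whose age is not MaxAge is dropped only when a database copy already exists; the same LSA arriving with no database copy (`current == NULL`) still falls through to `ospf_flood` and gets installed, which is narrower than the header text "check incoming LSA is MaxSeq but Age is not set to MAX_AGE 3600, discard the LSA". Since this is a straight port of the FRR commit it may be intentional, but the patch header should say so rather than describe an unconditional discard. Separately, the inserted block uses brace-on-the-same-line style (`&& !IS_LSA_MAXAGE(lsa))) {`) while the surrounding Quagga code in this hunk puts `{` on its own line; reindenting it to the file's existing style would keep ospf_packet.c consistent.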
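Review bot: The hunks at @@ -1987, @@ -1995, @@ -2011 and @@ -2031 only renumber the existing `DISCARD_LSA (lsa, N)` identifiers (5→6, 6→7, 7→8, 8→9) to make room for the new discard point at 4. The numeric argument just labels the discard point for debugging, so this is cosmetic, but it touches four otherwise unchanged regions and shifts the identifiers reported for existing discard paths. For a minimal backport, keeping the original numbers and giving the new case its own unused value (e.g. 9) would shrink the patch to the single functional hunk.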
