Hello community, here is the log from the commit of package quagga for openSUSE:11.3 checked in at Thu Oct 13 17:34:48 CEST 2011.
-------- --- old-versions/11.3/UPDATES/all/quagga/quagga.changes 2011-06-02 13:30:16.000000000 +0200 +++ 11.3/quagga/quagga.changes 2011-09-19 04:11:37.000000000 +0200 @@ -1,0 +2,28 @@ +Mon Sep 19 02:05:55 UTC 2011 - boy...@suse.com + +- DoS while decoding EXTENDED_COMMUNITIES in Quagga's BGP + [bnc#718062] + +------------------------------------------------------------------- +Mon Sep 19 02:05:25 UTC 2011 - boy...@suse.com + +- OSPFD DoS while decoding Link State Update [bnc#718061] + +------------------------------------------------------------------- +Mon Sep 19 02:04:52 UTC 2011 - boy...@suse.com + +- OSPFD DoS while decoding Hello packet [bnc#718059] + +------------------------------------------------------------------- +Mon Sep 19 02:04:08 UTC 2011 - boy...@suse.com + +- OSPF6D DoS while decoding Database Description packet + [bnc#718058] + +------------------------------------------------------------------- +Mon Sep 19 02:00:52 UTC 2011 - boy...@suse.com + +- OSPF6D buffer overflow while decoding Link State Update with + Inter Area Prefix Lsa [bnc#718056] + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- bug-718056_quagga-0.99.18-514840.patch bug-718058_quagga-master-514839.patch bug-718059_quagga-master-514838.1.patch bug-718059_quagga-master-514838.2.patch bug-718061_quagga-master-514837.patch bug-718062_quagga-master-513254.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ quagga.spec ++++++ --- /var/tmp/diff_new_pack.fWgqMz/_old 2011-10-13 17:34:17.000000000 +0200 +++ /var/tmp/diff_new_pack.fWgqMz/_new 2011-10-13 17:34:17.000000000 +0200 @@ -19,7 +19,7 @@ Name: quagga Version: 0.99.17 -Release: 1.<RELEASE7> +Release: 1.<RELEASE11> License: LGPLv2.1+ Summary: Free Routing Software (for BGP, OSPF and RIP, for example) Url: http://www.quagga.net 
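Review bot: the Release bump from `1.<RELEASE7>` to `1.<RELEASE11>` in the quagga.spec hunk leaves `Version: 0.99.17` unchanged while one of the new sources listed under "New:" is named `bug-718056_quagga-0.99.18-514840.patch`, i.e. it is taken from a later upstream release than the packaged one; the other five are named against master. The changes entry for bnc#718056 would benefit from a sentence saying the 0.99.18 patch was verified to apply to 0.99.17 without fuzz, since that is the one most likely to need rebasing.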
@@ -29,6 +29,12 @@ Source2: %{name}.pam Patch0: %{name}-0.99.17-CVE-2010-1674.patch Patch1: %{name}-0.99.17-CVE-2010-1675.patch +Patch2: bug-718056_quagga-0.99.18-514840.patch +Patch3: bug-718058_quagga-master-514839.patch +Patch4: bug-718059_quagga-master-514838.1.patch +Patch5: bug-718059_quagga-master-514838.2.patch +Patch6: bug-718061_quagga-master-514837.patch +Patch7: bug-718062_quagga-master-513254.patch BuildRequires: net-snmp-devel BuildRequires: pam-devel BuildRequires: readline-devel @@ -68,6 +74,12 @@ %setup -q -a 1 %patch0 -p 1 %patch1 -p 1 +%patch2 -p 1 +%patch3 -p 1 +%patch4 -p 1 +%patch5 -p 1 +%patch6 -p 1 +%patch7 -p 1 %build if ! ls /proc/net/{dev,route,snmp} >/dev/null; then ++++++ bug-718056_quagga-0.99.18-514840.patch ++++++ ++++ 793 lines (skipped) ++++++ bug-718058_quagga-master-514839.patch ++++++ commit 814a21b1a5af7b942e67ddf49e4b3eb3fd9353a6 Author: Denis Ovsienko <infrastat...@yandex.ru> Date: Thu Sep 1 18:48:42 2011 +0400 ospf6d: CERT-FI #514839 (DD LSA assertion) This vulnerability was reported by CROSS project. When Database Description LSA header list contains trailing zero octets, ospf6d tries to process this data as an LSA header. This triggers an assertion in the code and ospf6d shuts down. * ospf6_lsa.c * ospf6_lsa_is_changed(): handle header-only argument(s) appropriately, do not treat LSA length underrun as a fatal error. diff --git a/ospf6d/ospf6_lsa.c b/ospf6d/ospf6_lsa.c index c1db374..a9545c3 100644 --- a/ospf6d/ospf6_lsa.c +++ b/ospf6d/ospf6_lsa.c 
@@ -163,9 +163,19 @@ ospf6_lsa_is_changed (struct ospf6_lsa *lsa1, return 1; if (ntohs (lsa1->header->length) != ntohs (lsa2->header->length)) return 1; + /* Going beyond LSA headers to compare the payload only makes sense, when both LSAs aren't header-only. */ + if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY) != CHECK_FLAG (lsa2->flag, OSPF6_LSA_HEADERONLY)) + { + zlog_warn ("%s: only one of two (%s, %s) LSAs compared is header-only", __func__, lsa1->name, lsa2->name); + return 1; + } + if (CHECK_FLAG (lsa1->flag, OSPF6_LSA_HEADERONLY)) + return 0; length = OSPF6_LSA_SIZE (lsa1->header) - sizeof (struct ospf6_lsa_header); - assert (length > 0); + /* Once upper layer verifies LSAs received, length underrun should become a warning. */ + if (length <= 0) + return 0; return memcmp (OSPF6_LSA_HEADER_END (lsa1->header), OSPF6_LSA_HEADER_END (lsa2->header), length); ++++++ bug-718059_quagga-master-514838.1.patch ++++++ commit 6952d9a10f29b29ae79a7329a882da5938dda553 Author: Denis Ovsienko <infrastat...@yandex.ru> Date: Thu Sep 1 18:46:51 2011 +0400 ospfd: CERT-FI #514838.1 (OSPF header underrun) This vulnerability was reported by CROSS project. When only 14 first bytes of a Hello packet is delivered, ospfd crashes. * ospf_packet.c * ospf_read(): add size check diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c index 1066e64..7227452 100644 --- a/ospfd/ospf_packet.c +++ b/ospfd/ospf_packet.c 
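Review bot: in the `length <= 0` branch of the ospf6_lsa_is_changed() hunk the new comment says the underrun "should become a warning", but the code returns 0 silently; unlike the header-only mismatch just above it, which calls zlog_warn() with both LSA names, nothing is logged here, so a truncated LSA body that reaches this point is reported as "unchanged" with no trace in the log. Suggest adding a matching `zlog_warn ("%s: LSA %s length underrun", __func__, lsa1->name);` before the `return 0;`, or rewording the comment to say that the upper-layer check is what makes the silent return acceptable.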
@@ -2367,10 +2367,19 @@ ospf_read (struct thread *thread) return 0; } - /* Adjust size to message length. */ + /* Advance from IP header to OSPF header (iph->ip_hl has been verified + by ospf_recv_packet() to be correct). */ stream_forward_getp (ibuf, iph->ip_hl * 4); - - /* Get ospf packet header. */ + + /* Make sure the OSPF header is really there. */ + if (stream_get_endp (ibuf) - stream_get_getp (ibuf) < OSPF_HEADER_SIZE) + { + zlog_debug ("ospf_read: ignored OSPF packet with undersized (%u bytes) header", + stream_get_endp (ibuf) - stream_get_getp (ibuf)); + return -1; + } + + /* Now it is safe to access all fields of OSPF packet header. */ ospfh = (struct ospf_header *) STREAM_PNT (ibuf); /* associate packet with ospf interface */ ++++++ bug-718059_quagga-master-514838.2.patch ++++++ commit 399339cc74071a056e28f7233e3d31b48704139e Author: Denis Ovsienko <infrastat...@yandex.ru> Date: Thu Sep 1 18:47:35 2011 +0400 ospfd: CERT-FI #514838.2 (OSPF pkt type segfault) This vulnerability was reported by CROSS project. The error is reproducible only when ospfd debugging is enabled: * debug ospf packet all * debug ospf zebra When incoming packet header type field is set to 0x0a, ospfd will crash. * ospf_packet.c * ospf_verify_header(): add type field check * ospf_read(): perform input checks early diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c index 7227452..489b928 100644 --- a/ospfd/ospf_packet.c +++ b/ospfd/ospf_packet.c @@ -2258,6 +2258,13 @@ ospf_verify_header (struct stream *ibuf, struct ospf_interface *oi, return -1; } + /* Valid OSPFv2 packet types are 1 through 5 inclusive. */ + if (ospfh->type < 1 || ospfh->type > 5) + { + zlog_warn ("interface %s: invalid packet type %u", IF_NAME (oi), ospfh->type); + return -1; + } + /* Check Area ID. */ if (!ospf_check_area_id (oi, ospfh)) { 
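Review bot: the zlog_debug() in the new OSPF_HEADER_SIZE check of the ospf_read() hunk prints `stream_get_endp (ibuf) - stream_get_getp (ibuf)` with `%u`; if those accessors return size_t (as they do in lib/stream.h as far as I recall), that is a format/argument mismatch on 64-bit builds and the value should be cast to unsigned or printed with `%zu`. Separately, the drop is reported only at debug level, so a stream of undersized packets is invisible unless `debug ospf packet` is enabled; the zlog_warn() level used by the type check in ospf_verify_header() would make the condition visible in normal logs.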
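Review bot: the new type check in the ospf_verify_header() hunk compares `ospfh->type` against the literals 1 and 5; ospfd already has names for these message types (OSPF_MSG_HELLO through OSPF_MSG_LS_ACK in ospf_packet.h, if I remember the header correctly), and using them would tie the bound to the definitions rather than to a magic number. The check also only protects code that runs after ospf_verify_header(), which is why the remaining hunks of this patch move the call earlier; the two parts should land together.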
@@ -2385,6 +2392,17 @@ ospf_read (struct thread *thread) /* associate packet with ospf interface */ oi = ospf_if_lookup_recv_if (ospf, iph->ip_src, ifp); + /* Verify header fields before any further processing. */ + ret = ospf_verify_header (ibuf, oi, iph, ospfh); + if (ret < 0) + { + if (IS_DEBUG_OSPF_PACKET (0, RECV)) + zlog_debug ("ospf_read[%s]: Header check failed, " + "dropping.", + inet_ntoa (iph->ip_src)); + return ret; + } + /* If incoming interface is passive one, ignore it. */ if (oi && OSPF_IF_PASSIVE_STATUS (oi) == OSPF_IF_PASSIVE) { @@ -2494,20 +2512,6 @@ ospf_read (struct thread *thread) zlog_debug ("-----------------------------------------------------"); } - /* Some header verification. */ - ret = ospf_verify_header (ibuf, oi, iph, ospfh); - if (ret < 0) - { - if (IS_DEBUG_OSPF_PACKET (ospfh->type - 1, RECV)) - { - zlog_debug ("ospf_read[%s/%s]: Header check failed, " - "dropping.", - ospf_packet_type_str[ospfh->type], - inet_ntoa (iph->ip_src)); - } - return ret; - } - stream_forward_getp (ibuf, OSPF_HEADER_SIZE); /* Adjust size to message length. */ ++++++ bug-718061_quagga-master-514837.patch ++++++ commit ef53ed9691c435a50b3addf44b733a60ad022597 Author: Denis Ovsienko <infrastat...@yandex.ru> Date: Thu Sep 1 18:45:55 2011 +0400 ospfd: CERT-FI #514837 (uknown LSA type segfault) This vulnerability was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. Quagga ospfd does not seem to handle unknown LSA types in a Link State Update message correctly. If LSA type is something else than one supported by Quagga, the default handling of unknown types leads to an error. * ospf_flood.c * ospf_flood(): check return value of ospf_lsa_install() diff --git a/ospfd/ospf_flood.c b/ospfd/ospf_flood.c index 41661da..fc0bbf1 100644 --- a/ospfd/ospf_flood.c +++ b/ospfd/ospf_flood.c 
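Review bot: the relocated ospf_verify_header() call in the ospf_read() hunk now runs with `oi` taken straight from ospf_if_lookup_recv_if(), ahead of the `oi && OSPF_IF_PASSIVE_STATUS (oi)` guard that shows `oi` can be NULL here, and the new type check in ospf_verify_header() evaluates `IF_NAME (oi)` in its warning. Please confirm ospf_verify_header() tolerates a NULL oi on every path that can warn, or defer the call until the interface has been resolved; otherwise a packet arriving on an interface with no ospf_interface could dereference NULL in the warning path. The rewritten log message drops `ospf_packet_type_str[ospfh->type]` and passes `0` rather than `ospfh->type - 1` to IS_DEBUG_OSPF_PACKET, which is correct because the type has not been validated yet; a short comment saying so would save the next reader a question.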
@@ -319,7 +319,8 @@ ospf_flood (struct ospf *ospf, struct ospf_neighbor *nbr, procedure cannot overwrite the newly installed LSA until MinLSArrival seconds have elapsed. */ - new = ospf_lsa_install (ospf, nbr->oi, new); + if (! (new = ospf_lsa_install (ospf, nbr->oi, new))) + return 0; /* unknown LSA type */ /* Acknowledge the receipt of the LSA by sending a Link State Acknowledgment packet back out the receiving interface. */ ++++++ bug-718062_quagga-master-513254.patch ++++++ commit d850aabc9bca322dd366d4d3ee2d82b4dddc96d6 Author: Denis Ovsienko <infrastat...@yandex.ru> Date: Thu Sep 1 18:31:57 2011 +0400 bgpd: CERT-FI #513254 (ext. comm. buffer overflow) This vulnerability was reported by CROSS project. They have also suggested a fix to the problem, which was found acceptable. The problem occurs when bgpd receives an UPDATE message containing 255 unknown AS_PATH attributes in Path Attribute Extended Communities. This causes a buffer overlow in bgpd. * bgp_ecommunity.c * ecommunity_ecom2str(): perform size check earlier diff --git a/bgpd/bgp_ecommunity.c b/bgpd/bgp_ecommunity.c index 8d5fa74..e7eb0a0 100644 --- a/bgpd/bgp_ecommunity.c +++ b/bgpd/bgp_ecommunity.c @@ -619,6 +619,13 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format) for (i = 0; i < ecom->size; i++) { + /* Make it sure size is enough. */ + while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size) + { + str_size *= 2; + str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size); + } + /* Space between each value. */ if (! first) str_buf[str_pnt++] = ' '; 
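Review bot: the `return 0; /* unknown LSA type */` in the ospf_flood() hunk drops the LSA without any log line, so a peer sending unsupported LSA types leaves no evidence; consider a zlog_debug() (or zlog_warn() under a rate limit) naming the neighbour and the LSA type before returning. The comment should also state what ospf_lsa_install() does with the original `new` when it returns NULL (freed or not), since the assignment overwrites the only reference to it and a later caller might otherwise assume it is still valid.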
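Review bot: moving the `while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size)` growth loop to the top of the iteration in the ecommunity_ecom2str() hunk is the right fix, since the separator write `str_buf[str_pnt++] = ' '` previously happened before any size check. After the loop strictly more than ECOMMUNITY_STR_DEFAULT_LEN bytes remain free, so the invariant worth documenting next to it is that one separator plus the longest encoded value plus the trailing NUL never exceed ECOMMUNITY_STR_DEFAULT_LEN + 1; a one-line comment stating that bound, or an assert on it, would keep the next format addition safe.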
@@ -662,13 +669,6 @@ ecommunity_ecom2str (struct ecommunity *ecom, int format) break; } - /* Make it sure size is enough. */ - while (str_pnt + ECOMMUNITY_STR_DEFAULT_LEN >= str_size) - { - str_size *= 2; - str_buf = XREALLOC (MTYPE_ECOMMUNITY_STR, str_buf, str_size); - } - /* Put string into buffer. */ if (encode == ECOMMUNITY_ENCODE_AS4) { continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org