Hello community,

here is the log from the commit of package quagga for openSUSE:Factory checked in at 2016-10-20 23:09:23

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/quagga (Old)
 and      /work/SRC/openSUSE:Factory/.quagga.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "quagga" Changes: -------- --- /work/SRC/openSUSE:Factory/quagga/quagga.changes 2016-07-12 23:51:56.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.quagga.new/quagga.changes 2016-10-20 23:09:55.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Oct 18 10:27:03 UTC 2016 - [email protected] + +- Add quagga-CVE-2016-1245-stack-overrun-in-IPv6-RA-receive.patch: + Fix for a zebra stack overrun in IPv6 RA receive code. + (CVE-2016-1245, bsc#1005258) + +------------------------------------------------------------------- New: ---- quagga-CVE-2016-1245-stack-overrun-in-IPv6-RA-receive.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ quagga.spec ++++++ --- /var/tmp/diff_new_pack.JrqXUd/_old 2016-10-20 23:09:56.000000000 +0200 +++ /var/tmp/diff_new_pack.JrqXUd/_new 2016-10-20 23:09:56.000000000 +0200 @@ -50,6 +50,7 @@ Patch3: 0001-systemd-change-the-WantedBy-target.patch Patch4: %{name}-autoconf-detect-AM_SILENT_RULES.patch Patch5: %{name}-CVE-2016-4049-fix-buf-ovflow-bgp-dump-routes.patch +Patch6: %{name}-CVE-2016-1245-stack-overrun-in-IPv6-RA-receive.patch BuildRequires: autoconf >= 2.6 BuildRequires: automake >= 1.6 BuildRequires: libtool @@ -112,6 +113,7 @@ %patch3 -p 1 %patch4 -p 1 %patch5 -p 1 +%patch6 -p 1 %build if ! ls /proc/net/{dev,route,snmp} >/dev/null; then ++++++ quagga-CVE-2016-1245-stack-overrun-in-IPv6-RA-receive.patch ++++++ >From cfb1fae25f8c092e0d17073eaf7bd428ce1cd546 Mon Sep 17 00:00:00 2001 References: CVE-2016-1245,bsc#1005258 Upstream: yes 
From: David Lamparter <[email protected]> Date: Wed, 31 Aug 2016 13:31:16 +0200 Subject: [PATCH] zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245) The IPv6 RA code also receives ICMPv6 RS and RA messages. Unfortunately, by bad coding practice, the buffer size specified on receiving such messages mixed up 2 constants that in fact have different values. The code itself has: #define RTADV_MSG_SIZE 4096 While BUFSIZ is system-dependent, in my case (x86_64 glibc): /usr/include/_G_config.h:#define _G_BUFSIZ 8192 /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them have BUFSIZ == 1024. As the latter is passed to the kernel on recvmsg(), it's possible to overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent to any of the system's addresses (using fragmentation to get to 8k). (The socket has filters installed limiting this to RS and RA packets, but does not have a filter for source address or TTL.) Issue discovered by trying to test other stuff, which randomly caused the stack to be smaller than 8kB in that code location, which then causes the kernel to report EFAULT (Bad address). Signed-off-by: David Lamparter <[email protected]> Reviewed-by: Donald Sharp <[email protected]> diff --git a/zebra/rtadv.c b/zebra/rtadv.c index d4ef1b8..2f62714 100644 --- a/zebra/rtadv.c +++ b/zebra/rtadv.c @@ -482,7 +482,7 @@ rtadv_read (struct thread *thread) /* Register myself. */ rtadv_event (zvrf, RTADV_READ, sock); - len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit); + len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit); if (len < 0) { -- 2.6.6
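Review bot: the one-line change in rtadv_read is only a complete fix if `buf` is a local array in that function (the commit message quotes `#define RTADV_MSG_SIZE 4096`, so presumably `buf[RTADV_MSG_SIZE]`), and the hunk does not show the declaration; confirm it is not a pointer parameter, since `sizeof (buf)` on a pointer would silently shrink every receive to pointer size and break RA processing without any error. Consider adding a comment or `_Static_assert` at the declaration tying the buffer to RTADV_MSG_SIZE so the `BUFSIZ` mix-up cannot be reintroduced by a later caller. With the corrected length the kernel now truncates any datagram above 4096 bytes instead of overrunning the stack; check that the parsing after `if (len < 0)` treats a truncated message (MSG_TRUNC) as invalid rather than interpreting the partial RA.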
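The commit message describes the defect as a receive length (BUFSIZ, 8192 here) that disagrees with the real buffer size (RTADV_MSG_SIZE, 4096), and the hunk fixes it by deriving the length from the buffer itself. The following harness is an added example, not code from this commit or from Quagga: it stands in a local AF_UNIX datagram socketpair for zebra's ICMPv6 socket (an assumption), sends a datagram twice the buffer size, and shows that when recvmsg is given `sizeof buf` the kernel stops at the buffer's end and reports MSG_TRUNC rather than writing past it. The helper names `recv_bounded` and `demo_oversized_datagram` are mine.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Same value the commit message quotes from zebra/rtadv.c. */
#define RTADV_MSG_SIZE 4096

/*
 * Receive one datagram into a caller-owned buffer of capacity buflen.
 * The length handed to the kernel is the buffer's real capacity, so a
 * datagram larger than the buffer is cut off by the kernel (MSG_TRUNC)
 * instead of spilling onto the stack. Returns bytes stored or -1 on
 * error; *truncated is set to 1 when the kernel reports the datagram
 * did not fit.
 */
ssize_t recv_bounded(int sock, void *buf, size_t buflen, int *truncated)
{
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    ssize_t len = recvmsg(sock, &msg, 0);
    if (truncated != NULL)
        *truncated = (len >= 0 && (msg.msg_flags & MSG_TRUNC)) ? 1 : 0;
    return len;
}

/*
 * Constructed demonstration (assumption: an AF_UNIX datagram socketpair
 * behaves like the ICMPv6 socket for the purpose of length handling).
 * The sender pushes an 8192-byte datagram, the BUFSIZ value quoted in
 * the commit message; the receiver has a 4096-byte stack buffer.
 * Returns the byte count stored; *truncated reports the MSG_TRUNC flag.
 */
ssize_t demo_oversized_datagram(int *truncated)
{
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds) < 0)
        return -1;

    static unsigned char payload[2 * RTADV_MSG_SIZE];
    memset(payload, 0xAB, sizeof payload);

    ssize_t rc = -1;
    if (send(fds[0], payload, sizeof payload, 0) == (ssize_t)sizeof payload) {
        unsigned char buf[RTADV_MSG_SIZE];
        /* The vulnerable shape was recv(..., buf, BUFSIZ, ...) with
         * BUFSIZ (8192) > sizeof buf (4096). sizeof buf cannot disagree
         * with the declaration one line above, which is the point of
         * the upstream fix. */
        rc = recv_bounded(fds[1], buf, sizeof buf, truncated);
    }
    close(fds[0]);
    close(fds[1]);
    return rc;
}

/* 1 when the kernel stored exactly the buffer size and flagged truncation. */
int demo_ok(void)
{
    int truncated = 0;
    ssize_t n = demo_oversized_datagram(&truncated);
    return n == RTADV_MSG_SIZE && truncated == 1;
}

int main(void)
{
    int truncated = 0;
    ssize_t n = demo_oversized_datagram(&truncated);
    printf("stored %zd bytes, truncated=%d\n", n, truncated);
    return demo_ok() ? 0 : 1;
}
```

The receiver checks `msg_flags` for MSG_TRUNC after the call; a router-advertisement parser should reject such a datagram rather than interpret the first 4096 bytes, since a truncated message is by definition not the one the sender transmitted.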
