Hello community,
here is the log from the commit of package quagga for openSUSE:Factory checked
in at 2018-02-16 21:45:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/quagga (Old)
and /work/SRC/openSUSE:Factory/.quagga.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "quagga"
Fri Feb 16 21:45:15 2018 rev:53 rq:577176 version:1.1.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/quagga/quagga.changes 2017-11-25
08:43:34.356260511 +0100
+++ /work/SRC/openSUSE:Factory/.quagga.new/quagga.changes 2018-02-16
21:45:16.633778681 +0100
@@ -1,0 +2,19 @@
+Fri Feb 9 14:05:21 UTC 2018 - m...@suse.de
+
+- Applied security fix for bgpd DoS via specially crafted BGP
+ UPDATE messages (CVE-2017-16227,bsc#1065641)
+ [+ quagga-CVE-2017-16227-bgpd-Fix-AS_PATH-size-calculation.patch]
+- Applied security fix for bgpd bounds check issue via attribute
+ length (CVE-2018-5378,Quagga-2018-0543,bsc#1079798)
+ [+ Quagga-2018-0543-bgpd.bsc1079798.patch]
+- Applied security fix for bgpd double free when processing UPDATE
+ message (CVE-2018-5379,Quagga-2018-1114,bsc#1079799)
+ [+ Quagga-2018-1114-bgpd.bsc1079799.patch]
+- Applied security fix for bgpd code-to-string conversion tables
+ overrun (CVE-2018-5380,Quagga-2018-1550,bsc#1079800)
+ [+ Quagga-2018-1550-bgpd-bsc1079800.patch]
+- Applied security fix for bgpd infinite loop on certain invalid
+ OPEN messages (CVE-2018-5381,Quagga-2018-1975,bsc#1079801)
+ [+ Quagga-2018-1975-bdpd.bsc1079801.patch]
+
+-------------------------------------------------------------------
New:
----
Quagga-2018-0543-bgpd.bsc1079798.patch
Quagga-2018-1114-bgpd.bsc1079799.patch
Quagga-2018-1550-bgpd-bsc1079800.patch
Quagga-2018-1975-bdpd.bsc1079801.patch
quagga-CVE-2017-16227-bgpd-Fix-AS_PATH-size-calculation.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ quagga.spec ++++++
--- /var/tmp/diff_new_pack.KRvhcY/_old 2018-02-16 21:45:17.701740164 +0100
+++ /var/tmp/diff_new_pack.KRvhcY/_new 2018-02-16 21:45:17.705740020 +0100
@@ -1,7 +1,7 @@
#
# spec file for package quagga
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -57,6 +57,11 @@
Patch1: %{name}-add-ospf6_main-return-value.patch
Patch2: %{name}-add-table_test-return-value.patch
Patch3: 0001-systemd-change-the-WantedBy-target.patch
+Patch4: quagga-CVE-2017-16227-bgpd-Fix-AS_PATH-size-calculation.patch
+Patch5: Quagga-2018-0543-bgpd.bsc1079798.patch
+Patch6: Quagga-2018-1114-bgpd.bsc1079799.patch
+Patch7: Quagga-2018-1550-bgpd-bsc1079800.patch
+Patch8: Quagga-2018-1975-bdpd.bsc1079801.patch
BuildRequires: autoconf >= 2.6
BuildRequires: automake >= 1.6
BuildRequires: libtool
@@ -148,6 +153,11 @@
%patch1 -p 1
%patch2 -p 1
%patch3 -p 1
+%patch4 -p 1
+%patch5 -p 1
+%patch6 -p 1
+%patch7 -p 1
+%patch8 -p 1
%build
export CFLAGS="%{optflags} -fno-strict-aliasing"
++++++ Quagga-2018-0543-bgpd.bsc1079798.patch ++++++
>From 6dde85082ca004d590030b2762bd59b0fbd74c93 Mon Sep 17 00:00:00 2001
From: Paul Jakma <p...@jakma.org>
Date: Wed, 3 Jan 2018 23:57:33 +0000
Upstream: yes
References: CVE-2018-5378,Quagga-2018-0543,bsc#1079798
Subject: bgpd/security: invalid attr length sends NOTIFY with data overrun
Security issue: Quagga-2018-0543
See: https://www.quagga.net/security/Quagga-2018-0543.txt
* bgpd/bgp_attr.c: (bgp_attr_parse) An invalid attribute length is correctly
checked, and a NOTIFY prepared. The NOTIFY can include the incorrect
received data with the NOTIFY, for debug purposes. Commit
c69698704806a9ac5 modified the code to do that just, and also send the
malformed attr with the NOTIFY. However, the invalid attribute length was
used as the length of the data to send back.
The result is a read past the end of data, which is then written to the
NOTIFY message and sent to the peer.
A configured BGP peer can use this bug to read up to 64 KiB of memory from
the bgpd process, or crash the process if the invalid read is caught by
some means (unmapped page and SEGV, or other mechanism) resulting in a DoS.
This bug _ought_ /not/ be exploitable by anything other than the connected
BGP peer, assuming the underlying TCP transport is secure. For no BGP
peer should send on an UPDATE with this attribute. Quagga will not, as
Quagga always validates the attr header length, regardless of type.
However, it is possible that there are BGP implementations that do not
check lengths on some attributes (e.g. optional/transitive ones of a type
they do not recognise), and might pass such malformed attrs on. If such
implementations exists and are common, then this bug might be triggerable
by BGP speakers further hops away. Those peers will not receive the
NOTIFY (unless they sit on a shared medium), however they might then be
able to trigger a DoS.
Fix: use the valid bound to calculate the length.
---
bgpd/bgp_attr.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 6aab50af..44906922 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -2079,6 +2079,8 @@ bgp_attr_parse (struct peer *peer, struct attr *attr,
bgp_size_t size,
memset (seen, 0, BGP_ATTR_BITMAP_SIZE);
/* End pointer of BGP attribute. */
+ assert (size <= stream_get_size (BGP_INPUT (peer)));
+ assert (size <= stream_get_endp (BGP_INPUT (peer)));
endp = BGP_INPUT_PNT (peer) + size;
/* Get attributes to the end of attribute length. */
@@ -2160,7 +2162,7 @@ bgp_attr_parse (struct peer *peer, struct attr *attr,
bgp_size_t size,
bgp_notify_send_with_data (peer,
BGP_NOTIFY_UPDATE_ERR,
BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
- startp, attr_endp - startp);
+ startp, endp - startp);
return BGP_ATTR_PARSE_ERROR;
}
--
2.13.6
++++++ Quagga-2018-1114-bgpd.bsc1079799.patch ++++++
>From acd5857d29e8d74249410569457beba829d7b5c3 Mon Sep 17 00:00:00 2001
From: Paul Jakma <p...@jakma.org>
Date: Sat, 6 Jan 2018 19:52:10 +0000
Upstream: yes
References: CVE-2018-5379,Quagga-2018-1114,bsc#1079799
Subject: bgpd/security: Fix double free of unknown attribute
Security issue: Quagga-2018-1114
See: https://www.quagga.net/security/Quagga-2018-1114.txt
It is possible for bgpd to double-free an unknown attribute. This can happen
via bgp_update_receive receiving an UPDATE with an invalid unknown attribute.
bgp_update_receive then will call bgp_attr_unintern_sub and bgp_attr_flush,
and the latter may try free an already freed unknown attr.
* bgpd/bgp_attr.c: (transit_unintern) Take a pointer to the caller's storage
for the (struct transit *), so that transit_unintern can NULL out the
caller's reference if the (struct transit) is freed.
(cluster_unintern) By inspection, appears to have a similar issue.
(bgp_attr_unintern_sub) adjust for above.
---
bgpd/bgp_attr.c | 33 +++++++++++++++++++--------------
bgpd/bgp_attr.h | 4 ++--
2 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
index 44906922..43955125 100644
--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
@@ -186,15 +186,17 @@ cluster_intern (struct cluster_list *cluster)
}
void
-cluster_unintern (struct cluster_list *cluster)
+cluster_unintern (struct cluster_list **cluster)
{
- if (cluster->refcnt)
- cluster->refcnt--;
+ struct cluster_list *c = *cluster;
+ if (c->refcnt)
+ c->refcnt--;
- if (cluster->refcnt == 0)
+ if (c->refcnt == 0)
{
- hash_release (cluster_hash, cluster);
- cluster_free (cluster);
+ hash_release (cluster_hash, c);
+ cluster_free (c);
+ *cluster = NULL;
}
}
@@ -344,15 +346,18 @@ transit_intern (struct transit *transit)
}
void
-transit_unintern (struct transit *transit)
+transit_unintern (struct transit **transit)
{
- if (transit->refcnt)
- transit->refcnt--;
+ struct transit *t = *transit;
+
+ if (t->refcnt)
+ t->refcnt--;
- if (transit->refcnt == 0)
+ if (t->refcnt == 0)
{
- hash_release (transit_hash, transit);
- transit_free (transit);
+ hash_release (transit_hash, t);
+ transit_free (t);
+ *transit = NULL;
}
}
@@ -793,11 +798,11 @@ bgp_attr_unintern_sub (struct attr *attr)
UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES));
if (attr->extra->cluster)
- cluster_unintern (attr->extra->cluster);
+ cluster_unintern (&attr->extra->cluster);
UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST));
if (attr->extra->transit)
- transit_unintern (attr->extra->transit);
+ transit_unintern (&attr->extra->transit);
}
}
diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
index 8457f402..d8b7f6a6 100644
--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
@@ -184,10 +184,10 @@ extern unsigned long int attr_unknown_count (void);
/* Cluster list prototypes. */
extern int cluster_loop_check (struct cluster_list *, struct in_addr);
-extern void cluster_unintern (struct cluster_list *);
+extern void cluster_unintern (struct cluster_list **);
/* Transit attribute prototypes. */
-void transit_unintern (struct transit *);
+void transit_unintern (struct transit **);
/* Below exported for unit-test purposes only */
struct bgp_attr_parser_args {
--
2.13.6
++++++ Quagga-2018-1550-bgpd-bsc1079800.patch ++++++
>From 195a767216240fe1cc773567d214f2da7ae8bbf7 Mon Sep 17 00:00:00 2001
From: Paul Jakma <p...@jakma.org>
Date: Sat, 6 Jan 2018 22:31:52 +0000
Upstream: yes
References: CVE-2018-5380,Quagga-2018-1550,bsc#1079800
Subject: bgpd/security: debug print of received NOTIFY data can over-read msg
array
Security issue: Quagga-2018-1550
See: https://www.quagga.net/security/Quagga-2018-1550.txt
* bgpd/bgp_debug.c: (struct message) Nearly every one of the NOTIFY
code/subcode message arrays has their corresponding size variables off
by one, as most have 1 as first index.
This means (bgp_notify_print) can cause mes_lookup to overread the (struct
message) by 1 pointer value if given an unknown index.
Fix the bgp_notify_..._msg_max variables to use the compiler to calculate
the correct sizes.
---
bgpd/bgp_debug.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/bgpd/bgp_debug.c b/bgpd/bgp_debug.c
index ba797228..43faee7c 100644
--- a/bgpd/bgp_debug.c
+++ b/bgpd/bgp_debug.c
@@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330,
Boston, MA
#include "log.h"
#include "sockunion.h"
#include "filter.h"
+#include "memory.h"
#include "bgpd/bgpd.h"
#include "bgpd/bgp_aspath.h"
@@ -73,7 +74,8 @@ const struct message bgp_status_msg[] =
{ Clearing, "Clearing" },
{ Deleted, "Deleted" },
};
-const int bgp_status_msg_max = BGP_STATUS_MAX;
+#define BGP_DEBUG_MSG_MAX(msg) const int msg ## _max = array_size (msg)
+BGP_DEBUG_MSG_MAX (bgp_status_msg);
/* BGP message type string. */
const char *bgp_type_str[] =
@@ -84,7 +86,8 @@ const char *bgp_type_str[] =
"NOTIFICATION",
"KEEPALIVE",
"ROUTE-REFRESH",
- "CAPABILITY"
+ "CAPABILITY",
+ NULL,
};
/* message for BGP-4 Notify */
@@ -98,15 +101,15 @@ static const struct message bgp_notify_msg[] =
{ BGP_NOTIFY_CEASE, "Cease"},
{ BGP_NOTIFY_CAPABILITY_ERR, "CAPABILITY Message Error"},
};
-static const int bgp_notify_msg_max = BGP_NOTIFY_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_msg);
static const struct message bgp_notify_head_msg[] =
{
{ BGP_NOTIFY_HEADER_NOT_SYNC, "/Connection Not Synchronized"},
{ BGP_NOTIFY_HEADER_BAD_MESLEN, "/Bad Message Length"},
- { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"}
+ { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"},
};
-static const int bgp_notify_head_msg_max = BGP_NOTIFY_HEADER_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_head_msg);
static const struct message bgp_notify_open_msg[] =
{
@@ -119,7 +122,7 @@ static const struct message bgp_notify_open_msg[] =
{ BGP_NOTIFY_OPEN_UNACEP_HOLDTIME, "/Unacceptable Hold Time"},
{ BGP_NOTIFY_OPEN_UNSUP_CAPBL, "/Unsupported Capability"},
};
-static const int bgp_notify_open_msg_max = BGP_NOTIFY_OPEN_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_open_msg);
static const struct message bgp_notify_update_msg[] =
{
@@ -136,7 +139,7 @@ static const struct message bgp_notify_update_msg[] =
{ BGP_NOTIFY_UPDATE_INVAL_NETWORK, "/Invalid Network Field"},
{ BGP_NOTIFY_UPDATE_MAL_AS_PATH, "/Malformed AS_PATH"},
};
-static const int bgp_notify_update_msg_max = BGP_NOTIFY_UPDATE_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_update_msg);
static const struct message bgp_notify_cease_msg[] =
{
@@ -150,7 +153,7 @@ static const struct message bgp_notify_cease_msg[] =
{ BGP_NOTIFY_CEASE_COLLISION_RESOLUTION, "/Connection collision resolution"},
{ BGP_NOTIFY_CEASE_OUT_OF_RESOURCE, "/Out of Resource"},
};
-static const int bgp_notify_cease_msg_max = BGP_NOTIFY_CEASE_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_cease_msg);
static const struct message bgp_notify_capability_msg[] =
{
@@ -159,7 +162,7 @@ static const struct message bgp_notify_capability_msg[] =
{ BGP_NOTIFY_CAPABILITY_INVALID_LENGTH, "/Invalid Capability Length"},
{ BGP_NOTIFY_CAPABILITY_MALFORMED_CODE, "/Malformed Capability Value"},
};
-static const int bgp_notify_capability_msg_max = BGP_NOTIFY_CAPABILITY_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_capability_msg);
/* Origin strings. */
const char *bgp_origin_str[] = {"i","e","?"};
--
2.13.6
++++++ Quagga-2018-1975-bdpd.bsc1079801.patch ++++++
>From c7c0e5df87ca427cb4d4721b11bd8e707f86420b Mon Sep 17 00:00:00 2001
From: Paul Jakma <p...@jakma.org>
Date: Sat, 6 Jan 2018 21:20:51 +0000
Upstream: yes
References: CVE-2018-5381,Quagga-2018-1975,bsc#1079801
Subject: bgpd/security: fix infinite loop on certain invalid OPEN
messages
Security issue: Quagga-2018-1975
See: https://www.quagga.net/security/Quagga-2018-1975.txt
* bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite
loop due to checks that issue 'continue' without bumping the input
pointer.
---
bgpd/bgp_packet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index f42e544b..56e27dc6 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2251,7 +2251,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt,
bgp_size_t length)
end = pnt + length;
- while (pnt < end)
+ /* XXX: Streamify this */
+ for (; pnt < end; pnt += hdr->length + 3)
{
/* We need at least action, capability code and capability length. */
if (pnt + 3 > end)
@@ -2339,7 +2340,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt,
bgp_size_t length)
zlog_warn ("%s unrecognized capability code: %d - ignored",
peer->host, hdr->code);
}
- pnt += hdr->length + 3;
}
return 0;
}
--
2.13.6
++++++ quagga-CVE-2017-16227-bgpd-Fix-AS_PATH-size-calculation.patch ++++++
>From 7a42b78be9a4108d98833069a88e6fddb9285008 Mon Sep 17 00:00:00 2001
From: Andreas Jaggi <a...@open.ch>
Date: Mon, 2 Oct 2017 19:38:43 +0530
Upstream: yes
References: CVE-2017-16227,bsc#1065641
Subject: [PATCH] bgpd: Fix AS_PATH size calculation for long paths
If you have an AS_PATH with more entries than
what can be written into a single AS_SEGMENT_MAX
it needs to be broken up. The code that noticed
that the AS_PATH needs to be broken up was not
correctly calculating the size of the resulting
message. This patch addresses this issue.
---
bgpd/bgp_aspath.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bgpd/bgp_aspath.c b/bgpd/bgp_aspath.c
index b7af5e88..d813bfba 100644
--- a/bgpd/bgp_aspath.c
+++ b/bgpd/bgp_aspath.c
@@ -903,7 +903,7 @@ aspath_put (struct stream *s, struct aspath *as, int
use32bit )
assegment_header_put (s, seg->type, AS_SEGMENT_MAX);
assegment_data_put (s, seg->as, AS_SEGMENT_MAX, use32bit);
written += AS_SEGMENT_MAX;
- bytes += ASSEGMENT_SIZE (written, use32bit);
+ bytes += ASSEGMENT_SIZE (AS_SEGMENT_MAX, use32bit);
}
/* write the final segment, probably is also the first */
--
2.13.6
