Bug#1070377: frr: CVE-2024-34088

2024-05-28 Thread Moritz Mühlenhoff
On Sat, May 04, 2024 at 06:00:24PM +0200, Moritz Mühlenhoff wrote:
> Source: frr
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for frr.
> 
> CVE-2024-34088[0]:
> | In FRRouting (FRR) through 9.1, it is possible for the get_edge()
> | function in ospf_te.c in the OSPF daemon to return a NULL pointer.
> | In cases where calling functions do not handle the returned NULL
> | value, the OSPF daemon crashes, leading to denial of service.

There are two additional related CVE IDs covered by the same pull
request (https://github.com/FRRouting/frr/pull/15674/):

CVE-2024-31951:
| In the Opaque LSA Extended Link parser in FRRouting (FRR) through
| 9.1, there can be a buffer overflow and daemon crash in
| ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read
| Segment Routing Adjacency SID subTLVs (lengths are not validated).
  
CVE-2024-31950:
| In FRRouting (FRR) through 9.1, there can be a buffer overflow and
| daemon crash in ospf_te_parse_ri for OSPF LSA packets during an
| attempt to read Segment Routing subTLVs (their size is not validated).

These got merged with the following commits:
https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4
https://github.com/FRRouting/frr/commit/5557a289acdaec8cc63ffc97b5c2abf6dee7b3a
https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca
https://github.com/FRRouting/frr/commit/e08495a4a8ad4d2050691d9e5e13662d2635b2e0

Cheers,
Moritz
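
The bug class named in CVE-2024-31950 and CVE-2024-31951 above (sub-TLV sizes used without validation), shown as an added example that is not part of the message and is not FRR's code. It assumes the OSPF TE TLV layout (2-byte type, 2-byte length, value padded to 4 bytes); `read_fixed_subtlv` and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TLV_HDR_SIZE 4u /* 2-byte type + 2-byte length */

/* Constructed sample: type 1 (len 4), then type 2 (len 3 + 1 pad byte). */
static const uint8_t sample_ok[] = { 0x00, 0x01, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,
				     0x00, 0x02, 0x00, 0x03, 0x0a, 0x0b, 0x0c, 0x00 };
/* Constructed sample: type 2 declares 64 value bytes, only 4 are present. */
static const uint8_t sample_bad[] = { 0x00, 0x02, 0x00, 0x40, 0x0a, 0x0b, 0x0c, 0x00 };

/* Big-endian 16-bit read. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Hypothetical helper: copy the value of the first sub-TLV of type `want`.
 * Returns 1 if copied, 0 if absent, -1 if the buffer is malformed or the
 * declared length differs from the size the caller expects.
 */
int read_fixed_subtlv(const uint8_t *buf, size_t len, uint16_t want,
		      uint8_t *out, size_t out_len)
{
	size_t off = 0;
	while (off < len) {
		if (len - off < TLV_HDR_SIZE)
			return -1; /* truncated header */
		uint16_t type = rd16(buf + off);
		size_t vlen = rd16(buf + off + 2);
		size_t padded = (vlen + 3u) & ~(size_t)3u; /* 4-byte alignment */
		if (padded > len - off - TLV_HDR_SIZE)
			return -1; /* declared length runs past the buffer */
		if (type == want) {
			if (vlen != out_len)
				return -1; /* size does not match expected layout */
			memcpy(out, buf + off + TLV_HDR_SIZE, vlen);
			return 1;
		}
		off += TLV_HDR_SIZE + padded;
	}
	return 0;
}

int main(void)
{
	uint8_t v[3];
	printf("ok=%d bad=%d\n", read_fixed_subtlv(sample_ok, sizeof(sample_ok), 2, v, 3),
	       read_fixed_subtlv(sample_bad, sizeof(sample_bad), 2, v, 3));
	return 0;
}
```

Both checks matter: the first keeps the walk inside the received buffer, the second rejects a sub-TLV whose declared length does not match the fixed-size structure the caller is about to fill.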




Bug#1070377: frr: CVE-2024-34088

2024-05-25 Thread Tobias Frost
Control: tags -1 fixed-upstream
Control: forwarded -1 https://github.com/FRRouting/frr/pull/15674

Upstream has merged a fix.



Bug#1070377: frr: CVE-2024-34088

2024-05-04 Thread Moritz Mühlenhoff
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2024-34088[0]:
| In FRRouting (FRR) through 9.1, it is possible for the get_edge()
| function in ospf_te.c in the OSPF daemon to return a NULL pointer.
| In cases where calling functions do not handle the returned NULL
| value, the OSPF daemon crashes, leading to denial of service.

https://github.com/FRRouting/frr/pull/15674
Introduced by: https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (base_8.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34088
https://www.cve.org/CVERecord?id=CVE-2024-34088

Please adjust the affected versions in the BTS as needed.