[Bug 1951834] Re: [MIR]: frr

2022-02-22 Thread Steve Langasek
Override component to main
frr 8.1-1 in jammy amd64: universe/net/optional/100% -> main
frr 8.1-1 in jammy arm64: universe/net/optional/100% -> main
frr 8.1-1 in jammy armhf: universe/net/optional/100% -> main
frr 8.1-1 in jammy ppc64el: universe/net/optional/100% -> main
frr 8.1-1 in jammy riscv64: universe/net/optional/100% -> main
frr 8.1-1 in jammy s390x: universe/net/optional/100% -> main
6 publications overridden.
Override component to main
frr 8.1-1 in jammy: universe/misc -> main
frr 8.1-1 in jammy amd64: main/net/optional/100% -> main
frr 8.1-1 in jammy amd64: universe/net/optional/100% -> main
frr 8.1-1 in jammy arm64: main/net/optional/100% -> main
frr 8.1-1 in jammy arm64: universe/net/optional/100% -> main
frr 8.1-1 in jammy armhf: main/net/optional/100% -> main
frr 8.1-1 in jammy armhf: universe/net/optional/100% -> main
frr 8.1-1 in jammy ppc64el: main/net/optional/100% -> main
frr 8.1-1 in jammy ppc64el: universe/net/optional/100% -> main
frr 8.1-1 in jammy riscv64: main/net/optional/100% -> main
frr 8.1-1 in jammy riscv64: universe/net/optional/100% -> main
frr 8.1-1 in jammy s390x: main/net/optional/100% -> main
frr 8.1-1 in jammy s390x: universe/net/optional/100% -> main
frr-doc 8.1-1 in jammy amd64: universe/doc/optional/100% -> main
frr-doc 8.1-1 in jammy arm64: universe/doc/optional/100% -> main
frr-doc 8.1-1 in jammy armhf: universe/doc/optional/100% -> main
frr-doc 8.1-1 in jammy i386: universe/doc/optional/100% -> main
frr-doc 8.1-1 in jammy ppc64el: universe/doc/optional/100% -> main
frr-doc 8.1-1 in jammy riscv64: universe/doc/optional/100% -> main
frr-doc 8.1-1 in jammy s390x: universe/doc/optional/100% -> main
frr-pythontools 8.1-1 in jammy amd64: universe/net/optional/100% -> main
frr-pythontools 8.1-1 in jammy arm64: universe/net/optional/100% -> main
frr-pythontools 8.1-1 in jammy armhf: universe/net/optional/100% -> main
frr-pythontools 8.1-1 in jammy i386: universe/net/optional/100% -> main
frr-pythontools 8.1-1 in jammy ppc64el: universe/net/optional/100% -> main
frr-pythontools 8.1-1 in jammy riscv64: universe/net/optional/100% -> main
frr-pythontools 8.1-1 in jammy s390x: universe/net/optional/100% -> main
frr-rpki-rtrlib 8.1-1 in jammy amd64: universe/net/optional/100% -> main
frr-rpki-rtrlib 8.1-1 in jammy arm64: universe/net/optional/100% -> main
frr-rpki-rtrlib 8.1-1 in jammy armhf: universe/net/optional/100% -> main
frr-rpki-rtrlib 8.1-1 in jammy ppc64el: universe/net/optional/100% -> main
frr-rpki-rtrlib 8.1-1 in jammy riscv64: universe/net/optional/100% -> main
frr-rpki-rtrlib 8.1-1 in jammy s390x: universe/net/optional/100% -> main
frr-snmp 8.1-1 in jammy amd64: universe/net/optional/100% -> main
frr-snmp 8.1-1 in jammy arm64: universe/net/optional/100% -> main
frr-snmp 8.1-1 in jammy armhf: universe/net/optional/100% -> main
frr-snmp 8.1-1 in jammy ppc64el: universe/net/optional/100% -> main
frr-snmp 8.1-1 in jammy riscv64: universe/net/optional/100% -> main
frr-snmp 8.1-1 in jammy s390x: universe/net/optional/100% -> main
frr 8.1-1 in jammy amd64 remained the same
frr 8.1-1 in jammy arm64 remained the same
frr 8.1-1 in jammy armhf remained the same
frr 8.1-1 in jammy ppc64el remained the same
frr 8.1-1 in jammy riscv64 remained the same
frr 8.1-1 in jammy s390x remained the same
33 publications overridden; 6 publications remained the same.


** Changed in: frr (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1951834

Title:
  [MIR]: frr

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/frr/+bug/1951834/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1951834] Re: [MIR]: frr

2022-02-22 Thread Andreas Hasenack
Archive Admin, please promote src:frr and these binary packages to main:
frr
frr-pythontools (pulled in by frr via Recommends)

Note libyang2 will be pulled in as well, and its MIR (#1958293) was
completed and ACKed.

Leave in universe:
frr-snmp
frr-rpki-rtrlib (uses a library that is still in universe)
frr-doc (or not, whatever happens automatically)

frr-snmp I decided to not promote:
- there are quite a large number of bugs filed in the upstream tracker with 
"snmp" in them that are still open 
(https://github.com/FRRouting/frr/issues?page=2=is%3Aissue+is%3Aopen+snmp)
- the upstream documentation warns that it can be a firehose and lead to 
crashes and hangs[1] if abused
- snmp is usually hard to troubleshoot, and can be a security nightmare
- it's easier to promote it to main later if deemed necessary, than to demote 
it after it has been in main in a release

frr was given a special consideration by the security team (see comment
#10) and didn't go through the usual security review process. This plus
all the above made me decide to keep frr-snmp in universe for now.


1. http://docs.frrouting.org/en/latest/snmp.html


[Bug 1951834] Re: [MIR]: frr

2022-02-22 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu-seeds/+git/platform/+merge/415918


[Bug 1951834] Re: [MIR]: frr

2022-02-18 Thread Andreas Hasenack
The libyang2 MIR[1] got an ACK from security


1. https://bugs.launchpad.net/ubuntu/+source/libyang2/+bug/1958293


[Bug 1951834] Re: [MIR]: frr

2022-02-08 Thread Christian Ehrhardt 
Everything resolved - in the MIR meeting we decided today that for this special 
case no security re-review is needed.
Setting to "in progress" to reflect that it is ready.
But it has to wait on libyang2 still to fully be ready.

** Changed in: frr (Ubuntu)
 Assignee: Didier Roche (didrocks) => (unassigned)

** Changed in: frr (Ubuntu)
   Status: Incomplete => In Progress


[Bug 1951834] Re: [MIR]: frr

2022-02-08 Thread Christian Ehrhardt 
Seeding is here:

$ grep -Hrn quagga  platform-git ubuntu-git/
platform-git/supported-misc-servers:175: * quagga # RobertCollins

Therefore this is what we will change to promote FRR and demote quagga
at the same time.


[Bug 1951834] Re: [MIR]: frr

2022-02-08 Thread Christian Ehrhardt 
This is requested by security to be in Jammy for reasonable long term support 
of the routing daemon.
Setting prio critical and milestone to jammy-FF

** Changed in: frr (Ubuntu)
Milestone: ubuntu-22.01 => ubuntu-22.04-feature-freeze

** Changed in: frr (Ubuntu)
   Importance: Undecided => Critical


[Bug 1951834] Re: [MIR]: frr

2022-02-04 Thread Andreas Hasenack
At least it's fixed upstream.

I'll address the remaining points next week, as I'm on +1 maintenance
this week.


[Bug 1951834] Re: [MIR]: frr

2022-02-04 Thread Didier Roche
Yeah, I don’t think that is worth a delta. My general annoyance with this
is that when you start having some warnings/errors in a project during
build, you start accepting more and more of them until it’s not readable
and you miss a valid concern. This is why I tend to patch and add
either a linter stanza with an explanation or fix the issue to keep something
"clean".


[Bug 1951834] Re: [MIR]: frr

2022-02-03 Thread Andreas Hasenack
I wonder if it's worth adding a delta with debian for this strncmp()
fix, though.

The upstream patch switches to strcmp(), arguing that these buffers are
always null terminated. In that case, even the incorrect size_t
parameter for strncmp() (source of the warning) won't matter, as the
comparison will always stop at the \0.


[Bug 1951834] Re: [MIR]: frr

2022-02-03 Thread Andreas Hasenack
For the strncmp() warnings, I filed an upstream bug[1] and it was
promptly fixed. I also filed a LP bug for me to fix it in Ubuntu, and
forward to Debian.

1. https://github.com/FRRouting/frr/issues/10484
2. https://bugs.launchpad.net/ubuntu/+source/frr/+bug/1959896

** Bug watch added: github.com/FRRouting/frr/issues #10484
   https://github.com/FRRouting/frr/issues/10484


[Bug 1951834] Re: [MIR]: frr

2022-02-02 Thread Andreas Hasenack
> specified bound depends on the length of the source argument [-Wstringop-truncation]

I believe the strncpy warning can be ignored because the buffer was
reallocated using that size just before:

#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* tests/lib/test_nexthop_iter.c: grow *buf and append repr to it */
static void str_append(char **buf, const char *repr)
{
	if (*buf) {
		/* room for the old contents + repr + terminating NUL */
		*buf = realloc(*buf, strlen(*buf) + strlen(repr) + 1);
		assert(*buf);
		/* bound strlen(repr) + 1 copies repr including its NUL */
		strncpy((*buf) + strlen(*buf), repr, strlen(repr) + 1);
	} else {
		*buf = strdup(repr);
		assert(*buf);
	}
}


And we are copying into the middle of the reallocated buffer, not its start. 
Furthermore, this is test code.

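Added example, not FRR's code and not from this thread: a constructed stand-in for struct community_alias whose field sizes are taken from the warning text (36 and 8192 bytes, so the struct is the 8228 bytes GCC reported), the strcmp() comparison the upstream fix switched to, a bounded variant whose bound is the field size rather than the struct size, and an append helper that does the job of the str_append() quoted above with memcpy() and an explicit count. The field names, the _cmp function names and the sample values are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for FRR's struct community_alias. The two field sizes
 * are the "source size" values in the warnings quoted in this thread (36 and
 * 8192), so sizeof(struct community_alias) == 8228, the bound GCC reported.
 * Field names are assumptions. */
#define COMMUNITY_ALIAS_STR_LEN 36
#define ALIAS_STR_LEN 8192

struct community_alias {
    char community[COMMUNITY_ALIAS_STR_LEN];
    char alias[ALIAS_STR_LEN];
};

/* The invariant the upstream strcmp() fix relies on: every string field is
 * NUL-terminated inside its own array. memchr() is bounded by the field size,
 * so this check never reads past the field, even on a corrupted record. */
static int community_alias_is_terminated(const struct community_alias *ca)
{
    return memchr(ca->community, '\0', sizeof(ca->community)) != NULL &&
           memchr(ca->alias, '\0', sizeof(ca->alias)) != NULL;
}

/* Hash-compare callback in the shape of the upstream fix: strcmp() on the
 * field. Correct exactly when the invariant above holds; returns 1 on match. */
static int bgp_ca_alias_cmp(const struct community_alias *a,
                            const struct community_alias *b)
{
    return strcmp(a->alias, b->alias) == 0;
}

/* Bounded alternative: the bound is sizeof(a->alias), not sizeof(struct
 * community_alias). With the struct size as bound, strncmp() could keep
 * reading 36 bytes beyond the end of 'alias' (here: beyond the struct);
 * with the field size it cannot, and an unterminated record is rejected. */
static int bgp_ca_alias_cmp_bounded(const struct community_alias *a,
                                    const struct community_alias *b)
{
    if (!community_alias_is_terminated(a) ||
        !community_alias_is_terminated(b))
        return 0;
    return strncmp(a->alias, b->alias, sizeof(a->alias)) == 0;
}

/* Append 'repr' to the heap string *buf (NULL means empty). Same contract as
 * the str_append() quoted in this thread, but the lengths are computed once
 * and the copy uses memcpy() with an explicit count including the terminator,
 * so no fortify bound "depends on the length of the source". realloc()
 * failure leaves *buf untouched instead of losing it. Returns 0 on success. */
static int str_append_checked(char **buf, const char *repr)
{
    size_t old = *buf ? strlen(*buf) : 0;
    size_t add = strlen(repr);
    char *p = realloc(*buf, old + add + 1);   /* realloc(NULL, n) == malloc(n) */

    if (!p)
        return -1;
    memcpy(p + old, repr, add + 1);
    *buf = p;
    return 0;
}

/* Self-check over constructed records: two aliases that match, one record
 * with no terminator at all, and a two-step append. Returns 1 if every
 * expectation holds. */
int demo_community_alias(void)
{
    struct community_alias a, b, bad;
    char *s = NULL;
    int ok;

    memset(&a, 0, sizeof(a));
    memset(&b, 0, sizeof(b));
    memset(&bad, 'x', sizeof(bad));           /* constructed: never terminated */
    strcpy(a.community, "65000:100");         /* constructed sample values */
    strcpy(b.community, "65000:200");
    strcpy(a.alias, "CUSTOMERS");
    strcpy(b.alias, "CUSTOMERS");

    ok = bgp_ca_alias_cmp(&a, &b) && bgp_ca_alias_cmp_bounded(&a, &b);
    /* The bounded variant refuses the unterminated record rather than
     * running a string compare into it. */
    ok = ok && !community_alias_is_terminated(&bad) &&
         !bgp_ca_alias_cmp_bounded(&a, &bad);
    ok = ok && str_append_checked(&s, "nexthop ") == 0 &&
         str_append_checked(&s, "10.0.0.1") == 0 &&
         strcmp(s, "nexthop 10.0.0.1") == 0;
    free(s);
    return ok;
}
```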

[Bug 1951834] Re: [MIR]: frr

2022-02-02 Thread Andreas Hasenack
>   * It is on the lto-disabled list. Fix, or the work-around should be directly in the package.

Good catch.

I checked and it was incorrectly added to that list, and filed a bug to
remove it:

https://bugs.launchpad.net/ubuntu/+source/frr/+bug/1959838


[Bug 1951834] Re: [MIR]: frr

2022-02-01 Thread Didier Roche
[Summary]

Thanks a lot Andreas for the detailed and high quality MIR, with
relevant research and background information.

I was first tempted to diff between quagga and frr to do a quick
assessment. However, there are too many differences to avoid doing the
full package checks. Here are my findings:

I can’t give a definitive ack right now until those questions are
answered and a few fixes are made:

Notes/required TODOs:
 * does it need a security review in your opinion? Like, since the first MIR 
security assessment, a lot of time has passed. Is this the opportunity to 
benefit from another review or do you think the overall diff from the first MIR 
in terms of security handling is small enough to not justify having a new one?
 * can you give the exact list of binary packages to promote? You mentioned for 
instance to keep frr-rpki-rtrlib in universe to avoid pulling librtr to main. I 
think the definitive list will help on the AA side.
 * It is on the lto-disabled list. Fix, or the work-around should be directly 
in the package.
 * There are some compiler warnings in the build logs. This is maybe the right 
time to get them fixed?
 * finally, once this is promoted, how do we explicitly demote quagga? I don’t 
find it in the seed. What is going to be uploaded to switch to frr?


[Duplication]
Fork of quagga, will replace it and the first one will be demoted.

[Dependencies]
OK:
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems:
- new dependencies in main, libyang2: 
https://launchpad.net/ubuntu/+source/libyang2 #1958293

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries

[Security]
OK:
- history of CVEs is expected for this kind of daemon and usage; it does not 
look concerning
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam, etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- one daemon runs as root, as explained in the description

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
- test suite failures will fail the build, according to the MIR description. 
Note that the summary mentions "TOTAL: 0"
- does have a non-trivial test suite that runs as autopkgtest
- no new python2 dependency


[Packaging red flags]

OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok (if needed, e.g. non-native)
- Upstream update history is good
- Debian/Ubuntu update history is good
- the current release is packaged
- promoting this does not seem to cause issues for MOTUs that so far
  maintained the package
- no massive Lintian warnings (rather pedantic ones)
- d/rules is rather clean

Problems:
- It is on the lto-disabled list. Fix, or the work-around should be directly in 
the package.

[Upstream red flags]
OK:
- no incautious use of malloc/sprintf (as far as we can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH (usage is OK inside
  tests)
- no use of user nobody
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- not part of the UI for extra checks

Problems:
- Some warnings during build logs:
bgpd/bgp_community_alias.c: In function ‘bgp_ca_alias_hash_cmp’:
bgpd/bgp_community_alias.c:60:17: warning: ‘strncmp’ specified bound 8228 exceeds source size 8192 [-Wstringop-overread]
   60 |         return (strncmp(ca1->alias, ca2->alias, sizeof(struct community_alias))
      |                 ^~~
bgpd/bgp_community_alias.c: In function ‘bgp_ca_community_hash_cmp’:
bgpd/bgp_community_alias.c:43:17: warning: ‘strncmp’ specified bound 8228 exceeds source size 36 [-Wstringop-overread]
   43 |         return (strncmp(ca1->community, ca2->community,
      |                 ^~~
   44 |                         sizeof(struct community_alias))
      |                         ~~~
In file included from /usr/include/string.h:519,
                 from ./lib/zebra.h:38,
                 from tests/lib/test_nexthop_iter.c:25:
In function ‘strncpy’,
    inlined from ‘str_append’ at tests/lib/test_nexthop_iter.c:37:3,
    inlined from ‘str_appendf’ at tests/lib/test_nexthop_iter.c:55:2:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:95:10: warning: ‘__builtin_strncpy’ specified bound depends on the length of the source argument [-Wstringop-truncation]
   95 |   return __builtin___strncpy_chk (__dest, __src, __len,
      |

[Bug 1951834] Re: [MIR]: frr

2022-01-25 Thread Didier Roche
** Changed in: frr (Ubuntu)
 Assignee: (unassigned) => Didier Roche (didrocks)


[Bug 1951834] Re: [MIR]: frr

2022-01-19 Thread Andreas Hasenack
** Description changed:

  [Availability]
  The package frr is already in Ubuntu universe.
  The package builds for the architectures it is designed to work on.
  It currently builds and works for architetcures: amd64, arm64, armhf, 
ppc64el, s390x, riscv64
  Link to package: https://launchpad.net/ubuntu/+source/frr
  
  [Rationale]
  frr is a fork and replacement for quagga, which is what we have in main but 
is unmaintained by upstream.
  About quagga:
-   - we have been carrying the same version since bionic
-   - upstream's git repo is gone (http://git.savannah.gnu.org/cgit/quagga.git)
-   - git mirror at https://github.com/Quagga/quagga shows last commit in 2018 
(https://github.com/Quagga/quagga
-   - mailing lists have crickets 
(https://lists.quagga.net/pipermail/quagga-users/, 
https://lists.quagga.net/pipermail/quagga-dev/)
+   - we have been carrying the same version since bionic
+   - upstream's git repo is gone (http://git.savannah.gnu.org/cgit/quagga.git)
+   - git mirror at https://github.com/Quagga/quagga shows last commit in 2018 
(https://github.com/Quagga/quagga
+   - mailing lists have crickets 
(https://lists.quagga.net/pipermail/quagga-users/, 
https://lists.quagga.net/pipermail/quagga-dev/)
  
  The proposal is to demote quagga, and promote ffr, for jammy.
  
  [Security]
  http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=frr
  4 CVEs in older versions (jammy has 8.1)
  CVE-2017-15865 - information leak
  CVE-2017-5495 - DoS due to memleak
  CVE-2019-5892 - DoS
  CVE-2020-12831 - (disputed) info leak via an initially empty world readable 
config file
  
  site:www.openwall.com/lists/oss-security frr
  0 hits (the single hit was for the "frr" string in a pgp signature)
  
  Ubuntu:
  https://ubuntu.com/security/cve?q=frr
  https://ubuntu.com/security/CVE-2020-12831 needs triage: (disputed) info leak 
via an initially empty world readable config file
  https://ubuntu.com/security/CVE-2017-5495 only affected quagga in ubuntu it 
seems
  
  - no `suid` or `sgid` binaries
  - no executables in `/sbin` and `/usr/sbin`
  - Package installs services:
  /lib/systemd/system/frr.service
  
  Right after installation, one daemon runs as root, the other two as "frr":
  root   32148  0.0  0.0   7960  2892 ?Ss   14:02   0:00 
/usr/lib/frr/watchfrr -d -F traditional zebra staticd
  frr32161  0.0  0.0 242848  7000 ?Ssl  14:02   0:00 
/usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 9000
  frr32166  0.0  0.0   9256  3608 ?Ss   14:02   0:00 
/usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
  
  Many more can be run depending on configuration, though. Default list in 
/etc/frr/daemons:
  bgpd=no
  ospfd=no
  ospf6d=no
  ripd=no
  ripngd=no
  isisd=no
  pimd=no
  ldpd=no
  nhrpd=no
  eigrpd=no
  babeld=no
  sharpd=no
  pbrd=no
  bfdd=no
  fabricd=no
  vrrpd=no
  pathd=no
  
  If all are enabled, we get this by default:
  frr 1033  0.0  0.0 1722872 9648 ?Ssl  14:42   0:00 
/usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 9000
  frr 1038  0.0  0.0 173100  9108 ?Ssl  14:42   0:00 
/usr/lib/frr/bgpd -d -F traditional -A 127.0.0.1
  frr 1045  0.0  0.0   9916  4192 ?Ss   14:42   0:00 
/usr/lib/frr/ripd -d -F traditional -A 127.0.0.1
  frr 1048  0.0  0.0   9660  3832 ?Ss   14:42   0:00 
/usr/lib/frr/ripngd -d -F traditional -A ::1
  frr 1051  0.0  0.0  11852  4900 ?Ss   14:42   0:00 
/usr/lib/frr/ospfd -d -F traditional -A 127.0.0.1
  frr 1054  0.0  0.0  10828  4632 ?Ss   14:42   0:00 
/usr/lib/frr/ospf6d -d -F traditional -A ::1
  frr 1057  0.0  0.0  11540  4884 ?Ss   14:42   0:00 
/usr/lib/frr/isisd -d -F traditional -A 127.0.0.1
  frr 1060  0.0  0.0   9388  3532 ?Ss   14:42   0:00 
/usr/lib/frr/babeld -d -F traditional -A 127.0.0.1
  frr 1063  0.0  0.0  11540  5088 ?Ss   14:42   0:00 
/usr/lib/frr/pimd -d -F traditional -A 127.0.0.1
  frr 1071  0.0  0.0   9692  5380 ?S14:42   0:00 
/usr/lib/frr/ldpd -L -u frr -g frr
  frr 1072  0.0  0.0   9520  5376 ?S14:42   0:00 
/usr/lib/frr/ldpd -E -u frr -g frr
  frr 1074  0.0  0.0  10288  3652 ?Ss   14:42   0:00 
/usr/lib/frr/ldpd -d -F traditional -A 127.0.0.1
  frr 1078  0.0  0.0   9968  3652 ?Ss   14:42   0:00 
/usr/lib/frr/nhrpd -d -F traditional -A 127.0.0.1
  frr 1082  0.0  0.0   9812  4000 ?Ss   14:42   0:00 
/usr/lib/frr/eigrpd -d -F traditional -A 127.0.0.1
  frr 1085  0.0  0.0   9232  3376 ?Ss   14:42   0:00 
/usr/lib/frr/pbrd -d -F traditional -A 127.0.0.1
  frr 1088  0.0  0.0   9204  3136 ?Ss   14:42   0:00 
/usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
  frr 1091  0.0  0.0   9496  3596 ?Ss   14:42   0:00 
/usr/lib/frr/bfdd -d -F traditional -A 127.0.0.1
  frr 1094  0.0  0.0  10460  4052 ?Ss   

[Bug 1951834] Re: [MIR]: frr

2022-01-18 Thread Andreas Hasenack
** Changed in: frr (Ubuntu)
 Assignee: Andreas Hasenack (ahasenack) => (unassigned)

** Changed in: frr (Ubuntu)
   Status: In Progress => New


[Bug 1951834] Re: [MIR]: frr

2022-01-18 Thread Andreas Hasenack
** Description changed:

- placeholder for MIR
- 
- - frr has its roots in quagga
- - quagga is unmaintained upstream:
+ [Availability]
+ The package frr is already in Ubuntu universe.
+ The package builds for the architectures it is designed to work on.
+ It currently builds and works for architetcures: amd64, arm64, armhf, 
ppc64el, s390x, riscv64
+ Link to package: https://launchpad.net/ubuntu/+source/frr
+ 
+ [Rationale]
+ frr is a fork and replacement for quagga, which is what we have in main but 
is unmaintained by upstream.
+ About quagga:
- we have been carrying the same version since bionic
- upstream's git repo is gone (http://git.savannah.gnu.org/cgit/quagga.git)
- git mirror at https://github.com/Quagga/quagga shows last commit in 2018 
(https://github.com/Quagga/quagga
- mailing lists have crickets 
(https://lists.quagga.net/pipermail/quagga-users/, 
https://lists.quagga.net/pipermail/quagga-dev/)
  
  The proposal is to demote quagga, and promote ffr, for jammy.
  
- I'll do the initial MIR evaluation, and thus assign this bug to me. Once
- the MIR template is filled out, I'll mark this bug as NEW again and
- unassigned.
+ [Security]
+ http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=frr
+ 4 CVEs in older versions (jammy has 8.1)
+ CVE-2017-15865 - information leak
+ CVE-2017-5495 - DoS due to memleak
+ CVE-2019-5892 - DoS
+ CVE-2020-12831 - (disputed) info leak via an initially empty world readable 
config file
+ 
+ site:www.openwall.com/lists/oss-security frr
+ 0 hits (the single hit was for the "frr" string in a pgp signature)
+ 
+ Ubuntu:
+ https://ubuntu.com/security/cve?q=frr
+ https://ubuntu.com/security/CVE-2020-12831 needs triage: (disputed) info leak 
via an initially empty world readable config file
+ https://ubuntu.com/security/CVE-2017-5495 only affected quagga in ubuntu it 
seems
+ 
+ - no `suid` or `sgid` binaries
+ - no executables in `/sbin` and `/usr/sbin`
+ - Package installs services:
+ /lib/systemd/system/frr.service
+ 
+ Right after installation, one daemon runs as root, the other two as "frr":
+ root   32148  0.0  0.0   7960  2892 ?Ss   14:02   0:00 
/usr/lib/frr/watchfrr -d -F traditional zebra staticd
+ frr32161  0.0  0.0 242848  7000 ?Ssl  14:02   0:00 
/usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 9000
+ frr32166  0.0  0.0   9256  3608 ?Ss   14:02   0:00 
/usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
+ 
+ Many more can be run depending on configuration, though. Default list in 
/etc/frr/daemons:
+ bgpd=no
+ ospfd=no
+ ospf6d=no
+ ripd=no
+ ripngd=no
+ isisd=no
+ pimd=no
+ ldpd=no
+ nhrpd=no
+ eigrpd=no
+ babeld=no
+ sharpd=no
+ pbrd=no
+ bfdd=no
+ fabricd=no
+ vrrpd=no
+ pathd=no
+ 
+ If all are enabled, we get this by default:
+ frr 1033  0.0  0.0 1722872 9648 ?Ssl  14:42   0:00 
/usr/lib/frr/zebra -d -F traditional -A 127.0.0.1 -s 9000
+ frr 1038  0.0  0.0 173100  9108 ?Ssl  14:42   0:00 
/usr/lib/frr/bgpd -d -F traditional -A 127.0.0.1
+ frr 1045  0.0  0.0   9916  4192 ?Ss   14:42   0:00 
/usr/lib/frr/ripd -d -F traditional -A 127.0.0.1
+ frr 1048  0.0  0.0   9660  3832 ?Ss   14:42   0:00 
/usr/lib/frr/ripngd -d -F traditional -A ::1
+ frr 1051  0.0  0.0  11852  4900 ?Ss   14:42   0:00 
/usr/lib/frr/ospfd -d -F traditional -A 127.0.0.1
+ frr 1054  0.0  0.0  10828  4632 ?Ss   14:42   0:00 
/usr/lib/frr/ospf6d -d -F traditional -A ::1
+ frr 1057  0.0  0.0  11540  4884 ?Ss   14:42   0:00 
/usr/lib/frr/isisd -d -F traditional -A 127.0.0.1
+ frr 1060  0.0  0.0   9388  3532 ?Ss   14:42   0:00 
/usr/lib/frr/babeld -d -F traditional -A 127.0.0.1
+ frr 1063  0.0  0.0  11540  5088 ?Ss   14:42   0:00 
/usr/lib/frr/pimd -d -F traditional -A 127.0.0.1
+ frr 1071  0.0  0.0   9692  5380 ?S14:42   0:00 
/usr/lib/frr/ldpd -L -u frr -g frr
+ frr 1072  0.0  0.0   9520  5376 ?S14:42   0:00 
/usr/lib/frr/ldpd -E -u frr -g frr
+ frr 1074  0.0  0.0  10288  3652 ?Ss   14:42   0:00 
/usr/lib/frr/ldpd -d -F traditional -A 127.0.0.1
+ frr 1078  0.0  0.0   9968  3652 ?Ss   14:42   0:00 
/usr/lib/frr/nhrpd -d -F traditional -A 127.0.0.1
+ frr 1082  0.0  0.0   9812  4000 ?Ss   14:42   0:00 
/usr/lib/frr/eigrpd -d -F traditional -A 127.0.0.1
+ frr 1085  0.0  0.0   9232  3376 ?Ss   14:42   0:00 
/usr/lib/frr/pbrd -d -F traditional -A 127.0.0.1
+ frr 1088  0.0  0.0   9204  3136 ?Ss   14:42   0:00 
/usr/lib/frr/staticd -d -F traditional -A 127.0.0.1
+ frr 1091  0.0  0.0   9496  3596 ?Ss   14:42   0:00 
/usr/lib/frr/bfdd -d -F traditional -A 127.0.0.1
+ frr 1094  0.0  0.0  10460  4052 ?Ss   14:42   0:00 
/usr/lib/frr/fabricd -d -F traditional -A 127.0.0.1
+ frr 1097  0.0  0.0   9256  3472 ?Ss   14:42   0:00 

[Bug 1951834] Re: [MIR]: frr

2022-01-11 Thread Andreas Hasenack
** Tags added: server-todo


[Bug 1951834] Re: [MIR]: frr

2022-01-05 Thread Andreas Hasenack
** Changed in: frr (Ubuntu)
Milestone: None => ubuntu-22.01


[Bug 1951834] Re: [MIR]: frr

2021-12-13 Thread Andreas Hasenack
** Changed in: frr (Ubuntu)
   Status: Triaged => In Progress
