
[alpine-aports] [PATCH v3.2] main/quagga: security upgrade - fixes #6384

Details
Message ID
<1481206786-16037-1-git-send-email-sergej.lukin@gmail.com>
Sender timestamp
1481206786
DKIM signature
missing
Patch: +52 -1
CVE-2016-1245
---
 main/quagga/APKBUILD            |  7 ++++++-
 main/quagga/CVE-2016-1245.patch | 46 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 main/quagga/CVE-2016-1245.patch

diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD
index 3cd1797..6f8f16d 100644
--- a/main/quagga/APKBUILD
+++ b/main/quagga/APKBUILD
@@ -1,7 +1,8 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
# Contributor: Sergey Lukin <sergej.lukin@gmail.com>
pkgname=quagga
pkgver=0.99.24.1
pkgrel=4
pkgrel=5
pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP."
url="http://quagga.net/"
arch="all"
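Review bot: this hunk carries two changes, not one: the header grows from 7 to 8 lines (`@@ -1,7 +1,8 @@`) because a `# Contributor: Sergey Lukin <sergej.lukin@gmail.com>` line is added, and pkgrel moves from 4 to 5. The pkgrel bump is the right way to force a rebuild for a patch-only security fix with pkgver unchanged; the new Contributor line is unrelated to CVE-2016-1245 and should be mentioned in the commit message, whose body currently consists of the CVE identifier alone.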
@@ -16,6 +17,7 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
	bgpd-route-selection-crash.patch
	dont-hook-core-signals.patch
	bgpd-fix-useless-call-in-bgp_mplsvpn.patch
	CVE-2016-1245.patch
	CVE-2016-2342.patch

	bgpd.initd
@@ -78,6 +80,7 @@ md5sums="b168db69435100ee04564c4fb39c7413  quagga-0.99.24.1.tar.xz
10c9c745f2f9fdd1d81a4100d44e3313  bgpd-route-selection-crash.patch
1224ba91ea6b6e81f583bad7813aba98  dont-hook-core-signals.patch
92a293e339a971dbee61a7e3532fc07f  bgpd-fix-useless-call-in-bgp_mplsvpn.patch
82495a990f82d36b2f71e0193840f72d  CVE-2016-1245.patch
9599aae2fc46e171d6cd1e0ad65bb0b8  CVE-2016-2342.patch
09a77e2e84e71c43f5a449738c026261  bgpd.initd
916f1dd1a286ee7b862cda4fe56cbf21  zebra.initd
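Review bot: md5sums is still being maintained alongside sha256sums and sha512sums for the new patch file. That is consistent with the rest of this APKBUILD and all three lists are regenerated together by `abuild checksum`, but the md5 entry adds no integrity value beyond the SHA entries and is the first candidate to drop when the file is next cleaned up.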
@@ -86,6 +89,7 @@ sha256sums="6fd6baadb136a801c29c1dd72d0fe69da9f19ae498e87bff7057778361e43b14  qu
d8d65cc092cf7644b059d4c1b789b223482b0f50ba2cc891da4d71fe083f8cc0  bgpd-route-selection-crash.patch
4b71588e34ac14f8d6e72e6064b5e4ec302f286ebbe43df94c97411cceb66a23  dont-hook-core-signals.patch
e05f1fbec4f495fb257fb11bda4d1a7ceba008f4af4ff40f9093571f65ab6fe2  bgpd-fix-useless-call-in-bgp_mplsvpn.patch
5ea0138eda1e81f065f36957c51ba927b4c09512e28c84ea03b0e38787b4c84f  CVE-2016-1245.patch
4658d69b1e96d741aff29af72b93440b75fbff280d435614d991667f3cd32bdf  CVE-2016-2342.patch
aab037454c6a70cd5cb45e14c47b7dfea358f8d81c7d12418edcf7e58a86c679  bgpd.initd
c1d7526581927e990e687cbd5d08447eb060f76a439475572785b5b90c60c460  zebra.initd
@@ -94,6 +98,7 @@ sha512sums="71c340ce0f4e52c69892d8fed82d30956161b09b029fb0a82ba774664aa2303b4930
3317554cc2470f12eb6694f2ada187be4ccc45976ebf09aa487634bbd7a4820a917f3c202bb9d4736771adf33e5eafa45f7bb8dadd2e9872d5fe7885261714b5  bgpd-route-selection-crash.patch
5ef5c5e6d70d991b33b13a062e25b6fbde395dceee36aea29384b0640a48d2957ed5f50d416a1f2f770bf69bae2340133e35b1114be7e1fa722eb6d3d021f37a  dont-hook-core-signals.patch
ee50d0ad93f3322ffa5842261359bb46cd7d3e609c44ea2dce86ecee03d0b862dac4b18dc70f116481acab6ca9e66a94cc8b22a8efb67df74ad38eab08592c76  bgpd-fix-useless-call-in-bgp_mplsvpn.patch
0de1c3d1846ccc10577f87b67b43667428887fa8af38b70c46d357c45261e78e0f4343d5c60042abef3f674dd4322995b21139c78e59c894779616b8c0ff0620  CVE-2016-1245.patch
2cd301e9d63c1f006e8b136b6a781692f50d9a63315b58453096125bbdbd81bdb0e092549e6a496ba2451e7ab44f686faeec4b6eab6ad909c91ace95cbe8eee0  CVE-2016-2342.patch
13b5b57e10df013bd2d931abc49bf76b8c4dee59dbceab22c9f151ccb988b2c5f7167f2909027d5e0f990b59da8de115667b02484aee9a67d347625700f6cacd  bgpd.initd
1638a4a64ffd066b1884f7e5a4243edab68739aabd83bd35ea8c9608af7b8623eece1d59fb08feead84e4386b6d1da4220764ccf5fd7f2a9959a8470d5cce86a  zebra.initd
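Review bot: the md5, sha256 and sha512 values for CVE-2016-1245.patch cannot be confirmed from the email text. Whoever applies this should write the new file from the second diff, run `abuild checksum` and check that all three values match exactly; any whitespace change to the patch file, such as a trailing-space or blank-line difference introduced by the mail transport, would alter them and make the build abort at the verify step.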
diff --git a/main/quagga/CVE-2016-1245.patch b/main/quagga/CVE-2016-1245.patch
new file mode 100644
index 0000000..ad7d764
--- /dev/null
+++ b/main/quagga/CVE-2016-1245.patch
@@ -0,0 +1,46 @@
https://bugs.alpinelinux.org/issues/6384

zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)
The IPv6 RA code also receives ICMPv6 RS and RA messages.
Unfortunately, by bad coding practice, the buffer size specified on
receiving such messages mixed up 2 constants that in fact have
different values.

The code itself has:
 #define RTADV_MSG_SIZE 4096
While BUFSIZ is system-dependent, in my case (x86_64 glibc):
 /usr/include/_G_config.h:#define _G_BUFSIZ 8192
 /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
 /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ

FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them
have BUFSIZ == 1024.

As the latter is passed to the kernel on recvmsg(), it's possible to
overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
to any of the system's addresses (using fragmentation to get to 8k).

(The socket has filters installed limiting this to RS and RA packets,
but does not have a filter for source address or TTL.)

Issue discovered by trying to test other stuff, which randomly caused
the stack to be smaller than 8kB in that code location, which then
causes the kernel to report EFAULT (Bad address).

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>

https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546

diff -ru quagga-0.99.24.1.orig/zebra/rtadv.c quagga-0.99.24.1/zebra/rtadv.c
--- quagga-0.99.24.1.orig/zebra/rtadv.c
+++ quagga-0.99.24.1/zebra/rtadv.c
@@ -515,7 +515,7 @@
   /* Register myself. */
   rtadv_event (RTADV_READ, sock);
 
-  len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
+  len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);
 
   if (len < 0) 
     {
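Review bot: the fix replaces `BUFSIZ` with `sizeof (buf)` in the `rtadv_recv_packet` call, which is only correct if `buf` is declared as an array in the enclosing function (the description quotes `RTADV_MSG_SIZE 4096` as the intended size) rather than as a pointer, in which case `sizeof` would yield the pointer width. The declaration is outside the hunk's three lines of context, so confirm it against the upstream commit linked in the description when applying. Otherwise the file is a clean `diff -ru` with the upstream description, sign-offs and commit URL retained, which is the right shape for a backported CVE fix.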
-- 
2.4.11
