Mail archive
alpine-aports

[alpine-aports] [PATCH v3.2] main/quagga: security upgrade - fixes #6384

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Thu, 8 Dec 2016 14:19:46 +0000

CVE-2016-1245
---
 main/quagga/APKBUILD            |  7 ++++++-
 main/quagga/CVE-2016-1245.patch | 46 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 main/quagga/CVE-2016-1245.patch
diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD
index 3cd1797..6f8f16d 100644
--- a/main/quagga/APKBUILD
+++ b/main/quagga/APKBUILD
_at_@ -1,7 +1,8 @@
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
+# Contributor: Sergey Lukin <sergej.lukin_at_gmail.com>
 pkgname=quagga
 pkgver=0.99.24.1
-pkgrel=4
+pkgrel=5
 pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP."
 url="http://quagga.net/"
 arch="all"
_at_@ -16,6 +17,7 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
 	bgpd-route-selection-crash.patch
 	dont-hook-core-signals.patch
 	bgpd-fix-useless-call-in-bgp_mplsvpn.patch
+	CVE-2016-1245.patch
 	CVE-2016-2342.patch
 
 	bgpd.initd
_at_@ -78,6 +80,7 @@ md5sums="b168db69435100ee04564c4fb39c7413  quagga-0.99.24.1.tar.xz
 10c9c745f2f9fdd1d81a4100d44e3313  bgpd-route-selection-crash.patch
 1224ba91ea6b6e81f583bad7813aba98  dont-hook-core-signals.patch
 92a293e339a971dbee61a7e3532fc07f  bgpd-fix-useless-call-in-bgp_mplsvpn.patch
+82495a990f82d36b2f71e0193840f72d  CVE-2016-1245.patch
 9599aae2fc46e171d6cd1e0ad65bb0b8  CVE-2016-2342.patch
 09a77e2e84e71c43f5a449738c026261  bgpd.initd
 916f1dd1a286ee7b862cda4fe56cbf21  zebra.initd
_at_@ -86,6 +89,7 @@ sha256sums="6fd6baadb136a801c29c1dd72d0fe69da9f19ae498e87bff7057778361e43b14  qu
 d8d65cc092cf7644b059d4c1b789b223482b0f50ba2cc891da4d71fe083f8cc0  bgpd-route-selection-crash.patch
 4b71588e34ac14f8d6e72e6064b5e4ec302f286ebbe43df94c97411cceb66a23  dont-hook-core-signals.patch
 e05f1fbec4f495fb257fb11bda4d1a7ceba008f4af4ff40f9093571f65ab6fe2  bgpd-fix-useless-call-in-bgp_mplsvpn.patch
+5ea0138eda1e81f065f36957c51ba927b4c09512e28c84ea03b0e38787b4c84f  CVE-2016-1245.patch
 4658d69b1e96d741aff29af72b93440b75fbff280d435614d991667f3cd32bdf  CVE-2016-2342.patch
 aab037454c6a70cd5cb45e14c47b7dfea358f8d81c7d12418edcf7e58a86c679  bgpd.initd
 c1d7526581927e990e687cbd5d08447eb060f76a439475572785b5b90c60c460  zebra.initd
_at_@ -94,6 +98,7 @@ sha512sums="71c340ce0f4e52c69892d8fed82d30956161b09b029fb0a82ba774664aa2303b4930
 3317554cc2470f12eb6694f2ada187be4ccc45976ebf09aa487634bbd7a4820a917f3c202bb9d4736771adf33e5eafa45f7bb8dadd2e9872d5fe7885261714b5  bgpd-route-selection-crash.patch
 5ef5c5e6d70d991b33b13a062e25b6fbde395dceee36aea29384b0640a48d2957ed5f50d416a1f2f770bf69bae2340133e35b1114be7e1fa722eb6d3d021f37a  dont-hook-core-signals.patch
 ee50d0ad93f3322ffa5842261359bb46cd7d3e609c44ea2dce86ecee03d0b862dac4b18dc70f116481acab6ca9e66a94cc8b22a8efb67df74ad38eab08592c76  bgpd-fix-useless-call-in-bgp_mplsvpn.patch
+0de1c3d1846ccc10577f87b67b43667428887fa8af38b70c46d357c45261e78e0f4343d5c60042abef3f674dd4322995b21139c78e59c894779616b8c0ff0620  CVE-2016-1245.patch
 2cd301e9d63c1f006e8b136b6a781692f50d9a63315b58453096125bbdbd81bdb0e092549e6a496ba2451e7ab44f686faeec4b6eab6ad909c91ace95cbe8eee0  CVE-2016-2342.patch
 13b5b57e10df013bd2d931abc49bf76b8c4dee59dbceab22c9f151ccb988b2c5f7167f2909027d5e0f990b59da8de115667b02484aee9a67d347625700f6cacd  bgpd.initd
 1638a4a64ffd066b1884f7e5a4243edab68739aabd83bd35ea8c9608af7b8623eece1d59fb08feead84e4386b6d1da4220764ccf5fd7f2a9959a8470d5cce86a  zebra.initd
diff --git a/main/quagga/CVE-2016-1245.patch b/main/quagga/CVE-2016-1245.patch
new file mode 100644
index 0000000..ad7d764
--- /dev/null
+++ b/main/quagga/CVE-2016-1245.patch
_at_@ -0,0 +1,46 @@
+https://bugs.alpinelinux.org/issues/6384
+
+zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)
+The IPv6 RA code also receives ICMPv6 RS and RA messages.
+Unfortunately, by bad coding practice, the buffer size specified on
+receiving such messages mixed up 2 constants that in fact have
+different values.
+
+The code itself has:
+ #define RTADV_MSG_SIZE 4096
+While BUFSIZ is system-dependent, in my case (x86_64 glibc):
+ /usr/include/_G_config.h:#define _G_BUFSIZ 8192
+ /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
+ /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ
+
+FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them
+have BUFSIZ == 1024.
+
+As the latter is passed to the kernel on recvmsg(), it's possible to
+overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
+to any of the system's addresses (using fragmentation to get to 8k).
+
+(The socket has filters installed limiting this to RS and RA packets,
+but does not have a filter for source address or TTL.)
+
+Issue discovered by trying to test other stuff, which randomly caused
+the stack to be smaller than 8kB in that code location, which then
+causes the kernel to report EFAULT (Bad address).
+
+Signed-off-by: David Lamparter <equinox_at_opensourcerouting.org>
+Reviewed-by: Donald Sharp <sharpd_at_cumulusnetworks.com>
+
+https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
+
+diff -ru quagga-0.99.24.1.orig/zebra/rtadv.c quagga-0.99.24.1/zebra/rtadv.c
+--- quagga-0.99.24.1.orig/zebra/rtadv.c
++++ quagga-0.99.24.1/zebra/rtadv.c
+_at_@ -515,7 +515,7 @@
+   /* Register myself. */
+   rtadv_event (RTADV_READ, sock);
+ 
+-  len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
++  len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);
+ 
+   if (len < 0) 
+     {
-- 
2.4.11
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Thu Dec 08 2016 - 14:19:46 GMT