~alpine/aports


[alpine-aports] [PATCH v3.1] main/quagga: security upgrade - fixes #6385

Message ID
<1481542132-10549-1-git-send-email-sergej.lukin@gmail.com>
Sender timestamp
1481542132
DKIM signature
missing
Patch: +55 -5
CVE-2016-1245
---
 main/quagga/APKBUILD            | 14 ++++++++-----
 main/quagga/CVE-2016-1245.patch | 46 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 5 deletions(-)
 create mode 100644 main/quagga/CVE-2016-1245.patch

diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD
index 1f78c5a..8113cf4 100644
--- a/main/quagga/APKBUILD
+++ b/main/quagga/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=quagga
pkgver=0.99.23.1
pkgrel=2
pkgrel=3
pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP."
url="http://quagga.net/"
arch="all"
@@ -16,6 +16,7 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
	1001-bgpd-implement-next-hop-self-all.patch
	bgpd-gr-route-selection-fix.patch
	bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
	CVE-2016-1245.patch
	CVE-2016-2342.patch

	bgpd.initd
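Review bot: adding CVE-2016-1245.patch to source is the only change here that the subject line ("security upgrade") actually describes; the remaining APKBUILD hunks are the _builddir to builddir rename, which is unrelated to the CVE. Splitting the rename into its own commit would keep this security backport minimal and trivially cherry-pickable to the stable branches.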
@@ -23,9 +24,9 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
	zebra.confd
	"

_builddir="$srcdir"/$pkgname-$pkgver
builddir="$srcdir"/$pkgname-$pkgver
prepare() {
	cd "$_builddir"
	cd "$builddir"
	for i in $source; do
		case $i in
		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
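Review bot: the prepare() loop applies every *.patch in $source with `patch -p1`, and the new CVE-2016-1245.patch carries quagga-0.99.24.1 path prefixes while this aport builds 0.99.23.1, so the -p1 strip is the only reason it lands on zebra/rtadv.c; please confirm from the build log that it applied without offset or fuzz. Unrelated to the CVE, the `cd "$builddir"` rename in this hunk is the same cosmetic change repeated in build() and package() below.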
@@ -34,7 +35,7 @@ prepare() {
}

build() {
	cd "$_builddir"
	cd "$builddir"
	quagga_cv_ipforward_method=proc \
	./configure \
		--build=$CBUILD \
@@ -60,7 +61,7 @@ build() {
}

package() {
	cd "$_builddir"
	cd "$builddir"
	make DESTDIR="$pkgdir" install || return 1
	rm "$pkgdir"/usr/lib/*.la || return 1

@@ -78,6 +79,7 @@ md5sums="da14aed6ae4be582486816f3eac2a46f  quagga-0.99.23.1.tar.xz
cb97c9d7e192ca05b64c9da909daa97a  1001-bgpd-implement-next-hop-self-all.patch
1fbfcff69bc7df56f9e6682012261004  bgpd-gr-route-selection-fix.patch
0d21bd5e197324ffba95830ecb744a74  bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
82495a990f82d36b2f71e0193840f72d  CVE-2016-1245.patch
f431ae1dc0e568b3f762609622170dc9  CVE-2016-2342.patch
e80a3df594eba8b09e19aa28d9283698  bgpd.initd
33d0e34f11460881161ab930d3d3b987  zebra.initd
@@ -86,6 +88,7 @@ sha256sums="202e8b7fbec810f28a84e3fbb6aafdaf08a3b51527c258807abc8a74ed617eb8  qu
cd1a3cebe2e666fe95036dac5fe0b4c19772dc1d39859f5390c5c5d84695b8b3  1001-bgpd-implement-next-hop-self-all.patch
66de5b7c097aeb1767001547e219af51e43f968bd241dec7f0c71b68b54855de  bgpd-gr-route-selection-fix.patch
a34704790013154a97262a9d4c6a82cc97ad1288a3eca477227d6bd4cd5452ba  bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
5ea0138eda1e81f065f36957c51ba927b4c09512e28c84ea03b0e38787b4c84f  CVE-2016-1245.patch
b01d40dac0d5ac1d8e6df38fe8bc76aa5bae351ff8e35387690ae3b76608a922  CVE-2016-2342.patch
41471bfda120cb57bc0f40e87ec23a4f150d2b97c97ececdda6c408eab7cf9a3  bgpd.initd
d6cc9280df63859ba711ad2071b38b9ce317d718c34840a2b101debef3fa7b56  zebra.initd
@@ -94,6 +97,7 @@ sha512sums="7a222d4a5aa41deeb233f2e9ce922e5c29787c2f74c1b99177089e3183b69d3c0e4d
a8b7c2f8c4e31841b735f17e2476adfc5d0b9caee4808ade19774fedf8abf935f0afda1bf43e79606dd5aca821a11435b69c84eec3cd6860c24e35775ff0bc3e  1001-bgpd-implement-next-hop-self-all.patch
3e3e1862739ed47da38720d87669ee0bfa2d6e2c2c65388727c92a22cad8b5bf9f4c302701cbd0cf3ac0186eeb1498aefed74c85d8f43ced41c78680fdbbc2ac  bgpd-gr-route-selection-fix.patch
b64c5f1c9c96720899b6868724b37a95729926fea6513be5a7f4faac19cb76bb7016dd0ca76bd5d26472cd28313f24068fc75a28c086f54e4b46bb1080f83fcb  bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
0de1c3d1846ccc10577f87b67b43667428887fa8af38b70c46d357c45261e78e0f4343d5c60042abef3f674dd4322995b21139c78e59c894779616b8c0ff0620  CVE-2016-1245.patch
eb8cc77ae674b2448b25f7ad04895c95cfd9ba7479074fbb5728cdb3bd92b5d06e6394b530ad684c5ae67b31d74e01f1823f00e9a0d15be13a59df768a69e0ab  CVE-2016-2342.patch
d2bf7e8f2da49d0b039e72e76a77860b5b49d41a80550d6dc84791bbdec1d52e579393c5d42b45aa615991742421fef53ec1b92a5e740779b6060e20f5dd0413  bgpd.initd
a4955fe54729ec8cb17b72f3d2205d0a4ba814a51a5eb3635a85339de9a2d2342e4814ef8b1e011803fa1dc3c6f9a23b178848e0812576876343104854feb723  zebra.initd
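Review bot: all three checksum blocks gain exactly one CVE-2016-1245.patch entry and leave the existing entries untouched, which is what a pure addition should look like; since these lines are produced by `abuild checksum`, the useful review step is to recompute the sha512 of the 46-line patch file in the second half of this mail and check it matches the 0de1c3d1... entry above before merging.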
diff --git a/main/quagga/CVE-2016-1245.patch b/main/quagga/CVE-2016-1245.patch
new file mode 100644
index 0000000..ad7d764
--- /dev/null
+++ b/main/quagga/CVE-2016-1245.patch
@@ -0,0 +1,46 @@
https://bugs.alpinelinux.org/issues/6384

zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)
The IPv6 RA code also receives ICMPv6 RS and RA messages.
Unfortunately, by bad coding practice, the buffer size specified on
receiving such messages mixed up 2 constants that in fact have
different values.

The code itself has:
 #define RTADV_MSG_SIZE 4096
While BUFSIZ is system-dependent, in my case (x86_64 glibc):
 /usr/include/_G_config.h:#define _G_BUFSIZ 8192
 /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
 /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ

FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them
have BUFSIZ == 1024.

As the latter is passed to the kernel on recvmsg(), it's possible to
overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
to any of the system's addresses (using fragmentation to get to 8k).

(The socket has filters installed limiting this to RS and RA packets,
but does not have a filter for source address or TTL.)

Issue discovered by trying to test other stuff, which randomly caused
the stack to be smaller than 8kB in that code location, which then
causes the kernel to report EFAULT (Bad address).

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>

https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546

diff -ru quagga-0.99.24.1.orig/zebra/rtadv.c quagga-0.99.24.1/zebra/rtadv.c
--- quagga-0.99.24.1.orig/zebra/rtadv.c
+++ quagga-0.99.24.1/zebra/rtadv.c
@@ -515,7 +515,7 @@
   /* Register myself. */
   rtadv_event (RTADV_READ, sock);
 
-  len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
+  len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);
 
   if (len < 0) 
     {
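Review bot: replacing BUFSIZ with sizeof (buf) is the right fix, since the description makes clear BUFSIZ (8192 on glibc) exceeded the 4096-byte RTADV_MSG_SIZE buffer handed to recvmsg(); the one thing to confirm is that buf is declared as a fixed-size array in that function rather than a pointer, because sizeof on a pointer would yield the pointer width instead of the buffer length (the 4 kB stack overrun described above implies it is an array, so this is a sanity check, not a suspected bug). Two bookkeeping points: the header cites https://bugs.alpinelinux.org/issues/6384 while the mail subject says "fixes #6385", so one of the two references needs correcting so the right ticket gets closed; and the embedded diff is against quagga-0.99.24.1 whereas this aport is at 0.99.23.1, so a note that the hunk was verified against the 0.99.23.1 tree would help future readers of this patch file.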
-- 
2.2.1


