CVE-2016-1245
---
main/quagga/APKBUILD | 14 ++++++++-----
main/quagga/CVE-2016-1245.patch | 46 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 55 insertions(+), 5 deletions(-)
create mode 100644 main/quagga/CVE-2016-1245.patch
diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD
index 1f78c5a..8113cf4 100644
--- a/main/quagga/APKBUILD
+++ b/main/quagga/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=quagga
pkgver=0.99.23.1
-pkgrel=2
+pkgrel=3
pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP."
url="http://quagga.net/"
arch="all"
@@ -16,6 +16,7 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
1001-bgpd-implement-next-hop-self-all.patch
bgpd-gr-route-selection-fix.patch
bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+ CVE-2016-1245.patch
CVE-2016-2342.patch
bgpd.initd
@@ -23,9 +24,9 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
zebra.confd
"
-_builddir="$srcdir"/$pkgname-$pkgver
+builddir="$srcdir"/$pkgname-$pkgver
prepare() {
- cd "$_builddir"
+ cd "$builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
@@ -34,7 +35,7 @@ prepare() {
}
build() {
- cd "$_builddir"
+ cd "$builddir"
quagga_cv_ipforward_method=proc \
./configure \
--build=$CBUILD \
@@ -60,7 +61,7 @@ build() {
}
package() {
- cd "$_builddir"
+ cd "$builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
@@ -78,6 +79,7 @@ md5sums="da14aed6ae4be582486816f3eac2a46f quagga-0.99.23.1.tar.xz
cb97c9d7e192ca05b64c9da909daa97a 1001-bgpd-implement-next-hop-self-all.patch
1fbfcff69bc7df56f9e6682012261004 bgpd-gr-route-selection-fix.patch
0d21bd5e197324ffba95830ecb744a74 bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+82495a990f82d36b2f71e0193840f72d CVE-2016-1245.patch
f431ae1dc0e568b3f762609622170dc9 CVE-2016-2342.patch
e80a3df594eba8b09e19aa28d9283698 bgpd.initd
33d0e34f11460881161ab930d3d3b987 zebra.initd
@@ -86,6 +88,7 @@ sha256sums="202e8b7fbec810f28a84e3fbb6aafdaf08a3b51527c258807abc8a74ed617eb8 qu
cd1a3cebe2e666fe95036dac5fe0b4c19772dc1d39859f5390c5c5d84695b8b3 1001-bgpd-implement-next-hop-self-all.patch
66de5b7c097aeb1767001547e219af51e43f968bd241dec7f0c71b68b54855de bgpd-gr-route-selection-fix.patch
a34704790013154a97262a9d4c6a82cc97ad1288a3eca477227d6bd4cd5452ba bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+5ea0138eda1e81f065f36957c51ba927b4c09512e28c84ea03b0e38787b4c84f CVE-2016-1245.patch
b01d40dac0d5ac1d8e6df38fe8bc76aa5bae351ff8e35387690ae3b76608a922 CVE-2016-2342.patch
41471bfda120cb57bc0f40e87ec23a4f150d2b97c97ececdda6c408eab7cf9a3 bgpd.initd
d6cc9280df63859ba711ad2071b38b9ce317d718c34840a2b101debef3fa7b56 zebra.initd
@@ -94,6 +97,7 @@ sha512sums="7a222d4a5aa41deeb233f2e9ce922e5c29787c2f74c1b99177089e3183b69d3c0e4d
a8b7c2f8c4e31841b735f17e2476adfc5d0b9caee4808ade19774fedf8abf935f0afda1bf43e79606dd5aca821a11435b69c84eec3cd6860c24e35775ff0bc3e 1001-bgpd-implement-next-hop-self-all.patch
3e3e1862739ed47da38720d87669ee0bfa2d6e2c2c65388727c92a22cad8b5bf9f4c302701cbd0cf3ac0186eeb1498aefed74c85d8f43ced41c78680fdbbc2ac bgpd-gr-route-selection-fix.patch
b64c5f1c9c96720899b6868724b37a95729926fea6513be5a7f4faac19cb76bb7016dd0ca76bd5d26472cd28313f24068fc75a28c086f54e4b46bb1080f83fcb bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+0de1c3d1846ccc10577f87b67b43667428887fa8af38b70c46d357c45261e78e0f4343d5c60042abef3f674dd4322995b21139c78e59c894779616b8c0ff0620 CVE-2016-1245.patch
eb8cc77ae674b2448b25f7ad04895c95cfd9ba7479074fbb5728cdb3bd92b5d06e6394b530ad684c5ae67b31d74e01f1823f00e9a0d15be13a59df768a69e0ab CVE-2016-2342.patch
d2bf7e8f2da49d0b039e72e76a77860b5b49d41a80550d6dc84791bbdec1d52e579393c5d42b45aa615991742421fef53ec1b92a5e740779b6060e20f5dd0413 bgpd.initd
a4955fe54729ec8cb17b72f3d2205d0a4ba814a51a5eb3635a85339de9a2d2342e4814ef8b1e011803fa1dc3c6f9a23b178848e0812576876343104854feb723 zebra.initd
diff --git a/main/quagga/CVE-2016-1245.patch b/main/quagga/CVE-2016-1245.patch
new file mode 100644
index 0000000..ad7d764
--- /dev/null
+++ b/main/quagga/CVE-2016-1245.patch
@@ -0,0 +1,46 @@
+https://bugs.alpinelinux.org/issues/6384
+
+zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)
+The IPv6 RA code also receives ICMPv6 RS and RA messages.
+Unfortunately, by bad coding practice, the buffer size specified on
+receiving such messages mixed up 2 constants that in fact have
+different values.
+
+The code itself has:
+ #define RTADV_MSG_SIZE 4096
+While BUFSIZ is system-dependent, in my case (x86_64 glibc):
+ /usr/include/_G_config.h:#define _G_BUFSIZ 8192
+ /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
+ /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ
+
+FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them
+have BUFSIZ == 1024.
+
+As the latter is passed to the kernel on recvmsg(), it's possible to
+overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
+to any of the system's addresses (using fragmentation to get to 8k).
+
+(The socket has filters installed limiting this to RS and RA packets,
+but does not have a filter for source address or TTL.)
+
+Issue discovered by trying to test other stuff, which randomly caused
+the stack to be smaller than 8kB in that code location, which then
+causes the kernel to report EFAULT (Bad address).
+
+Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
+Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>
+
+https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
+
+diff -ru quagga-0.99.24.1.orig/zebra/rtadv.c quagga-0.99.24.1/zebra/rtadv.c
+--- quagga-0.99.24.1.orig/zebra/rtadv.c
++++ quagga-0.99.24.1/zebra/rtadv.c
+@@ -515,7 +515,7 @@
+ /* Register myself. */
+ rtadv_event (RTADV_READ, sock);
+
+- len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
++ len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);
+
+ if (len < 0)
+ {
--
2.2.1
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---