Mail archive
alpine-aports

[alpine-aports] [PATCH v3.1] main/quagga: security upgrade - fixes #6385

From: Sergey Lukin <sergej.lukin_at_gmail.com>
Date: Mon, 12 Dec 2016 11:28:52 +0000

CVE-2016-1245
---
 main/quagga/APKBUILD            | 14 ++++++++-----
 main/quagga/CVE-2016-1245.patch | 46 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 5 deletions(-)
 create mode 100644 main/quagga/CVE-2016-1245.patch
diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD
index 1f78c5a..8113cf4 100644
--- a/main/quagga/APKBUILD
+++ b/main/quagga/APKBUILD
_at_@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=quagga
 pkgver=0.99.23.1
-pkgrel=2
+pkgrel=3
 pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP."
 url="http://quagga.net/"
 arch="all"
_at_@ -16,6 +16,7 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
 	1001-bgpd-implement-next-hop-self-all.patch
 	bgpd-gr-route-selection-fix.patch
 	bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+	CVE-2016-1245.patch
 	CVE-2016-2342.patch
 
 	bgpd.initd
_at_@ -23,9 +24,9 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
 	zebra.confd
 	"
 
-_builddir="$srcdir"/$pkgname-$pkgver
+builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
-	cd "$_builddir"
+	cd "$builddir"
 	for i in $source; do
 		case $i in
 		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
_at_@ -34,7 +35,7 @@ prepare() {
 }
 
 build() {
-	cd "$_builddir"
+	cd "$builddir"
 	quagga_cv_ipforward_method=proc \
 	./configure \
 		--build=$CBUILD \
_at_@ -60,7 +61,7 @@ build() {
 }
 
 package() {
-	cd "$_builddir"
+	cd "$builddir"
 	make DESTDIR="$pkgdir" install || return 1
 	rm "$pkgdir"/usr/lib/*.la || return 1
 
_at_@ -78,6 +79,7 @@ md5sums="da14aed6ae4be582486816f3eac2a46f  quagga-0.99.23.1.tar.xz
 cb97c9d7e192ca05b64c9da909daa97a  1001-bgpd-implement-next-hop-self-all.patch
 1fbfcff69bc7df56f9e6682012261004  bgpd-gr-route-selection-fix.patch
 0d21bd5e197324ffba95830ecb744a74  bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+82495a990f82d36b2f71e0193840f72d  CVE-2016-1245.patch
 f431ae1dc0e568b3f762609622170dc9  CVE-2016-2342.patch
 e80a3df594eba8b09e19aa28d9283698  bgpd.initd
 33d0e34f11460881161ab930d3d3b987  zebra.initd
_at_@ -86,6 +88,7 @@ sha256sums="202e8b7fbec810f28a84e3fbb6aafdaf08a3b51527c258807abc8a74ed617eb8  qu
 cd1a3cebe2e666fe95036dac5fe0b4c19772dc1d39859f5390c5c5d84695b8b3  1001-bgpd-implement-next-hop-self-all.patch
 66de5b7c097aeb1767001547e219af51e43f968bd241dec7f0c71b68b54855de  bgpd-gr-route-selection-fix.patch
 a34704790013154a97262a9d4c6a82cc97ad1288a3eca477227d6bd4cd5452ba  bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+5ea0138eda1e81f065f36957c51ba927b4c09512e28c84ea03b0e38787b4c84f  CVE-2016-1245.patch
 b01d40dac0d5ac1d8e6df38fe8bc76aa5bae351ff8e35387690ae3b76608a922  CVE-2016-2342.patch
 41471bfda120cb57bc0f40e87ec23a4f150d2b97c97ececdda6c408eab7cf9a3  bgpd.initd
 d6cc9280df63859ba711ad2071b38b9ce317d718c34840a2b101debef3fa7b56  zebra.initd
_at_@ -94,6 +97,7 @@ sha512sums="7a222d4a5aa41deeb233f2e9ce922e5c29787c2f74c1b99177089e3183b69d3c0e4d
 a8b7c2f8c4e31841b735f17e2476adfc5d0b9caee4808ade19774fedf8abf935f0afda1bf43e79606dd5aca821a11435b69c84eec3cd6860c24e35775ff0bc3e  1001-bgpd-implement-next-hop-self-all.patch
 3e3e1862739ed47da38720d87669ee0bfa2d6e2c2c65388727c92a22cad8b5bf9f4c302701cbd0cf3ac0186eeb1498aefed74c85d8f43ced41c78680fdbbc2ac  bgpd-gr-route-selection-fix.patch
 b64c5f1c9c96720899b6868724b37a95729926fea6513be5a7f4faac19cb76bb7016dd0ca76bd5d26472cd28313f24068fc75a28c086f54e4b46bb1080f83fcb  bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+0de1c3d1846ccc10577f87b67b43667428887fa8af38b70c46d357c45261e78e0f4343d5c60042abef3f674dd4322995b21139c78e59c894779616b8c0ff0620  CVE-2016-1245.patch
 eb8cc77ae674b2448b25f7ad04895c95cfd9ba7479074fbb5728cdb3bd92b5d06e6394b530ad684c5ae67b31d74e01f1823f00e9a0d15be13a59df768a69e0ab  CVE-2016-2342.patch
 d2bf7e8f2da49d0b039e72e76a77860b5b49d41a80550d6dc84791bbdec1d52e579393c5d42b45aa615991742421fef53ec1b92a5e740779b6060e20f5dd0413  bgpd.initd
 a4955fe54729ec8cb17b72f3d2205d0a4ba814a51a5eb3635a85339de9a2d2342e4814ef8b1e011803fa1dc3c6f9a23b178848e0812576876343104854feb723  zebra.initd
diff --git a/main/quagga/CVE-2016-1245.patch b/main/quagga/CVE-2016-1245.patch
new file mode 100644
index 0000000..ad7d764
--- /dev/null
+++ b/main/quagga/CVE-2016-1245.patch
_at_@ -0,0 +1,46 @@
+https://bugs.alpinelinux.org/issues/6384
+
+zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)
+The IPv6 RA code also receives ICMPv6 RS and RA messages.
+Unfortunately, by bad coding practice, the buffer size specified on
+receiving such messages mixed up 2 constants that in fact have
+different values.
+
+The code itself has:
+ #define RTADV_MSG_SIZE 4096
+While BUFSIZ is system-dependent, in my case (x86_64 glibc):
+ /usr/include/_G_config.h:#define _G_BUFSIZ 8192
+ /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
+ /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ
+
+FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them
+have BUFSIZ == 1024.
+
+As the latter is passed to the kernel on recvmsg(), it's possible to
+overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
+to any of the system's addresses (using fragmentation to get to 8k).
+
+(The socket has filters installed limiting this to RS and RA packets,
+but does not have a filter for source address or TTL.)
+
+Issue discovered by trying to test other stuff, which randomly caused
+the stack to be smaller than 8kB in that code location, which then
+causes the kernel to report EFAULT (Bad address).
+
+Signed-off-by: David Lamparter <equinox_at_opensourcerouting.org>
+Reviewed-by: Donald Sharp <sharpd_at_cumulusnetworks.com>
+
+https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
+
+diff -ru quagga-0.99.24.1.orig/zebra/rtadv.c quagga-0.99.24.1/zebra/rtadv.c
+--- quagga-0.99.24.1.orig/zebra/rtadv.c
++++ quagga-0.99.24.1/zebra/rtadv.c
+_at_@ -515,7 +515,7 @@
+   /* Register myself. */
+   rtadv_event (RTADV_READ, sock);
+ 
+-  len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
++  len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);
+ 
+   if (len < 0) 
+     {
-- 
2.2.1
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Mon Dec 12 2016 - 11:28:52 GMT