From: Sergey Lukin To: alpine-aports@lists.alpinelinux.org Cc: Sergey Lukin Subject: [alpine-aports] [PATCH v3.1] main/quagga: security upgrade - fixes #6385 Date: Mon, 12 Dec 2016 11:28:52 +0000 Message-Id: <1481542132-10549-1-git-send-email-sergej.lukin@gmail.com> X-Mailer: git-send-email 2.2.1 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-1245 --- main/quagga/APKBUILD | 14 ++++++++----- main/quagga/CVE-2016-1245.patch | 46 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 5 deletions(-) create mode 100644 main/quagga/CVE-2016-1245.patch diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD index 1f78c5a..8113cf4 100644 --- a/main/quagga/APKBUILD +++ b/main/quagga/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa pkgname=quagga pkgver=0.99.23.1 -pkgrel=2 +pkgrel=3 pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP." url="http://quagga.net/" arch="all" @@ -16,6 +16,7 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz 1001-bgpd-implement-next-hop-self-all.patch bgpd-gr-route-selection-fix.patch bgpd-fix-useless-call-in-bgpd_mplsvpn.patch + CVE-2016-1245.patch CVE-2016-2342.patch bgpd.initd @@ -23,9 +24,9 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz zebra.confd " -_builddir="$srcdir"/$pkgname-$pkgver +builddir="$srcdir"/$pkgname-$pkgver prepare() { - cd "$_builddir" + cd "$builddir" for i in $source; do case $i in *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; @@ -34,7 +35,7 @@ prepare() { } build() { - cd "$_builddir" + cd "$builddir" quagga_cv_ipforward_method=proc \ ./configure \ --build=$CBUILD \ @@ -60,7 +61,7 @@ build() { } package() { - cd "$_builddir" + cd "$builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 
@@ -78,6 +79,7 @@ md5sums="da14aed6ae4be582486816f3eac2a46f quagga-0.99.23.1.tar.xz cb97c9d7e192ca05b64c9da909daa97a 1001-bgpd-implement-next-hop-self-all.patch 1fbfcff69bc7df56f9e6682012261004 bgpd-gr-route-selection-fix.patch 0d21bd5e197324ffba95830ecb744a74 bgpd-fix-useless-call-in-bgpd_mplsvpn.patch +82495a990f82d36b2f71e0193840f72d CVE-2016-1245.patch f431ae1dc0e568b3f762609622170dc9 CVE-2016-2342.patch e80a3df594eba8b09e19aa28d9283698 bgpd.initd 33d0e34f11460881161ab930d3d3b987 zebra.initd @@ -86,6 +88,7 @@ sha256sums="202e8b7fbec810f28a84e3fbb6aafdaf08a3b51527c258807abc8a74ed617eb8 qu cd1a3cebe2e666fe95036dac5fe0b4c19772dc1d39859f5390c5c5d84695b8b3 1001-bgpd-implement-next-hop-self-all.patch 66de5b7c097aeb1767001547e219af51e43f968bd241dec7f0c71b68b54855de bgpd-gr-route-selection-fix.patch a34704790013154a97262a9d4c6a82cc97ad1288a3eca477227d6bd4cd5452ba bgpd-fix-useless-call-in-bgpd_mplsvpn.patch +5ea0138eda1e81f065f36957c51ba927b4c09512e28c84ea03b0e38787b4c84f CVE-2016-1245.patch b01d40dac0d5ac1d8e6df38fe8bc76aa5bae351ff8e35387690ae3b76608a922 CVE-2016-2342.patch 41471bfda120cb57bc0f40e87ec23a4f150d2b97c97ececdda6c408eab7cf9a3 bgpd.initd d6cc9280df63859ba711ad2071b38b9ce317d718c34840a2b101debef3fa7b56 zebra.initd 
@@ -94,6 +97,7 @@ sha512sums="7a222d4a5aa41deeb233f2e9ce922e5c29787c2f74c1b99177089e3183b69d3c0e4d a8b7c2f8c4e31841b735f17e2476adfc5d0b9caee4808ade19774fedf8abf935f0afda1bf43e79606dd5aca821a11435b69c84eec3cd6860c24e35775ff0bc3e 1001-bgpd-implement-next-hop-self-all.patch 3e3e1862739ed47da38720d87669ee0bfa2d6e2c2c65388727c92a22cad8b5bf9f4c302701cbd0cf3ac0186eeb1498aefed74c85d8f43ced41c78680fdbbc2ac bgpd-gr-route-selection-fix.patch b64c5f1c9c96720899b6868724b37a95729926fea6513be5a7f4faac19cb76bb7016dd0ca76bd5d26472cd28313f24068fc75a28c086f54e4b46bb1080f83fcb bgpd-fix-useless-call-in-bgpd_mplsvpn.patch +0de1c3d1846ccc10577f87b67b43667428887fa8af38b70c46d357c45261e78e0f4343d5c60042abef3f674dd4322995b21139c78e59c894779616b8c0ff0620 CVE-2016-1245.patch eb8cc77ae674b2448b25f7ad04895c95cfd9ba7479074fbb5728cdb3bd92b5d06e6394b530ad684c5ae67b31d74e01f1823f00e9a0d15be13a59df768a69e0ab CVE-2016-2342.patch d2bf7e8f2da49d0b039e72e76a77860b5b49d41a80550d6dc84791bbdec1d52e579393c5d42b45aa615991742421fef53ec1b92a5e740779b6060e20f5dd0413 bgpd.initd a4955fe54729ec8cb17b72f3d2205d0a4ba814a51a5eb3635a85339de9a2d2342e4814ef8b1e011803fa1dc3c6f9a23b178848e0812576876343104854feb723 zebra.initd diff --git a/main/quagga/CVE-2016-1245.patch b/main/quagga/CVE-2016-1245.patch new file mode 100644 index 0000000..ad7d764 --- /dev/null +++ b/main/quagga/CVE-2016-1245.patch 
@@ -0,0 +1,46 @@ +https://bugs.alpinelinux.org/issues/6384 + +zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245) +The IPv6 RA code also receives ICMPv6 RS and RA messages. +Unfortunately, by bad coding practice, the buffer size specified on +receiving such messages mixed up 2 constants that in fact have +different values. + +The code itself has: + #define RTADV_MSG_SIZE 4096 +While BUFSIZ is system-dependent, in my case (x86_64 glibc): + /usr/include/_G_config.h:#define _G_BUFSIZ 8192 + /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ + /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ + +FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them +have BUFSIZ == 1024. + +As the latter is passed to the kernel on recvmsg(), it's possible to +overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent +to any of the system's addresses (using fragmentation to get to 8k). + +(The socket has filters installed limiting this to RS and RA packets, +but does not have a filter for source address or TTL.) + +Issue discovered by trying to test other stuff, which randomly caused +the stack to be smaller than 8kB in that code location, which then +causes the kernel to report EFAULT (Bad address). + +Signed-off-by: David Lamparter +Reviewed-by: Donald Sharp + +https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546 + +diff -ru quagga-0.99.24.1.orig/zebra/rtadv.c quagga-0.99.24.1/zebra/rtadv.c +--- quagga-0.99.24.1.orig/zebra/rtadv.c ++++ quagga-0.99.24.1/zebra/rtadv.c +@@ -515,7 +515,7 @@ + /* Register myself. */ + rtadv_event (RTADV_READ, sock); + +- len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit); ++ len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit); + + if (len < 0) + { -- 2.2.1 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
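Review bot: The tracker reference inside the new patch file (`+https://bugs.alpinelinux.org/issues/6384`, first line of the `CVE-2016-1245.patch` hunk) does not match the subject line, which says "fixes #6385"; one of the two numbers is wrong and the cross-reference will not resolve on the tracker side, so please correct whichever is off before merging.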
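Review bot: The `rtadv.c` hunk (`@@ -515,7 +515,7 @@`) carries diff headers for `quagga-0.99.24.1`, but this APKBUILD packages `pkgver=0.99.23.1`. `patch -p1` strips that leading directory, so the hunk still targets `zebra/rtadv.c`, but the line offset was taken from a different release; please confirm `abuild unpack && abuild prepare` applies it at 0.99.23.1 without fuzz, or regenerate the patch against the packaged tarball so the header matches. Separately, `sizeof (buf)` is only the right size if `buf` is a local array in that function (as the commit message's `RTADV_MSG_SIZE 4096` suggests); the declaration is outside the hunk context, so check it is not a pointer, where `sizeof` would yield the pointer width instead of the buffer length.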
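Review bot: The `_builddir` to `builddir` rename (hunks `@@ -23,9 +24,9 @@`, `@@ -34,7 +35,7 @@` and `@@ -60,7 +61,7 @@`) is unrelated to the CVE backport and makes a security upgrade harder to review and cherry-pick to stable branches; it is a harmless modernisation, but it would be cleaner as a separate commit, with this one limited to the `pkgrel` bump, the `source=` entry and the checksums.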
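The commit message above describes the bug as a length-constant mix-up: the receive buffer is RTADV_MSG_SIZE (4096) bytes, but BUFSIZ (8192 on glibc) is passed to recvmsg(), and the kernel trusts that length. The following is an added example of mine, not Quagga code and not part of the submitted patch, that reproduces that mechanism with a real recvmsg() on Linux. It stands in an AF_UNIX datagram socketpair for the ICMPv6 raw socket, sends a constructed 8192-byte datagram, and receives it into a heap region laid out as a 4096-byte "buffer" followed by canary bytes, so the overrun stays inside the allocation and the program can count how far past the buffer the kernel wrote. `run_case` takes the claimed length explicitly; `vulnerable_case` uses this host's BUFSIZ, which is 8192 on glibc but 1024 on musl (the libc Alpine builds against), where the unfixed call under-reads large RAs rather than overrunning.

```c
/* Added example, not Quagga code: reproduce the CVE-2016-1245 length mix-up
 * with a real recvmsg() over a datagram socketpair (Linux assumed). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#define RTADV_MSG_SIZE 4096   /* Quagga's real buffer size, per the commit message */
#define CANARY_BYTE    0xA5   /* fill pattern for the bytes past the buffer */

struct recv_result {
    ssize_t len;        /* what recvmsg() returned */
    int     truncated;  /* 1 if the kernel set MSG_TRUNC */
    size_t  clobbered;  /* canary bytes beyond the 4096-byte buffer that got overwritten */
};

/* Stand-in for Quagga's rtadv_recv_packet(): one recvmsg() with a single
 * iovec whose iov_len is whatever the caller claims. The kernel trusts it. */
static ssize_t recv_claiming(int sock, uint8_t *buf, size_t claimed_len, int *flags_out)
{
    struct iovec iov = { .iov_base = buf, .iov_len = claimed_len };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    ssize_t n = recvmsg(sock, &msg, 0);
    *flags_out = msg.msg_flags;
    return n;
}

/* Sends a constructed datagram of dgram_len bytes (all 0x42) over an AF_UNIX
 * datagram socketpair and receives it into a heap region laid out as
 * [RTADV_MSG_SIZE-byte buffer][canary ...], claiming claimed_len bytes of
 * space. The region is sized so the worst-case write still lands inside the
 * allocation: the demonstration stays well-defined C while showing exactly
 * how many bytes the kernel wrote past the real buffer. */
struct recv_result run_case(size_t claimed_len, size_t dgram_len)
{
    struct recv_result r = { -1, 0, 0 };
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return r;

    size_t region_len = RTADV_MSG_SIZE + dgram_len;
    uint8_t *region = malloc(region_len);
    uint8_t *dgram  = malloc(dgram_len);
    if (region && dgram) {
        memset(region, CANARY_BYTE, region_len);
        memset(dgram, 0x42, dgram_len);
        if (send(sv[0], dgram, dgram_len, 0) == (ssize_t)dgram_len) {
            int flags = 0;
            r.len = recv_claiming(sv[1], region, claimed_len, &flags);
            r.truncated = (flags & MSG_TRUNC) != 0;
            for (size_t i = RTADV_MSG_SIZE; i < region_len; i++)
                if (region[i] != CANARY_BYTE)
                    r.clobbered++;
        }
    }
    free(dgram);
    free(region);
    close(sv[0]);
    close(sv[1]);
    return r;
}

/* Pre-fix call shape: RTADV_MSG_SIZE buffer, BUFSIZ claimed. */
struct recv_result vulnerable_case(size_t dgram_len) { return run_case(BUFSIZ, dgram_len); }
/* Post-fix call shape: sizeof(buf) claimed, i.e. RTADV_MSG_SIZE. */
struct recv_result fixed_case(size_t dgram_len) { return run_case(RTADV_MSG_SIZE, dgram_len); }

int main(void)
{
    /* 8192 bytes: an RA this size needs IPv6 fragmentation, as the commit message notes. */
    struct recv_result v = vulnerable_case(8192);
    struct recv_result f = fixed_case(8192);
    printf("BUFSIZ on this libc  : %d\n", BUFSIZ);
    printf("claimed BUFSIZ       : len=%zd truncated=%d bytes_past_buffer=%zu\n",
           v.len, v.truncated, v.clobbered);
    printf("claimed sizeof(buf)  : len=%zd truncated=%d bytes_past_buffer=%zu\n",
           f.len, f.truncated, f.clobbered);
    return 0;
}
```

With the claimed length at 8192 the kernel returns all 8192 bytes and 4096 canary bytes are overwritten; with the claimed length at 4096 it copies 4096 bytes, leaves the canary intact and sets MSG_TRUNC, which is the behaviour the one-line fix buys. Quagga never checks MSG_TRUNC either, so an oversized RA is silently cut at 4096 bytes after the fix; that is the safe failure mode here, but worth knowing when debugging RA parsing.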