Hello community, here is the log from the commit of package quagga for openSUSE:11.3 checked in at Thu Mar 31 18:06:51 CEST 2011. -------- --- old-versions/11.3/UPDATES/all/quagga/quagga.changes 2010-11-10 17:26:08.000000000 +0100 +++ 11.3/quagga/quagga.changes 2011-03-31 14:14:30.000000000 +0200 @@ -1,0 +2,5 @@ +Wed Feb 23 13:10:09 UTC 2011 - prusnak@opensuse.org + +- fix CVE-2010-1674 and CVE-2010-1675 [bnc#654270] + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- quagga-0.99.17-CVE-2010-1674.patch quagga-0.99.17-CVE-2010-1675.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ quagga.spec ++++++ --- /var/tmp/diff_new_pack.chlgK9/_old 2011-03-31 18:06:22.000000000 +0200 +++ /var/tmp/diff_new_pack.chlgK9/_new 2011-03-31 18:06:22.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package quagga (Version 0.99.17) +# spec file for package quagga # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ Name: quagga Version: 0.99.17 -Release: 1.<RELEASE1> +Release: 1.<RELEASE5> License: LGPLv2.1+ Summary: Free Routing Software (for BGP, OSPF and RIP, for example) Url: http://www.quagga.net @@ -27,6 +27,8 @@ Source: http://www.quagga.net/download/%{name}-%{version}.tar.gz Source1: %{name}-SUSE.tar.bz2 Source2: %{name}.pam +Patch0: %{name}-0.99.17-CVE-2010-1674.patch +Patch1: %{name}-0.99.17-CVE-2010-1675.patch BuildRequires: net-snmp-devel BuildRequires: pam-devel BuildRequires: readline-devel 
@@ -64,6 +66,8 @@ %prep %setup -q -a 1 +%patch0 -p 1 +%patch1 -p 1 %build if ! ls /proc/net/{dev,route,snmp} >/dev/null; then ++++++ quagga-0.99.17-CVE-2010-1674.patch ++++++ commit 5aadc3763588766490a25ef6b475f64ef88f8e0e Author: Paul Jakma <paul@quagga.net> Date: Sun Dec 5 17:17:26 2010 +0000 bgpd/security: CVE-2010-1674 Fix crash due to extended-community parser error * bgp_attr.c: (bgp_attr_ext_communities) Certain extended-community attrs can leave attr->flag indicating ext-community is present, even though no extended-community object has been attached to the attr structure. Thus a null-pointer dereference can occur later. (bgp_attr_community) No bug fixed here, but tidy up flow so it has same form as previous. Problem and fix thanks to anonymous reporter. Index: quagga-0.99.17/bgpd/bgp_attr.c =================================================================== --- quagga-0.99.17.orig/bgpd/bgp_attr.c +++ quagga-0.99.17/bgpd/bgp_attr.c @@ -1235,13 +1235,16 @@ bgp_attr_community (struct peer *peer, b attr->community = NULL; return 0; } - else - { - attr->community = - community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length); - stream_forward_getp (peer->ibuf, length); - } + + attr->community = + community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length); + + /* XXX: fix community_parse to use stream API and remove this */ + stream_forward_getp (peer->ibuf, length); + if (!attr->community) + return -1; + attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_COMMUNITIES); return 0; 
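Review bot: The new `if (!attr->community) return -1;` path in bgp_attr_community rejects a COMMUNITIES attribute that community_parse could not parse without logging anything, so an operator has no record of which peer sent the malformed attribute. A line such as `zlog (peer->log, LOG_ERR, "Malformed COMMUNITIES attribute, length %u", length);` before the return would make this visible in the logs. The same applies to `if (!attr->extra->ecommunity) return -1;` in the bgp_attr_ext_communities hunk. Whether the caller sends a NOTIFICATION on -1 is not visible here, and bgp_attr_community begins outside the hunk.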
@@ -1478,13 +1481,18 @@ bgp_attr_ext_communities (struct peer *p { if (attr->extra) attr->extra->ecommunity = NULL; + /* Empty extcomm doesn't seem to be invalid per se */ + return 0; } - else - { - (bgp_attr_extra_get (attr))->ecommunity = - ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length); - stream_forward_getp (peer->ibuf, length); - } + + (bgp_attr_extra_get (attr))->ecommunity = + ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length); + /* XXX: fix ecommunity_parse to use stream API */ + stream_forward_getp (peer->ibuf, length); + + if (!attr->extra->ecommunity) + return -1; + attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES); return 0; ++++++ quagga-0.99.17-CVE-2010-1675.patch ++++++ Index: quagga-0.99.17/bgpd/bgp_attr.c =================================================================== --- quagga-0.99.17.orig/bgpd/bgp_attr.c +++ quagga-0.99.17/bgpd/bgp_attr.c 
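Review bot: The invariant this fix restores in bgp_attr_ext_communities, that the BGP_ATTR_EXT_COMMUNITIES bit in attr->flag is set only when attr->extra->ecommunity is non-NULL, is not written down in the new code, so a later edit could reintroduce the flag/pointer mismatch the commit message describes. A comment above the final `attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES);` such as `/* Invariant: set the flag only after a non-NULL ecommunity is attached; later code trusts the flag */` would record it. The early-return branch resets the pointer but leaves attr->flag untouched. If the bit can already be set on entry (not visible here, as the function starts outside the hunk), adding `attr->flag &= ~ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES);` in that branch would keep the two in step.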
@@ -704,43 +704,6 @@ bgp_attr_flush (struct attr *attr) } } -/* Parse AS_PATHLIMIT attribute in an UPDATE */ -static int -bgp_attr_aspathlimit (struct peer *peer, bgp_size_t length, - struct attr *attr, u_char flag, u_char *startp) -{ - bgp_size_t total; - - total = length + (CHECK_FLAG (flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); - - if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) - || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) - { - zlog (peer->log, LOG_ERR, - "AS-Pathlimit attribute flag isn't transitive %d", flag); - bgp_notify_send_with_data (peer, - BGP_NOTIFY_UPDATE_ERR, - BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, - startp, total); - return -1; - } - - if (length != 5) - { - zlog (peer->log, LOG_ERR, - "AS-Pathlimit length, %u, is not 5", length); - bgp_notify_send_with_data (peer, - BGP_NOTIFY_UPDATE_ERR, - BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, - startp, total); - return -1; - } - - attr->pathlimit.ttl = stream_getc (BGP_INPUT(peer)); - attr->pathlimit.as = stream_getl (BGP_INPUT(peer)); - attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_AS_PATHLIMIT); - return 0; -} /* Get origin attribute of the update message. */ static int bgp_attr_origin (struct peer *peer, bgp_size_t length, @@ -1717,9 +1680,6 @@ bgp_attr_parse (struct peer *peer, struc case BGP_ATTR_EXT_COMMUNITIES: ret = bgp_attr_ext_communities (peer, length, attr, flag); break; - case BGP_ATTR_AS_PATHLIMIT: - ret = bgp_attr_aspathlimit (peer, length, attr, flag, startp); - break; default: ret = bgp_attr_unknown (peer, attr, flag, type, length, startp); break; 
@@ -2273,25 +2233,7 @@ bgp_packet_attribute (struct bgp *bgp, s stream_putl (s, attr->extra->aggregator_as); stream_put_ipv4 (s, attr->extra->aggregator_addr.s_addr); } - - /* AS-Pathlimit */ - if (attr->pathlimit.ttl) - { - u_int32_t as = attr->pathlimit.as; - - /* should already have been done in announce_check(), - * but just in case.. - */ - if (!as) - as = peer->local_as; - - stream_putc (s, BGP_ATTR_FLAG_OPTIONAL|BGP_ATTR_FLAG_TRANS); - stream_putc (s, BGP_ATTR_AS_PATHLIMIT); - stream_putc (s, 5); - stream_putc (s, attr->pathlimit.ttl); - stream_putl (s, as); - } - + /* Unknown transit attribute. */ if (attr->extra && attr->extra->transit) stream_put (s, attr->extra->transit->val, attr->extra->transit->length); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org