Hello community,
here is the log from the commit of package quagga for openSUSE:11.4
checked in at Fri Apr 1 11:45:16 CEST 2011.
--------
--- old-versions/11.4/all/quagga/quagga.changes 2010-11-10 17:26:08.000000000 +0100
+++ 11.4/quagga/quagga.changes 2011-03-31 14:14:15.000000000 +0200
@@ -1,0 +2,5 @@
+Wed Feb 23 13:10:09 UTC 2011 - prusnak@opensuse.org
+
+- fix CVE-2010-1674 and CVE-2010-1675 [bnc#654270]
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/quagga
Destination is old-versions/11.4/UPDATES/all/quagga
calling whatdependson for 11.4-i586
New:
----
quagga-0.99.17-CVE-2010-1674.patch
quagga-0.99.17-CVE-2010-1675.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ quagga.spec ++++++
--- /var/tmp/diff_new_pack.flDjRU/_old 2011-04-01 11:44:37.000000000 +0200
+++ /var/tmp/diff_new_pack.flDjRU/_new 2011-04-01 11:44:37.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package quagga (Version 0.99.17)
+# spec file for package quagga
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
Name: quagga
Version: 0.99.17
-Release: 1
+Release: 4.<RELEASE5>
License: LGPLv2.1+
Summary: Free Routing Software (for BGP, OSPF and RIP, for example)
Url: http://www.quagga.net
@@ -27,6 +27,8 @@
Source: http://www.quagga.net/download/%{name}-%{version}.tar.gz
Source1: %{name}-SUSE.tar.bz2
Source2: %{name}.pam
+Patch0: %{name}-0.99.17-CVE-2010-1674.patch
+Patch1: %{name}-0.99.17-CVE-2010-1675.patch
BuildRequires: net-snmp-devel
BuildRequires: pam-devel
BuildRequires: readline-devel
@@ -64,6 +66,8 @@
%prep
%setup -q -a 1
+%patch0 -p 1
+%patch1 -p 1
%build
if ! ls /proc/net/{dev,route,snmp} >/dev/null; then
++++++ quagga-0.99.17-CVE-2010-1674.patch ++++++
commit 5aadc3763588766490a25ef6b475f64ef88f8e0e
Author: Paul Jakma
Date: Sun Dec 5 17:17:26 2010 +0000
bgpd/security: CVE-2010-1674 Fix crash due to extended-community parser error
* bgp_attr.c: (bgp_attr_ext_communities) Certain extended-community attrs
can leave attr->flag indicating ext-community is present, even though no
extended-community object has been attached to the attr structure. Thus a
null-pointer dereference can occur later.
(bgp_attr_community) No bug fixed here, but tidy up flow so it has same
form as previous.
Problem and fix thanks to anonymous reporter.
Index: quagga-0.99.17/bgpd/bgp_attr.c
===================================================================
--- quagga-0.99.17.orig/bgpd/bgp_attr.c
+++ quagga-0.99.17/bgpd/bgp_attr.c
@@ -1235,13 +1235,16 @@ bgp_attr_community (struct peer *peer, b
attr->community = NULL;
return 0;
}
- else
- {
- attr->community =
- community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length);
- stream_forward_getp (peer->ibuf, length);
- }
+
+ attr->community =
+ community_parse ((u_int32_t *)stream_pnt (peer->ibuf), length);
+
+ /* XXX: fix community_parse to use stream API and remove this */
+ stream_forward_getp (peer->ibuf, length);
+ if (!attr->community)
+ return -1;
+
attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_COMMUNITIES);
return 0;
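Review bot: The new `if (!attr->community) return -1;` path fails silently, since nothing is logged and no NOTIFICATION is sent in this hunk. The AS_PATHLIMIT parser removed by the companion CVE-2010-1675 patch called `zlog (peer->log, LOG_ERR, ...)` and `bgp_notify_send_with_data` before returning -1. The same applies to `if (!attr->extra->ecommunity) return -1;` added in bgp_attr_ext_communities. I would at least add `zlog (peer->log, LOG_ERR, "Malformed COMMUNITIES attribute, length %u", length);` before the return, so an operator can tell which attribute was rejected. The function body starts before this hunk and the handling of -1 in bgp_attr_parse is not visible here; if -1 resets the session, a comment should say that a malformed optional attribute now has that effect.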
@@ -1478,13 +1481,18 @@ bgp_attr_ext_communities (struct peer *p
{
if (attr->extra)
attr->extra->ecommunity = NULL;
+ /* Empty extcomm doesn't seem to be invalid per se */
+ return 0;
}
- else
- {
- (bgp_attr_extra_get (attr))->ecommunity =
- ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length);
- stream_forward_getp (peer->ibuf, length);
- }
+
+ (bgp_attr_extra_get (attr))->ecommunity =
+ ecommunity_parse ((u_int8_t *)stream_pnt (peer->ibuf), length);
+ /* XXX: fix ecommunity_parse to use stream API */
+ stream_forward_getp (peer->ibuf, length);
+
+ if (!attr->extra->ecommunity)
+ return -1;
+
attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES);
return 0;
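Review bot: The invariant this fix establishes is not written down next to the code that enforces it. Going by the commit message, the crash came from attr->flag advertising an extended community while no ecommunity object was attached, so the final `attr->flag |= ...` line must only be reached with a non-NULL pointer. I would put `/* Invariant: the EXT_COMMUNITIES flag bit is set only when extra->ecommunity is non-NULL; later code dereferences it based on the flag alone. */` above the NULL check. As a style point, the result of `bgp_attr_extra_get (attr)` could be kept in a local so that the assignment and the check visibly use the same object, rather than re-reading `attr->extra`. The function body starts before this hunk.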
++++++ quagga-0.99.17-CVE-2010-1675.patch ++++++
Index: quagga-0.99.17/bgpd/bgp_attr.c
===================================================================
--- quagga-0.99.17.orig/bgpd/bgp_attr.c
+++ quagga-0.99.17/bgpd/bgp_attr.c
@@ -704,43 +704,6 @@ bgp_attr_flush (struct attr *attr)
}
}
-/* Parse AS_PATHLIMIT attribute in an UPDATE */
-static int
-bgp_attr_aspathlimit (struct peer *peer, bgp_size_t length,
- struct attr *attr, u_char flag, u_char *startp)
-{
- bgp_size_t total;
-
- total = length + (CHECK_FLAG (flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
-
- if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
- || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL))
- {
- zlog (peer->log, LOG_ERR,
- "AS-Pathlimit attribute flag isn't transitive %d", flag);
- bgp_notify_send_with_data (peer,
- BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
- startp, total);
- return -1;
- }
-
- if (length != 5)
- {
- zlog (peer->log, LOG_ERR,
- "AS-Pathlimit length, %u, is not 5", length);
- bgp_notify_send_with_data (peer,
- BGP_NOTIFY_UPDATE_ERR,
- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
- startp, total);
- return -1;
- }
-
- attr->pathlimit.ttl = stream_getc (BGP_INPUT(peer));
- attr->pathlimit.as = stream_getl (BGP_INPUT(peer));
- attr->flag |= ATTR_FLAG_BIT (BGP_ATTR_AS_PATHLIMIT);
- return 0;
-}
/* Get origin attribute of the update message. */
static int
bgp_attr_origin (struct peer *peer, bgp_size_t length,
@@ -1717,9 +1680,6 @@ bgp_attr_parse (struct peer *peer, struc
case BGP_ATTR_EXT_COMMUNITIES:
ret = bgp_attr_ext_communities (peer, length, attr, flag);
break;
- case BGP_ATTR_AS_PATHLIMIT:
- ret = bgp_attr_aspathlimit (peer, length, attr, flag, startp);
- break;
default:
ret = bgp_attr_unknown (peer, attr, flag, type, length, startp);
break;
@@ -2273,25 +2233,7 @@ bgp_packet_attribute (struct bgp *bgp, s
stream_putl (s, attr->extra->aggregator_as);
stream_put_ipv4 (s, attr->extra->aggregator_addr.s_addr);
}
-
- /* AS-Pathlimit */
- if (attr->pathlimit.ttl)
- {
- u_int32_t as = attr->pathlimit.as;
-
- /* should already have been done in announce_check(),
- * but just in case..
- */
- if (!as)
- as = peer->local_as;
-
- stream_putc (s, BGP_ATTR_FLAG_OPTIONAL|BGP_ATTR_FLAG_TRANS);
- stream_putc (s, BGP_ATTR_AS_PATHLIMIT);
- stream_putc (s, 5);
- stream_putc (s, attr->pathlimit.ttl);
- stream_putl (s, as);
- }
-
+
/* Unknown transit attribute. */
if (attr->extra && attr->extra->transit)
stream_put (s, attr->extra->transit->val, attr->extra->transit->length);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++