Hello community, here is the log from the commit of package quagga for openSUSE:Factory checked in at 2018-02-16 21:45:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/quagga (Old) and /work/SRC/openSUSE:Factory/.quagga.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "quagga" Fri Feb 16 21:45:15 2018 rev:53 rq:577176 version:1.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/quagga/quagga.changes 2017-11-25 08:43:34.356260511 +0100 +++ /work/SRC/openSUSE:Factory/.quagga.new/quagga.changes 2018-02-16 21:45:16.633778681 +0100 @@ -1,0 +2,19 @@ +Fri Feb 9 14:05:21 UTC 2018 - mt@suse.de + +- Applied security fix for bgpd DoS via specially crafted BGP + UPDATE messages (CVE-2017-16227,bsc#1065641) + [+ quagga-CVE-2017-16227-bgpd-Fix-AS_PATH-size-calculation.patch] +- Applied security fix for bgpd bounds check issue via attribute + length (CVE-2018-5378,Quagga-2018-0543,bsc#1079798) + [+ Quagga-2018-0543-bgpd.bsc1079798.patch] +- Applied security fix for bgpd double free when processing UPDATE + message (CVE-2018-5379,Quagga-2018-1114,bsc#1079799) + [+ Quagga-2018-1114-bgpd.bsc1079799.patch] +- Applied security fix for bgpd code-to-string conversion tables + overrun (CVE-2018-5380,Quagga-2018-1550,bsc#1079800) + [+ Quagga-2018-1550-bgpd-bsc1079800.patch] +- Applied security fix for bgpd infinite loop on certain invalid + OPEN messages (CVE-2018-5381,Quagga-2018-1975,bsc#1079801) + [+ Quagga-2018-1975-bdpd.bsc1079801.patch] + +------------------------------------------------------------------- New: ---- Quagga-2018-0543-bgpd.bsc1079798.patch Quagga-2018-1114-bgpd.bsc1079799.patch Quagga-2018-1550-bgpd-bsc1079800.patch Quagga-2018-1975-bdpd.bsc1079801.patch quagga-CVE-2017-16227-bgpd-Fix-AS_PATH-size-calculation.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ quagga.spec ++++++ --- /var/tmp/diff_new_pack.KRvhcY/_old 2018-02-16 21:45:17.701740164 +0100 +++ /var/tmp/diff_new_pack.KRvhcY/_new 2018-02-16 21:45:17.705740020 +0100 @@ -1,7 +1,7 @@ # # spec file for package quagga # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -57,6 +57,11 @@ Patch1: %{name}-add-ospf6_main-return-value.patch Patch2: %{name}-add-table_test-return-value.patch Patch3: 0001-systemd-change-the-WantedBy-target.patch +Patch4: quagga-CVE-2017-16227-bgpd-Fix-AS_PATH-size-calculation.patch +Patch5: Quagga-2018-0543-bgpd.bsc1079798.patch +Patch6: Quagga-2018-1114-bgpd.bsc1079799.patch +Patch7: Quagga-2018-1550-bgpd-bsc1079800.patch +Patch8: Quagga-2018-1975-bdpd.bsc1079801.patch BuildRequires: autoconf >= 2.6 BuildRequires: automake >= 1.6 BuildRequires: libtool @@ -148,6 +153,11 @@ %patch1 -p 1 %patch2 -p 1 %patch3 -p 1 +%patch4 -p 1 +%patch5 -p 1 +%patch6 -p 1 +%patch7 -p 1 +%patch8 -p 1 %build export CFLAGS="%{optflags} -fno-strict-aliasing" ++++++ Quagga-2018-0543-bgpd.bsc1079798.patch ++++++
From 6dde85082ca004d590030b2762bd59b0fbd74c93 Mon Sep 17 00:00:00 2001 From: Paul Jakma
Date: Wed, 3 Jan 2018 23:57:33 +0000 Upstream: yes References: CVE-2018-5378,Quagga-2018-0543,bsc#1079798 Subject: bgpd/security: invalid attr length sends NOTIFY with data overrun
Security issue: Quagga-2018-0543 See: https://www.quagga.net/security/Quagga-2018-0543.txt * bgpd/bgp_attr.c: (bgp_attr_parse) An invalid attribute length is correctly checked, and a NOTIFY prepared. The NOTIFY can include the incorrect received data with the NOTIFY, for debug purposes. Commit c69698704806a9ac5 modified the code to do that just, and also send the malformed attr with the NOTIFY. However, the invalid attribute length was used as the length of the data to send back. The result is a read past the end of data, which is then written to the NOTIFY message and sent to the peer. A configured BGP peer can use this bug to read up to 64 KiB of memory from the bgpd process, or crash the process if the invalid read is caught by some means (unmapped page and SEGV, or other mechanism) resulting in a DoS. This bug _ought_ /not/ be exploitable by anything other than the connected BGP peer, assuming the underlying TCP transport is secure. For no BGP peer should send on an UPDATE with this attribute. Quagga will not, as Quagga always validates the attr header length, regardless of type. However, it is possible that there are BGP implementations that do not check lengths on some attributes (e.g. optional/transitive ones of a type they do not recognise), and might pass such malformed attrs on. If such implementations exists and are common, then this bug might be triggerable by BGP speakers further hops away. Those peers will not receive the NOTIFY (unless they sit on a shared medium), however they might then be able to trigger a DoS. Fix: use the valid bound to calculate the length. --- bgpd/bgp_attr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index 6aab50af..44906922 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -2079,6 +2079,8 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size, memset (seen, 0, BGP_ATTR_BITMAP_SIZE); /* End pointer of BGP attribute. */ + assert (size <= stream_get_size (BGP_INPUT (peer))); + assert (size <= stream_get_endp (BGP_INPUT (peer))); endp = BGP_INPUT_PNT (peer) + size; /* Get attributes to the end of attribute length. */ @@ -2160,7 +2162,7 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size, bgp_notify_send_with_data (peer, BGP_NOTIFY_UPDATE_ERR, BGP_NOTIFY_UPDATE_ATTR_LENG_ERR, - startp, attr_endp - startp); + startp, endp - startp); return BGP_ATTR_PARSE_ERROR; } -- 2.13.6 ++++++ Quagga-2018-1114-bgpd.bsc1079799.patch ++++++
From acd5857d29e8d74249410569457beba829d7b5c3 Mon Sep 17 00:00:00 2001 From: Paul Jakma
Date: Sat, 6 Jan 2018 19:52:10 +0000 Upstream: yes References: CVE-2018-5379,Quagga-2018-1114,bsc#1079799 Subject: bgpd/security: Fix double free of unknown attribute
Security issue: Quagga-2018-1114 See: https://www.quagga.net/security/Quagga-2018-1114.txt It is possible for bgpd to double-free an unknown attribute. This can happen via bgp_update_receive receiving an UPDATE with an invalid unknown attribute. bgp_update_receive then will call bgp_attr_unintern_sub and bgp_attr_flush, and the latter may try free an already freed unknown attr. * bgpd/bgp_attr.c: (transit_unintern) Take a pointer to the caller's storage for the (struct transit *), so that transit_unintern can NULL out the caller's reference if the (struct transit) is freed. (cluster_unintern) By inspection, appears to have a similar issue. (bgp_attr_unintern_sub) adjust for above. --- bgpd/bgp_attr.c | 33 +++++++++++++++++++-------------- bgpd/bgp_attr.h | 4 ++-- 2 files changed, 21 insertions(+), 16 deletions(-) diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c index 44906922..43955125 100644 --- a/bgpd/bgp_attr.c +++ b/bgpd/bgp_attr.c @@ -186,15 +186,17 @@ cluster_intern (struct cluster_list *cluster) } void -cluster_unintern (struct cluster_list *cluster) +cluster_unintern (struct cluster_list **cluster) { - if (cluster->refcnt) - cluster->refcnt--; + struct cluster_list *c = *cluster; + if (c->refcnt) + c->refcnt--; - if (cluster->refcnt == 0) + if (c->refcnt == 0) { - hash_release (cluster_hash, cluster); - cluster_free (cluster); + hash_release (cluster_hash, c); + cluster_free (c); + *cluster = NULL; } } @@ -344,15 +346,18 @@ transit_intern (struct transit *transit) } void -transit_unintern (struct transit *transit) +transit_unintern (struct transit **transit) { - if (transit->refcnt) - transit->refcnt--; + struct transit *t = *transit; + + if (t->refcnt) + t->refcnt--; - if (transit->refcnt == 0) + if (t->refcnt == 0) { - hash_release (transit_hash, transit); - transit_free (transit); + hash_release (transit_hash, t); + transit_free (t); + *transit = NULL; } } @@ -793,11 +798,11 @@ bgp_attr_unintern_sub (struct attr *attr) UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES)); if (attr->extra->cluster) - cluster_unintern (attr->extra->cluster); + cluster_unintern (&attr->extra->cluster); UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST)); if (attr->extra->transit) - transit_unintern (attr->extra->transit); + transit_unintern (&attr->extra->transit); } } diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h index 8457f402..d8b7f6a6 100644 --- a/bgpd/bgp_attr.h +++ b/bgpd/bgp_attr.h @@ -184,10 +184,10 @@ extern unsigned long int attr_unknown_count (void); /* Cluster list prototypes. */ extern int cluster_loop_check (struct cluster_list *, struct in_addr); -extern void cluster_unintern (struct cluster_list *); +extern void cluster_unintern (struct cluster_list **); /* Transit attribute prototypes. */ -void transit_unintern (struct transit *); +void transit_unintern (struct transit **); /* Below exported for unit-test purposes only */ struct bgp_attr_parser_args { -- 2.13.6 ++++++ Quagga-2018-1550-bgpd-bsc1079800.patch ++++++
From 195a767216240fe1cc773567d214f2da7ae8bbf7 Mon Sep 17 00:00:00 2001 From: Paul Jakma
Date: Sat, 6 Jan 2018 22:31:52 +0000 Upstream: yes References: CVE-2018-5380,Quagga-2018-1550,bsc#1079800 Subject: bgpd/security: debug print of received NOTIFY data can over-read msg array
Security issue: Quagga-2018-1550 See: https://www.quagga.net/security/Quagga-2018-1550.txt * bgpd/bgp_debug.c: (struct message) Nearly every one of the NOTIFY code/subcode message arrays has their corresponding size variables off by one, as most have 1 as first index. This means (bgp_notify_print) can cause mes_lookup to overread the (struct message) by 1 pointer value if given an unknown index. Fix the bgp_notify_..._msg_max variables to use the compiler to calculate the correct sizes. --- bgpd/bgp_debug.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/bgpd/bgp_debug.c b/bgpd/bgp_debug.c index ba797228..43faee7c 100644 --- a/bgpd/bgp_debug.c +++ b/bgpd/bgp_debug.c @@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA #include "log.h" #include "sockunion.h" #include "filter.h" +#include "memory.h" #include "bgpd/bgpd.h" #include "bgpd/bgp_aspath.h" @@ -73,7 +74,8 @@ const struct message bgp_status_msg[] = { Clearing, "Clearing" }, { Deleted, "Deleted" }, }; -const int bgp_status_msg_max = BGP_STATUS_MAX; +#define BGP_DEBUG_MSG_MAX(msg) const int msg ## _max = array_size (msg) +BGP_DEBUG_MSG_MAX (bgp_status_msg); /* BGP message type string. */ const char *bgp_type_str[] = @@ -84,7 +86,8 @@ const char *bgp_type_str[] = "NOTIFICATION", "KEEPALIVE", "ROUTE-REFRESH", - "CAPABILITY" + "CAPABILITY", + NULL, }; /* message for BGP-4 Notify */ @@ -98,15 +101,15 @@ static const struct message bgp_notify_msg[] = { BGP_NOTIFY_CEASE, "Cease"}, { BGP_NOTIFY_CAPABILITY_ERR, "CAPABILITY Message Error"}, }; -static const int bgp_notify_msg_max = BGP_NOTIFY_MAX; +BGP_DEBUG_MSG_MAX (bgp_notify_msg); static const struct message bgp_notify_head_msg[] = { { BGP_NOTIFY_HEADER_NOT_SYNC, "/Connection Not Synchronized"}, { BGP_NOTIFY_HEADER_BAD_MESLEN, "/Bad Message Length"}, - { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"} + { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"}, }; -static const int bgp_notify_head_msg_max = BGP_NOTIFY_HEADER_MAX; +BGP_DEBUG_MSG_MAX (bgp_notify_head_msg); static const struct message bgp_notify_open_msg[] = { @@ -119,7 +122,7 @@ static const struct message bgp_notify_open_msg[] = { BGP_NOTIFY_OPEN_UNACEP_HOLDTIME, "/Unacceptable Hold Time"}, { BGP_NOTIFY_OPEN_UNSUP_CAPBL, "/Unsupported Capability"}, }; -static const int bgp_notify_open_msg_max = BGP_NOTIFY_OPEN_MAX; +BGP_DEBUG_MSG_MAX (bgp_notify_open_msg); static const struct message bgp_notify_update_msg[] = { @@ -136,7 +139,7 @@ static const struct message bgp_notify_update_msg[] = { BGP_NOTIFY_UPDATE_INVAL_NETWORK, "/Invalid Network Field"}, { BGP_NOTIFY_UPDATE_MAL_AS_PATH, "/Malformed AS_PATH"}, }; -static const int bgp_notify_update_msg_max = BGP_NOTIFY_UPDATE_MAX; +BGP_DEBUG_MSG_MAX (bgp_notify_update_msg); static const struct message bgp_notify_cease_msg[] = { @@ -150,7 +153,7 @@ static const struct message bgp_notify_cease_msg[] = { BGP_NOTIFY_CEASE_COLLISION_RESOLUTION, "/Connection collision resolution"}, { BGP_NOTIFY_CEASE_OUT_OF_RESOURCE, "/Out of Resource"}, }; -static const int bgp_notify_cease_msg_max = BGP_NOTIFY_CEASE_MAX; +BGP_DEBUG_MSG_MAX (bgp_notify_cease_msg); static const struct message bgp_notify_capability_msg[] = { @@ -159,7 +162,7 @@ static const struct message bgp_notify_capability_msg[] = { BGP_NOTIFY_CAPABILITY_INVALID_LENGTH, "/Invalid Capability Length"}, { BGP_NOTIFY_CAPABILITY_MALFORMED_CODE, "/Malformed Capability Value"}, }; -static const int bgp_notify_capability_msg_max = BGP_NOTIFY_CAPABILITY_MAX; +BGP_DEBUG_MSG_MAX (bgp_notify_capability_msg); /* Origin strings. */ const char *bgp_origin_str[] = {"i","e","?"}; -- 2.13.6 ++++++ Quagga-2018-1975-bdpd.bsc1079801.patch ++++++
From c7c0e5df87ca427cb4d4721b11bd8e707f86420b Mon Sep 17 00:00:00 2001 From: Paul Jakma
Date: Sat, 6 Jan 2018 21:20:51 +0000 Upstream: yes References: CVE-2018-5381,Quagga-2018-1975,bsc#1079801 Subject: bgpd/security: fix infinite loop on certain invalid OPEN messages
Security issue: Quagga-2018-1975 See: https://www.quagga.net/security/Quagga-2018-1975.txt * bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite loop due to checks that issue 'continue' without bumping the input pointer. --- bgpd/bgp_packet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c index f42e544b..56e27dc6 100644 --- a/bgpd/bgp_packet.c +++ b/bgpd/bgp_packet.c @@ -2251,7 +2251,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length) end = pnt + length; - while (pnt < end) + /* XXX: Streamify this */ + for (; pnt < end; pnt += hdr->length + 3) { /* We need at least action, capability code and capability length. */ if (pnt + 3 > end) @@ -2339,7 +2340,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length) zlog_warn ("%s unrecognized capability code: %d - ignored", peer->host, hdr->code); } - pnt += hdr->length + 3; } return 0; } -- 2.13.6 ++++++ quagga-CVE-2017-16227-bgpd-Fix-AS_PATH-size-calculation.patch ++++++
From 7a42b78be9a4108d98833069a88e6fddb9285008 Mon Sep 17 00:00:00 2001 From: Andreas Jaggi
Date: Mon, 2 Oct 2017 19:38:43 +0530 Upstream: yes References: CVE-2017-16227,bsc#1065641 Subject: [PATCH] bgpd: Fix AS_PATH size calculation for long paths
If you have an AS_PATH with more entries than what can be written into a single AS_SEGMENT_MAX it needs to be broken up. The code that noticed that the AS_PATH needs to be broken up was not correctly calculating the size of the resulting message. This patch addresses this issue. --- bgpd/bgp_aspath.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bgpd/bgp_aspath.c b/bgpd/bgp_aspath.c index b7af5e88..d813bfba 100644 --- a/bgpd/bgp_aspath.c +++ b/bgpd/bgp_aspath.c @@ -903,7 +903,7 @@ aspath_put (struct stream *s, struct aspath *as, int use32bit ) assegment_header_put (s, seg->type, AS_SEGMENT_MAX); assegment_data_put (s, seg->as, AS_SEGMENT_MAX, use32bit); written += AS_SEGMENT_MAX; - bytes += ASSEGMENT_SIZE (written, use32bit); + bytes += ASSEGMENT_SIZE (AS_SEGMENT_MAX, use32bit); } /* write the final segment, probably is also the first */ -- 2.13.6