rpms/quagga
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to 0.99.22

Browse Source 
- quagga-CVE-2012-1820.patch has been merged
- explicitly enable SMNP AgentX interface

Signed-off-by: Adam Tkac <atkac@redhat.com>
This commit is contained in:
Adam Tkac 2013-02-20 14:49:18 +01:00
parent ed23ed1175
commit a26f9aeab4
4 changed files with 10 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -4,3 +4,4 @@ quagga-0.99.17.tar.gz
/quagga-0.99.19.tar.gz /quagga-0.99.19.tar.gz
/quagga-0.99.20.tar.gz /quagga-0.99.20.tar.gz
/quagga-0.99.20.1.tar.gz /quagga-0.99.20.1.tar.gz
/quagga-0.99.22.tar.xz

74
quagga-CVE-2012-1820.patch
View File

@ -1,74 +0,0 @@
@@ -, +, @@
bgpd: CVE-2012-1820, DoS in bgp_capability_orf()
An ORF (code 3) capability TLV is defined to contain exactly one
AFI/SAFI block. Function bgp_capability_orf(), which parses ORF
capability TLV, uses do-while cycle to call its helper function
bgp_capability_orf_entry(), which actually processes the AFI/SAFI data
block. The call is made at least once and repeated as long as the input
buffer has enough data for the next call.
The helper function, bgp_capability_orf_entry(), uses "Number of ORFs"
field of the provided AFI/SAFI block to verify, if it fits the input
buffer. However, the check is made based on the total length of the ORF
TLV regardless of the data already consumed by the previous helper
function call(s). This way, the check condition is only valid for the
first AFI/SAFI block inside an ORF capability TLV.
For the subsequent calls of the helper function, if any are made, the
check condition may erroneously tell, that the current "Number of ORFs"
field fits the buffer boundary, where in fact it does not. This makes it
possible to trigger an assertion by feeding an OPEN message with a
specially-crafted malformed ORF capability TLV.
This commit fixes the vulnerability by making the implementation follow
the spec.
--- a/bgpd/bgp_open.c
+++ a/bgpd/bgp_open.c
@@ -231,7 +231,7 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
}
/* validate number field */
- if (sizeof (struct capability_orf_entry) + (entry.num * 2) > hdr->length)
+ if (sizeof (struct capability_orf_entry) + (entry.num * 2) != hdr->length)
{
zlog_info ("%s ORF Capability entry length error,"
" Cap length %u, num %u",
@@ -335,28 +335,6 @@ bgp_capability_orf_entry (struct peer *peer, struct capability_header *hdr)
}
static int
-bgp_capability_orf (struct peer *peer, struct capability_header *hdr)
-{
- struct stream *s = BGP_INPUT (peer);
- size_t end = stream_get_getp (s) + hdr->length;
-
- assert (stream_get_getp(s) + sizeof(struct capability_orf_entry) <= end);
-
- /* We must have at least one ORF entry, as the caller has already done
- * minimum length validation for the capability code - for ORF there must
- * at least one ORF entry (header and unknown number of pairs of bytes).
- */
- do
- {
- if (bgp_capability_orf_entry (peer, hdr) == -1)
- return -1;
- }
- while (stream_get_getp(s) + sizeof(struct capability_orf_entry) < end);
-
- return 0;
-}
-
-static int
bgp_capability_restart (struct peer *peer, struct capability_header *caphdr)
{
struct stream *s = BGP_INPUT (peer);
@@ -573,7 +551,7 @@ bgp_capability_parse (struct peer *peer, size_t length, int *mp_capability,
break;
case CAPABILITY_CODE_ORF:
case CAPABILITY_CODE_ORF_OLD:
- if (bgp_capability_orf (peer, &caphdr))
+ if (bgp_capability_orf_entry (peer, &caphdr))
return -1;
break;
case CAPABILITY_CODE_RESTART:

15
quagga.spec
View File

@ -31,8 +31,8 @@
Summary: Routing daemon Summary: Routing daemon
Name: quagga Name: quagga
Version: 0.99.21 Version: 0.99.22
Release: 5%{?dist} Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Daemons Group: System Environment/Daemons
Source0: http://www.quagga.net/download/%{name}-%{version}.tar.xz Source0: http://www.quagga.net/download/%{name}-%{version}.tar.xz
@ -70,8 +70,6 @@ Requires(postun): systemd-units
Provides: routingdaemon = %{version}-%{release} Provides: routingdaemon = %{version}-%{release}
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0: quagga-CVE-2012-1820.patch
%description %description
Quagga is free software that operates TCP/IP-based routing protocols. It takes Quagga is free software that operates TCP/IP-based routing protocols. It takes
a multi-server and multi-threaded approach to resolving the current complexity a multi-server and multi-threaded approach to resolving the current complexity
@ -115,8 +113,6 @@ developing OSPF-API and quagga applications.
%prep %prep
%setup -q %setup -q
%patch0 -p1 -b .CVE-2012-1820
%build %build
# FC5+ automatic -fstack-protector-all switch # FC5+ automatic -fstack-protector-all switch
export RPM_OPT_FLAGS=${RPM_OPT_FLAGS//-fstack-protector/-fstack-protector-all} export RPM_OPT_FLAGS=${RPM_OPT_FLAGS//-fstack-protector/-fstack-protector-all}
@ -133,7 +129,7 @@ export CXXFLAGS="$RPM_OPT_FLAGS $CPPFLAGS -fno-strict-aliasing"
--enable-isisd=yes \ --enable-isisd=yes \
%endif %endif
%if %with_snmp %if %with_snmp
--enable-snmp=yes \ --enable-snmp=agentx \
%endif %endif
%if %with_multipath %if %with_multipath
--enable-multipath=%with_multipath \ --enable-multipath=%with_multipath \
@ -436,6 +432,11 @@ rm -rf $RPM_BUILD_ROOT
%endif %endif
%changelog %changelog
* Wed Feb 20 2013 Adam Tkac <atkac redhat com> - 0.99.22-1
- update to 0.99.22
- quagga-CVE-2012-1820.patch has been merged
- explicitly enable SMNP AgentX interface
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.99.21-5 * Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.99.21-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
0980758b1865b9aa0c60975120bf3453 quagga-0.99.21.tar.xz 0a8b01d01a1e02a7a6ec90a781fb774c quagga-0.99.22.tar.xz