From a95583569926787557dcc65ed5a0b91462b99ba2 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Thu, 20 Oct 2016 17:00:11 +0200 Subject: [PATCH] Rebase to 1.1.0 This rebases fixes following security issues: - CVE-2016-2342 quagga: VPNv4 NLRI parses memcpys to stack on unchecked length (#1316572) - CVE-2016-4049 quagga: denial of service vulnerability in BGP routing daemon (#1331373) - CVE-2016-1245 quagga: Buffer Overflow in IPv6 RA handling (#1386110) Also babeld was dropped by upstream. Resolves: #1316324, #1316572, #1331373, #1386110, #1387654 --- 0001-systemd-change-the-WantedBy-target.patch | 184 ------------------ ...md-various-service-file-improvements.patch | 183 +++++++++++++++++ quagga.spec | 21 +- 3 files changed, 192 insertions(+), 196 deletions(-) delete mode 100644 0001-systemd-change-the-WantedBy-target.patch create mode 100644 0001-systemd-various-service-file-improvements.patch diff --git a/0001-systemd-change-the-WantedBy-target.patch b/0001-systemd-change-the-WantedBy-target.patch deleted file mode 100644 index 4c20c78..0000000 --- a/0001-systemd-change-the-WantedBy-target.patch +++ /dev/null 
@@ -1,184 +0,0 @@
-diff --git a/redhat/babeld.service b/redhat/babeld.service
-index b1ea943..a7ea7fe 100644
---- a/redhat/babeld.service
-+++ b/redhat/babeld.service
-@@ -1,14 +1,15 @@
- [Unit]
- Description=Babel routing daemon
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+After=zebra.service
- ConditionPathExists=/etc/quagga/babeld.conf
-
- [Service]
- Type=forking
-+PIDFile=/run/quagga/babeld.pid
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStart=/usr/sbin/babeld -d $BABELD_OPTS -f /etc/quagga/babeld.conf
- Restart=on-abort
-
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/bgpd.service b/redhat/bgpd.service
-index 5040284..af923df 100644
---- a/redhat/bgpd.service
-+++ b/redhat/bgpd.service
-@@ -1,14 +1,15 @@
- [Unit]
- Description=BGP routing daemon
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+After=zebra.service
- ConditionPathExists=/etc/quagga/bgpd.conf
-
- [Service]
- Type=forking
-+PIDFile=/run/quagga/bgpd.pid
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf
- Restart=on-abort
-
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/isisd.service b/redhat/isisd.service
-index 4cdf67d..8687601 100644
---- a/redhat/isisd.service
-+++ b/redhat/isisd.service
-@@ -1,14 +1,15 @@
- [Unit]
- Description=IS-IS routing daemon
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+After=zebra.service
- ConditionPathExists=/etc/quagga/isisd.conf
-
- [Service]
- Type=forking
-+PIDFile=/run/quagga/isisd.pid
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf
- Restart=on-abort
-
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service
-index 3c9c466..d13e970 100644
---- a/redhat/ospf6d.service
-+++ b/redhat/ospf6d.service
-@@ -1,14 +1,15 @@
- [Unit]
- Description=OSPF routing daemon for IPv6
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+After=zebra.service
- ConditionPathExists=/etc/quagga/ospf6d.conf
-
- [Service]
- Type=forking
-+PIDFile=/run/quagga/ospf6d.pid
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf
- Restart=on-abort
-
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/ospfd.service b/redhat/ospfd.service
-index 5e3de23..959e649 100644
---- a/redhat/ospfd.service
-+++ b/redhat/ospfd.service
-@@ -1,14 +1,15 @@
- [Unit]
- Description=OSPF routing daemon
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+After=zebra.service
- ConditionPathExists=/etc/quagga/ospfd.conf
-
- [Service]
- Type=forking
-+PIDFile=/run/quagga/ospfd.pid
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf
- Restart=on-abort
-
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/ripd.service b/redhat/ripd.service
-index d35dc47..8e7290e 100644
---- a/redhat/ripd.service
-+++ b/redhat/ripd.service
-@@ -1,14 +1,15 @@
- [Unit]
- Description=RIP routing daemon
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+After=zebra.service
- ConditionPathExists=/etc/quagga/ripd.conf
-
- [Service]
- Type=forking
-+PIDFile=/run/quagga/ripd.pid
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf
- Restart=on-abort
-
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/ripngd.service b/redhat/ripngd.service
-index 567e888..1ba6dcf 100644
---- a/redhat/ripngd.service
-+++ b/redhat/ripngd.service
-@@ -1,14 +1,15 @@
- [Unit]
- Description=RIP routing daemon for IPv6
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+After=zebra.service
- ConditionPathExists=/etc/quagga/ripngd.conf
-
- [Service]
- Type=forking
-+PIDFile=/run/quagga/ripngd.pid
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf
- Restart=on-abort
-
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/zebra.service b/redhat/zebra.service
-index 27c3a52..259fc20 100644
---- a/redhat/zebra.service
-+++ b/redhat/zebra.service
-@@ -1,14 +1,16 @@
- [Unit]
- Description=GNU Zebra routing manager
--After=syslog.target network.target
-+Wants=network.target
-+Before=network.target
- ConditionPathExists=/etc/quagga/zebra.conf
-
- [Service]
- Type=forking
-+PIDFile=/run/quagga/zebra.pid
- EnvironmentFile=-/etc/sysconfig/quagga
- ExecStartPre=/sbin/ip route flush proto zebra
- ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
- Restart=on-abort
-
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
diff --git a/0001-systemd-various-service-file-improvements.patch b/0001-systemd-various-service-file-improvements.patch
new file mode 100644
index 0000000..18ae8e2
--- /dev/null
+++ b/0001-systemd-various-service-file-improvements.patch
@@ -0,0 +1,183 @@
+From 91eddf68ca54ba11a22f58de9a4e8f5deb53cccc Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Thu, 20 Oct 2016 12:56:34 +0200
+Subject: [PATCH] systemd: various service file improvements
+
+(1) network.target is generally used as a synchronization point during
+boot up and not as a "boot target" (target where services are actually
+enabled). Also as per 'man 7 systemd.special', service implementing
+networking should pull network.target into transaction and order itself
+before it. Hence, it doesn't make sense for zebra and friends to be
+enabled in network.target, because they should actively pull in
+network.target into boot transaction. Let's enable them as normal
+services in multi-user.target and order against network{,-pre}.target
+appropriately.
+
+(2) All quagga daemons needs zebra to be running at all times and want
+to restarted/stopped whenever zebra is. This is expressed by BindsTo=
+dependency in a unit file (note "s" in Binds).
+---
+ redhat/bgpd.service | 8 +++++---
+ redhat/isisd.service | 8 +++++---
+ redhat/ospf6d.service | 8 +++++---
+ redhat/ospfd.service | 8 +++++---
+ redhat/ripd.service | 8 +++++---
+ redhat/ripngd.service | 8 +++++---
+ redhat/zebra.service | 6 ++++--
+ 7 files changed, 34 insertions(+), 20 deletions(-)
+
+diff --git a/redhat/bgpd.service b/redhat/bgpd.service
+index 5040284..ef24841 100644
+--- a/redhat/bgpd.service
++++ b/redhat/bgpd.service
+@@ -1,7 +1,9 @@
+ [Unit]
+ Description=BGP routing daemon
+-BindTo=zebra.service
+-After=syslog.target network.target zebra.service
++BindsTo=zebra.service
++Wants=network.target
++After=zebra.service network-pre.target
++Before=network.target
+ ConditionPathExists=/etc/quagga/bgpd.conf
+
+ [Service]
+@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf
+ Restart=on-abort
+
+ [Install]
+-WantedBy=network.target
++WantedBy=multi-user.target
+diff --git a/redhat/isisd.service b/redhat/isisd.service
+index 4cdf67d..edb6eea 100644
+--- a/redhat/isisd.service
++++ b/redhat/isisd.service
+@@ -1,7 +1,9 @@
+ [Unit]
+ Description=IS-IS routing daemon
+-BindTo=zebra.service
+-After=syslog.target network.target zebra.service
++BindsTo=zebra.service
++Wants=network.target
++After=zebra.service network-pre.target
++Before=network.target
+ ConditionPathExists=/etc/quagga/isisd.conf
+
+ [Service]
+@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf
+ Restart=on-abort
+
+ [Install]
+-WantedBy=network.target
++WantedBy=multi-user.target
+diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service
+index 3c9c466..b53b970 100644
+--- a/redhat/ospf6d.service
++++ b/redhat/ospf6d.service
+@@ -1,7 +1,9 @@
+ [Unit]
+ Description=OSPF routing daemon for IPv6
+-BindTo=zebra.service
+-After=syslog.target network.target zebra.service
++BindsTo=zebra.service
++Wants=network.target
++After=zebra.service network-pre.target
++Before=network.target
+ ConditionPathExists=/etc/quagga/ospf6d.conf
+
+ [Service]
+@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf
+ Restart=on-abort
+
+ [Install]
+-WantedBy=network.target
++WantedBy=multi-user.target
+diff --git a/redhat/ospfd.service b/redhat/ospfd.service
+index 5e3de23..5d6c5bb 100644
+--- a/redhat/ospfd.service
++++ b/redhat/ospfd.service
+@@ -1,7 +1,9 @@
+ [Unit]
+ Description=OSPF routing daemon
+-BindTo=zebra.service
+-After=syslog.target network.target zebra.service
++BindsTo=zebra.service
++Wants=network.target
++After=zebra.service network-pre.target
++Before=network.target
+ ConditionPathExists=/etc/quagga/ospfd.conf
+
+ [Service]
+@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf
+ Restart=on-abort
+
+ [Install]
+-WantedBy=network.target
++WantedBy=multi-user.target
+diff --git a/redhat/ripd.service b/redhat/ripd.service
+index d35dc47..ed7f922 100644
+--- a/redhat/ripd.service
++++ b/redhat/ripd.service
+@@ -1,7 +1,9 @@
+ [Unit]
+ Description=RIP routing daemon
+-BindTo=zebra.service
+-After=syslog.target network.target zebra.service
++BindsTo=zebra.service
++Wants=network.target
++After=zebra.service network-pre.target
++Before=network.target
+ ConditionPathExists=/etc/quagga/ripd.conf
+
+ [Service]
+@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf
+ Restart=on-abort
+
+ [Install]
+-WantedBy=network.target
++WantedBy=multi-user.target
+diff --git a/redhat/ripngd.service b/redhat/ripngd.service
+index 567e888..2519b31 100644
+--- a/redhat/ripngd.service
++++ b/redhat/ripngd.service
+@@ -1,7 +1,9 @@
+ [Unit]
+ Description=RIP routing daemon for IPv6
+-BindTo=zebra.service
+-After=syslog.target network.target zebra.service
++BindsTo=zebra.service
++Wants=network.target
++After=zebra.service network-pre.target
++Before=network.target
+ ConditionPathExists=/etc/quagga/ripngd.conf
+
+ [Service]
+@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf
+ Restart=on-abort
+
+ [Install]
+-WantedBy=network.target
++WantedBy=multi-user.target
+diff --git a/redhat/zebra.service b/redhat/zebra.service
+index 27c3a52..f9107f1 100644
+--- a/redhat/zebra.service
++++ b/redhat/zebra.service
+@@ -1,6 +1,8 @@
+ [Unit]
+ Description=GNU Zebra routing manager
+-After=syslog.target network.target
++Wants=network.target
++Before=network.target
++After=network-pre.target
+ ConditionPathExists=/etc/quagga/zebra.conf
+
+ [Service]
+@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
+ Restart=on-abort
+
+ [Install]
+-WantedBy=network.target
++WantedBy=multi-user.target
+--
+2.7.4
+
diff --git a/quagga.spec b/quagga.spec
index 20d63cb..7f51838 100644
--- a/quagga.spec
+++ b/quagga.spec
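Review bot: The rebased unit-file patch no longer adds a `PIDFile=` line to any of the seven services, although they remain `Type=forking` as far as the page shows. The patch it replaces added e.g. `PIDFile=/run/quagga/bgpd.pid`, and the pre-image blobs are identical in both patches (bgpd.service is `5040284` in each), so the `[Service]` body between the two hunks of each unit presumably still lacks it; that body lies outside the hunks shown here. Without `PIDFile=` systemd has to guess the main PID of a forking daemon, which makes `Restart=on-abort` and the unit state that `BindsTo=zebra.service` depends on less reliable. If the drop is intentional, say so in the patch description; otherwise re-add `PIDFile=/run/quagga/<daemon>.pid` after `Type=forking` in each unit.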
@@ -6,13 +6,13 @@ %global _hardened_build 1 Name: quagga -Version: 0.99.24.1 -Release: 3%{?dist} +Version: 1.1.0 +Release: 1%{?dist} Summary: Routing daemon License: GPLv2+ Group: System Environment/Daemons URL: http://www.quagga.net -Source0: http://download.savannah.gnu.org/releases/quagga/%{name}-%{version}.tar.xz +Source0: http://download.savannah.gnu.org/releases/quagga/%{name}-%{version}.tar.gz Source1: quagga-filter-perl-requires.sh Source2: quagga-tmpfs.conf BuildRequires: perl-generators @@ -20,6 +20,7 @@ BuildRequires: systemd BuildRequires: net-snmp-devel BuildRequires: texinfo tetex libcap-devel texi2html BuildRequires: readline readline-devel ncurses ncurses-devel +BuildRequires: git Requires: net-snmp ncurses Requires(post): systemd /sbin/install-info Requires(preun): systemd /sbin/install-info @@ -27,7 +28,7 @@ Requires(postun): systemd Provides: routingdaemon = %{version}-%{release} Obsoletes: quagga-sysvinit -Patch0: 0001-systemd-change-the-WantedBy-target.patch +Patch0: 0001-systemd-various-service-file-improvements.patch %define __perl_requires %{SOURCE1} @@ -62,9 +63,7 @@ The quagga-devel package contains the header and object files necessary for developing OSPF-API and quagga applications. %prep -%setup -q - -%patch0 -p1 +%autosetup -S git_am %build %configure \ 
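Review bot: `Source0` in the first hunk still points at a plain `http://` URL while the archive changes from `.tar.xz` to `.tar.gz`, so nothing visible in this spec authenticates the 1.1.0 tarball that carries the three CVE fixes. Prefer `Source0: https://download.savannah.gnu.org/releases/quagga/%{name}-%{version}.tar.gz`, and if upstream publishes a detached signature for the release, ship it as an additional `Source` and verify it in `%prep` before `%autosetup` runs. The checksum recorded for the new tarball is not part of this diff, so confirm it was computed from a verified download.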
@@ -109,7 +108,6 @@ install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/isisd.service %{buildro install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/ripd.service %{buildroot}%{_unitdir}/ripd.service install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/ospfd.service %{buildroot}%{_unitdir}/ospfd.service install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/bgpd.service %{buildroot}%{_unitdir}/bgpd.service -install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/babeld.service %{buildroot}%{_unitdir}/babeld.service install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/ospf6d.service %{buildroot}%{_unitdir}/ospf6d.service install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/ripngd.service %{buildroot}%{_unitdir}/ripngd.service @@ -136,7 +134,6 @@ getent passwd quagga >/dev/null 2>&1 || useradd -u %quagga_uid -g %quagga_gid -M %systemd_post ripd.service %systemd_post ospfd.service %systemd_post bgpd.service -%systemd_post babeld.service %systemd_post ospf6d.service %systemd_post ripngd.service @@ -163,7 +160,6 @@ fi %systemd_postun_with_restart ripd.service %systemd_postun_with_restart ospfd.service %systemd_postun_with_restart bgpd.service -%systemd_postun_with_restart babeld.service %systemd_postun_with_restart ospf6d.service %systemd_postun_with_restart ripngd.service @@ -177,7 +173,6 @@ fi %systemd_preun ripd.service %systemd_preun ospfd.service %systemd_preun bgpd.service -%systemd_preun babeld.service %systemd_preun ospf6d.service %systemd_preun ripngd.service @@ -189,7 +184,6 @@ fi %doc ripd/ripd.conf.sample %doc bgpd/bgpd.conf.sample* %doc ospfd/ospfd.conf.sample -%doc babeld/babeld.conf.sample %doc ospf6d/ospf6d.conf.sample %doc ripngd/ripngd.conf.sample %doc doc/quagga.html 
@@ -226,6 +220,9 @@ fi %{_includedir}/quagga/ospfd/*.h %changelog +* Thu Oct 20 2016 Michal Sekletar - 1.1.0-1 +- rebase to 1.1.0 (#1316324, #1316572, #1331373, #1386110) + * Thu Feb 04 2016 Fedora Release Engineering - 0.99.24.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild