Fix CVE-2018-5379, CVE-2018-5380, CVE-2018-5381, CVE-2018-5378

Fixed CVE-2018-5379 - Double free vulnerability in bgpd when processing
  certain forms of UPDATE message allowing to crash or potentially execute
  arbitrary code
Resolves: rhbz#1546008

Fixed CVE-2018-5380 - bgpd can overrun internal BGP code-to-string
  conversion tables potentially allowing crash
Resolves: rhbz#1546006

Fixed CVE-2018-5381 - Infinite loop issue triggered by invalid OPEN message
  allows denial-of-service
Resolves: rhbz#1546004

Fixed CVE-2018-5378 - bgpd does not properly bounds check the data sent with
  a NOTIFY allowing leak of sensitive data or crash
Resolves: rhbz#1546009

.gitignore

@@ -12,3 +12,6 @@ quagga-0.99.17.tar.gz
 /quagga-0.99.24.1.tar.xz
 /quagga-1.1.0.tar.gz
 /quagga-1.1.1.tar.gz
+/quagga-1.2.1.tar.gz
+/quagga-1.2.2.tar.gz
+/quagga-1.2.2.tar.gz.asc

0001-bgpd-security-Fix-double-free-of-unknown-attribute.patch

@@ -0,0 +1,110 @@
+From e69b535f92eafb599329bf725d9b4c6fd5d7fded Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Sat, 6 Jan 2018 19:52:10 +0000
+Subject: [PATCH] bgpd/security: Fix double free of unknown attribute
+
+Security issue: Quagga-2018-1114
+See: https://www.quagga.net/security/Quagga-2018-1114.txt
+
+It is possible for bgpd to double-free an unknown attribute. This can happen
+via bgp_update_receive receiving an UPDATE with an invalid unknown attribute.
+bgp_update_receive then will call bgp_attr_unintern_sub and bgp_attr_flush,
+and the latter may try free an already freed unknown attr.
+
+* bgpd/bgp_attr.c: (transit_unintern) Take a pointer to the caller's storage
+  for the (struct transit *), so that transit_unintern can NULL out the
+  caller's reference if the (struct transit) is freed.
+  (cluster_unintern) By inspection, appears to have a similar issue.
+  (bgp_attr_unintern_sub) adjust for above.
+---
+ bgpd/bgp_attr.c | 33 +++++++++++++++++++--------------
+ bgpd/bgp_attr.h |  4 ++--
+ 2 files changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 9564637e..0c2806b5 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -199,15 +199,17 @@ cluster_intern (struct cluster_list *cluster)
+ }
+ 
+ void
+-cluster_unintern (struct cluster_list *cluster)
++cluster_unintern (struct cluster_list **cluster)
+ {
+-  if (cluster->refcnt)
+-    cluster->refcnt--;
++  struct cluster_list *c = *cluster;
++  if (c->refcnt)
++    c->refcnt--;
+ 
+-  if (cluster->refcnt == 0)
++  if (c->refcnt == 0)
+     {
+-      hash_release (cluster_hash, cluster);
+-      cluster_free (cluster);
++      hash_release (cluster_hash, c);
++      cluster_free (c);
++      *cluster = NULL;
+     }
+ }
+ 
+@@ -357,15 +359,18 @@ transit_intern (struct transit *transit)
+ }
+ 
+ void
+-transit_unintern (struct transit *transit)
++transit_unintern (struct transit **transit)
+ {
+-  if (transit->refcnt)
+-    transit->refcnt--;
++  struct transit *t = *transit;
++  
++  if (t->refcnt)
++    t->refcnt--;
+ 
+-  if (transit->refcnt == 0)
++  if (t->refcnt == 0)
+     {
+-      hash_release (transit_hash, transit);
+-      transit_free (transit);
++      hash_release (transit_hash, t);
++      transit_free (t);
++      *transit = NULL;
+     }
+ }
+ 
+@@ -820,11 +825,11 @@ bgp_attr_unintern_sub (struct attr *attr)
+       UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_LARGE_COMMUNITIES));
+       
+       if (attr->extra->cluster)
+-        cluster_unintern (attr->extra->cluster);
++        cluster_unintern (&attr->extra->cluster);
+       UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST));
+       
+       if (attr->extra->transit)
+-        transit_unintern (attr->extra->transit);
++        transit_unintern (&attr->extra->transit);
+     }
+ }
+ 
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 9ff074b2..052acc7d 100644
+--- a/bgpd/bgp_attr.h
++++ b/bgpd/bgp_attr.h
+@@ -187,10 +187,10 @@ extern unsigned long int attr_unknown_count (void);
+ 
+ /* Cluster list prototypes. */
+ extern int cluster_loop_check (struct cluster_list *, struct in_addr);
+-extern void cluster_unintern (struct cluster_list *);
++extern void cluster_unintern (struct cluster_list **);
+ 
+ /* Transit attribute prototypes. */
+-void transit_unintern (struct transit *);
++void transit_unintern (struct transit **);
+ 
+ /* Below exported for unit-test purposes only */
+ struct bgp_attr_parser_args {
+-- 
+2.14.3
+

0001-bgpd-security-debug-print-of-received-NOTIFY-data-ca.patch

@@ -0,0 +1,112 @@
+From 9e5251151894aefdf8e9392a2371615222119ad8 Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Sat, 6 Jan 2018 22:31:52 +0000
+Subject: [PATCH] bgpd/security: debug print of received NOTIFY data can
+ over-read msg array
+
+Security issue: Quagga-2018-1550
+See: https://www.quagga.net/security/Quagga-2018-1550.txt
+
+* bgpd/bgp_debug.c: (struct message) Nearly every one of the NOTIFY
+  code/subcode message arrays has their corresponding size variables off
+  by one, as most have 1 as first index.
+
+  This means (bgp_notify_print) can cause mes_lookup to overread the (struct
+  message) by 1 pointer value if given an unknown index.
+
+  Fix the bgp_notify_..._msg_max variables to use the compiler to calculate
+  the correct sizes.
+---
+ bgpd/bgp_debug.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/bgpd/bgp_debug.c b/bgpd/bgp_debug.c
+index ba797228..43faee7c 100644
+--- a/bgpd/bgp_debug.c
++++ b/bgpd/bgp_debug.c
+@@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ #include "log.h"
+ #include "sockunion.h"
+ #include "filter.h"
++#include "memory.h"
+ 
+ #include "bgpd/bgpd.h"
+ #include "bgpd/bgp_aspath.h"
+@@ -73,7 +74,8 @@ const struct message bgp_status_msg[] =
+   { Clearing,    "Clearing"    },
+   { Deleted,     "Deleted"     },
+ };
+-const int bgp_status_msg_max = BGP_STATUS_MAX;
++#define BGP_DEBUG_MSG_MAX(msg) const int msg ## _max = array_size (msg)
++BGP_DEBUG_MSG_MAX (bgp_status_msg);
+ 
+ /* BGP message type string. */
+ const char *bgp_type_str[] =
+@@ -84,7 +86,8 @@ const char *bgp_type_str[] =
+   "NOTIFICATION",
+   "KEEPALIVE",
+   "ROUTE-REFRESH",
+-  "CAPABILITY"
++  "CAPABILITY",
++  NULL,
+ };
+ 
+ /* message for BGP-4 Notify */
+@@ -98,15 +101,15 @@ static const struct message bgp_notify_msg[] =
+   { BGP_NOTIFY_CEASE, "Cease"},
+   { BGP_NOTIFY_CAPABILITY_ERR, "CAPABILITY Message Error"},
+ };
+-static const int bgp_notify_msg_max = BGP_NOTIFY_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_msg);
+ 
+ static const struct message bgp_notify_head_msg[] = 
+ {
+   { BGP_NOTIFY_HEADER_NOT_SYNC, "/Connection Not Synchronized"},
+   { BGP_NOTIFY_HEADER_BAD_MESLEN, "/Bad Message Length"},
+-  { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"}
++  { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"},
+ };
+-static const int bgp_notify_head_msg_max = BGP_NOTIFY_HEADER_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_head_msg);
+ 
+ static const struct message bgp_notify_open_msg[] = 
+ {
+@@ -119,7 +122,7 @@ static const struct message bgp_notify_open_msg[] =
+   { BGP_NOTIFY_OPEN_UNACEP_HOLDTIME, "/Unacceptable Hold Time"}, 
+   { BGP_NOTIFY_OPEN_UNSUP_CAPBL, "/Unsupported Capability"},
+ };
+-static const int bgp_notify_open_msg_max = BGP_NOTIFY_OPEN_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_open_msg);
+ 
+ static const struct message bgp_notify_update_msg[] = 
+ {
+@@ -136,7 +139,7 @@ static const struct message bgp_notify_update_msg[] =
+   { BGP_NOTIFY_UPDATE_INVAL_NETWORK, "/Invalid Network Field"},
+   { BGP_NOTIFY_UPDATE_MAL_AS_PATH, "/Malformed AS_PATH"},
+ };
+-static const int bgp_notify_update_msg_max = BGP_NOTIFY_UPDATE_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_update_msg);
+ 
+ static const struct message bgp_notify_cease_msg[] =
+ {
+@@ -150,7 +153,7 @@ static const struct message bgp_notify_cease_msg[] =
+   { BGP_NOTIFY_CEASE_COLLISION_RESOLUTION, "/Connection collision resolution"},
+   { BGP_NOTIFY_CEASE_OUT_OF_RESOURCE, "/Out of Resource"},
+ };
+-static const int bgp_notify_cease_msg_max = BGP_NOTIFY_CEASE_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_cease_msg);
+ 
+ static const struct message bgp_notify_capability_msg[] = 
+ {
+@@ -159,7 +162,7 @@ static const struct message bgp_notify_capability_msg[] =
+   { BGP_NOTIFY_CAPABILITY_INVALID_LENGTH, "/Invalid Capability Length"},
+   { BGP_NOTIFY_CAPABILITY_MALFORMED_CODE, "/Malformed Capability Value"},
+ };
+-static const int bgp_notify_capability_msg_max = BGP_NOTIFY_CAPABILITY_MAX;
++BGP_DEBUG_MSG_MAX (bgp_notify_capability_msg);
+ 
+ /* Origin strings. */
+ const char *bgp_origin_str[] = {"i","e","?"};
+-- 
+2.14.3
+

0001-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch

@@ -0,0 +1,41 @@
+From ce07207c50a3d1f05d6dd49b5294282e59749787 Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Sat, 6 Jan 2018 21:20:51 +0000
+Subject: [PATCH] bgpd/security: fix infinite loop on certain invalid OPEN
+ messages
+
+Security issue: Quagga-2018-1975
+See: https://www.quagga.net/security/Quagga-2018-1975.txt
+
+* bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite
+  loop due to checks that issue 'continue' without bumping the input
+  pointer.
+---
+ bgpd/bgp_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index b3d601fc..f9338d8d 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2328,7 +2328,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
+ 
+   end = pnt + length;
+ 
+-  while (pnt < end)
++  /* XXX: Streamify this */
++  for (; pnt < end; pnt += hdr->length + 3)
+     {      
+       /* We need at least action, capability code and capability length. */
+       if (pnt + 3 > end)
+@@ -2416,7 +2417,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
+           zlog_warn ("%s unrecognized capability code: %d - ignored",
+                      peer->host, hdr->code);
+         }
+-      pnt += hdr->length + 3;
+     }
+   return 0;
+ }
+-- 
+2.14.3
+

0001-bgpd-security-invalid-attr-length-sends-NOTIFY-with-.patch

@@ -0,0 +1,67 @@
+From cc2e6770697e343f4af534114ab7e633d5beabec Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Wed, 3 Jan 2018 23:57:33 +0000
+Subject: [PATCH] bgpd/security: invalid attr length sends NOTIFY with data
+ overrun
+
+Security issue: Quagga-2018-0543
+
+See: https://www.quagga.net/security/Quagga-2018-0543.txt
+
+* bgpd/bgp_attr.c: (bgp_attr_parse) An invalid attribute length is correctly
+  checked, and a NOTIFY prepared.  The NOTIFY can include the incorrect
+  received data with the NOTIFY, for debug purposes.  Commit
+  c69698704806a9ac5 modified the code to do that just, and also send the
+  malformed attr with the NOTIFY.  However, the invalid attribute length was
+  used as the length of the data to send back.
+
+  The result is a read past the end of data, which is then written to the
+  NOTIFY message and sent to the peer.
+
+  A configured BGP peer can use this bug to read up to 64 KiB of memory from
+  the bgpd process, or crash the process if the invalid read is caught by
+  some means (unmapped page and SEGV, or other mechanism) resulting in a DoS.
+
+  This bug _ought_ /not/ be exploitable by anything other than the connected
+  BGP peer, assuming the underlying TCP transport is secure.  For no BGP
+  peer should send on an UPDATE with this attribute.  Quagga will not, as
+  Quagga always validates the attr header length, regardless of type.
+
+  However, it is possible that there are BGP implementations that do not
+  check lengths on some attributes (e.g.  optional/transitive ones of a type
+  they do not recognise), and might pass such malformed attrs on.  If such
+  implementations exists and are common, then this bug might be triggerable
+  by BGP speakers further hops away.  Those peers will not receive the
+  NOTIFY (unless they sit on a shared medium), however they might then be
+  able to trigger a DoS.
+
+  Fix: use the valid bound to calculate the length.
+---
+ bgpd/bgp_attr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index ef58beb1..9564637e 100644
+--- a/bgpd/bgp_attr.c
++++ b/bgpd/bgp_attr.c
+@@ -2147,6 +2147,8 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size,
+   memset (seen, 0, BGP_ATTR_BITMAP_SIZE);
+ 
+   /* End pointer of BGP attribute. */
++  assert (size <= stream_get_size (BGP_INPUT (peer)));
++  assert (size <= stream_get_endp (BGP_INPUT (peer)));
+   endp = BGP_INPUT_PNT (peer) + size;
+   
+   /* Get attributes to the end of attribute length. */
+@@ -2228,7 +2230,7 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size,
+           bgp_notify_send_with_data (peer,
+                                      BGP_NOTIFY_UPDATE_ERR,
+                                      BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+-                                     startp, attr_endp - startp);
++                                     startp, endp - startp);
+ 	  return BGP_ATTR_PARSE_ERROR;
+ 	}
+ 	
+-- 
+2.14.3
+

0001-systemd-various-service-file-improvements.patch

@@ -1,183 +0,0 @@
-From 91eddf68ca54ba11a22f58de9a4e8f5deb53cccc Mon Sep 17 00:00:00 2001
-From: Michal Sekletar <msekleta@redhat.com>
-Date: Thu, 20 Oct 2016 12:56:34 +0200
-Subject: [PATCH] systemd: various service file improvements
-
-(1) network.target is generally used as a synchronization point during
-boot up and not as a "boot target" (target where services are actually
-enabled). Also as per 'man 7 systemd.special', service implementing
-networking should pull network.target into transaction and order itself
-before it. Hence, it doesn't make sense for zebra and friends to be
-enabled in network.target, because they should actively pull in
-network.target into boot transaction. Let's enable them as normal
-services in multi-user.target and order against network{,-pre}.target
-appropriately.
-
-(2) All quagga daemons needs zebra to be running at all times and want
-to restarted/stopped whenever zebra is. This is expressed by BindsTo=
-dependency in a unit file (note "s" in Binds).
----
- redhat/bgpd.service   | 8 +++++---
- redhat/isisd.service  | 8 +++++---
- redhat/ospf6d.service | 8 +++++---
- redhat/ospfd.service  | 8 +++++---
- redhat/ripd.service   | 8 +++++---
- redhat/ripngd.service | 8 +++++---
- redhat/zebra.service  | 6 ++++--
- 7 files changed, 34 insertions(+), 20 deletions(-)
-
-diff --git a/redhat/bgpd.service b/redhat/bgpd.service
-index 5040284..ef24841 100644
---- a/redhat/bgpd.service
-+++ b/redhat/bgpd.service
-@@ -1,7 +1,9 @@
- [Unit]
- Description=BGP routing daemon
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+Wants=network.target
-+After=zebra.service network-pre.target
-+Before=network.target
- ConditionPathExists=/etc/quagga/bgpd.conf
- 
- [Service]
-@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf
- Restart=on-abort
- 
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/isisd.service b/redhat/isisd.service
-index 4cdf67d..edb6eea 100644
---- a/redhat/isisd.service
-+++ b/redhat/isisd.service
-@@ -1,7 +1,9 @@
- [Unit]
- Description=IS-IS routing daemon
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+Wants=network.target
-+After=zebra.service network-pre.target
-+Before=network.target
- ConditionPathExists=/etc/quagga/isisd.conf
- 
- [Service]
-@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf
- Restart=on-abort
- 
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service
-index 3c9c466..b53b970 100644
---- a/redhat/ospf6d.service
-+++ b/redhat/ospf6d.service
-@@ -1,7 +1,9 @@
- [Unit]
- Description=OSPF routing daemon for IPv6
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+Wants=network.target
-+After=zebra.service network-pre.target
-+Before=network.target
- ConditionPathExists=/etc/quagga/ospf6d.conf
- 
- [Service]
-@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf
- Restart=on-abort
- 
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/ospfd.service b/redhat/ospfd.service
-index 5e3de23..5d6c5bb 100644
---- a/redhat/ospfd.service
-+++ b/redhat/ospfd.service
-@@ -1,7 +1,9 @@
- [Unit]
- Description=OSPF routing daemon
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+Wants=network.target
-+After=zebra.service network-pre.target
-+Before=network.target
- ConditionPathExists=/etc/quagga/ospfd.conf
- 
- [Service]
-@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf
- Restart=on-abort
- 
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/ripd.service b/redhat/ripd.service
-index d35dc47..ed7f922 100644
---- a/redhat/ripd.service
-+++ b/redhat/ripd.service
-@@ -1,7 +1,9 @@
- [Unit]
- Description=RIP routing daemon
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+Wants=network.target
-+After=zebra.service network-pre.target
-+Before=network.target
- ConditionPathExists=/etc/quagga/ripd.conf
- 
- [Service]
-@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf
- Restart=on-abort
- 
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/ripngd.service b/redhat/ripngd.service
-index 567e888..2519b31 100644
---- a/redhat/ripngd.service
-+++ b/redhat/ripngd.service
-@@ -1,7 +1,9 @@
- [Unit]
- Description=RIP routing daemon for IPv6
--BindTo=zebra.service
--After=syslog.target network.target zebra.service
-+BindsTo=zebra.service
-+Wants=network.target
-+After=zebra.service network-pre.target
-+Before=network.target
- ConditionPathExists=/etc/quagga/ripngd.conf
- 
- [Service]
-@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf
- Restart=on-abort
- 
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
-diff --git a/redhat/zebra.service b/redhat/zebra.service
-index 27c3a52..f9107f1 100644
---- a/redhat/zebra.service
-+++ b/redhat/zebra.service
-@@ -1,6 +1,8 @@
- [Unit]
- Description=GNU Zebra routing manager
--After=syslog.target network.target
-+Wants=network.target
-+Before=network.target
-+After=network-pre.target
- ConditionPathExists=/etc/quagga/zebra.conf
- 
- [Service]
-@@ -11,4 +13,4 @@ ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
- Restart=on-abort
- 
- [Install]
--WantedBy=network.target
-+WantedBy=multi-user.target
--- 
-2.7.4
-

quagga.spec

@@ -6,7 +6,7 @@
 %global _hardened_build 1
 
 Name: quagga
-Version: 1.1.1
+Version: 1.2.2
 Release: 2%{?dist}
 Summary: Routing daemon
 License: GPLv2+
@@ -15,20 +15,28 @@ URL: http://www.quagga.net
 Source0: http://download.savannah.gnu.org/releases/quagga/%{name}-%{version}.tar.gz
 Source1: quagga-filter-perl-requires.sh
 Source2: quagga-tmpfs.conf
-BuildRequires: perl-generators
+BuildRequires: perl-generators pkgconfig
 BuildRequires: systemd
 BuildRequires: net-snmp-devel
 BuildRequires: texinfo tetex libcap-devel texi2html
 BuildRequires: readline readline-devel ncurses ncurses-devel
 BuildRequires: git
-Requires: net-snmp ncurses
+BuildRequires: c-ares-devel
+Requires: net-snmp ncurses c-ares
 Requires(post): systemd /sbin/install-info
 Requires(preun): systemd /sbin/install-info
 Requires(postun): systemd
 Provides: routingdaemon = %{version}-%{release}
 Obsoletes: quagga-sysvinit
 
-Patch0: 0001-systemd-various-service-file-improvements.patch
+# Upstream patch:
+Patch0: 0001-bgpd-security-Fix-double-free-of-unknown-attribute.patch
+# Upstream patch:
+Patch1: 0001-bgpd-security-debug-print-of-received-NOTIFY-data-ca.patch
+# Upstream patch:
+Patch2: 0001-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch
+# Upstream patch:
+Patch3: 0001-bgpd-security-invalid-attr-length-sends-NOTIFY-with-.patch
 
 %define __perl_requires %{SOURCE1}
 
@@ -38,7 +46,7 @@ a multi-server and multi-threaded approach to resolving the current complexity
 of the Internet.
 
 Quagga supports Babel, BGP4, BGP4+, BGP4-, IS-IS (experimental), OSPFv2,
-OSPFv3, RIPv1, RIPv2, and RIPng.
+OSPFv3, RIPv1, RIPv2, RIPng, PIM-SSM and NHRP.
 
 Quagga is intended to be used as a Route Server and a Route Reflector. It is
 not a toolkit; it provides full routing power under a new architecture.
@@ -85,7 +93,8 @@ developing OSPF-API and quagga applications.
     --enable-vty-group=%vty_group \
     --enable-rtadv \
     --disable-exampledir \
-    --enable-netlink
+    --enable-netlink \
+    --enable-nhrpd
 
 make %{?_smp_mflags} MAKEINFO="makeinfo --no-split" CFLAGS="%{optflags} -fno-strict-aliasing"
 
@@ -110,6 +119,8 @@ install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/ospfd.service %{buildro
 install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/bgpd.service %{buildroot}%{_unitdir}/bgpd.service
 install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/ospf6d.service %{buildroot}%{_unitdir}/ospf6d.service
 install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/ripngd.service %{buildroot}%{_unitdir}/ripngd.service
+install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/pimd.service %{buildroot}%{_unitdir}/pimd.service
+install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/nhrpd.service %{buildroot}%{_unitdir}/nhrpd.service
 
 install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/quagga.sysconfig %{buildroot}/etc/sysconfig/quagga
 install -p -m 644 %{_builddir}/%{name}-%{version}/redhat/quagga.logrotate %{buildroot}/etc/logrotate.d/quagga
@@ -127,6 +138,7 @@ getent group %vty_group >/dev/null 2>&1 || groupadd -r -g %vty_gid %vty_group >/
 getent group quagga >/dev/null 2>&1 || groupadd -g %quagga_gid quagga >/dev/null 2>&1 || :
 getent passwd quagga >/dev/null 2>&1 || useradd -u %quagga_uid -g %quagga_gid -M -r -s /sbin/nologin \
  -c "Quagga routing suite" -d %{_localstatedir}/run/quagga quagga >/dev/null 2>&1 || :
+usermod -a -G %vty_group quagga 
 
 %post
 %systemd_post zebra.service
@@ -137,7 +149,8 @@ getent passwd quagga >/dev/null 2>&1 || useradd -u %quagga_uid -g %quagga_gid -M
 %systemd_post ospf6d.service
 %systemd_post ripngd.service
 
-if [ -f %{_infodir}/%{name}.inf* ]; then
+ls %{_infodir}/%{name}.inf* > /dev/null 2>&1
+if [ $? -eq 0 ]; then
     install-info %{_infodir}/quagga.info %{_infodir}/dir || :
 fi
 
@@ -163,7 +176,8 @@ fi
 %systemd_postun_with_restart ospf6d.service
 %systemd_postun_with_restart ripngd.service
 
-if [ -f %{_infodir}/%{name}.inf* ]; then
+ls %{_infodir}/%{name}.inf* > /dev/null 2>&1
+if [ $? -eq 0 ]; then
     install-info --delete %{_infodir}/quagga.info %{_infodir}/dir || :
 fi
 
@@ -220,6 +234,32 @@ fi
 %{_includedir}/quagga/ospfd/*.h
 
 %changelog
+* Thu Feb 22 2018 Ondřej Lysoněk <olysonek@redhat.com> - 1.2.2-2
+- Fixed CVE-2018-5379 - Double free vulnerability in bgpd when processing
+  certain forms of UPDATE message allowing to crash or potentially execute
+  arbitrary code
+- Resolves: rhbz#1546008
+- Fixed CVE-2018-5380 - bgpd can overrun internal BGP code-to-string
+  conversion tables potentially allowing crash
+- Resolves: rhbz#1546006
+- Fixed CVE-2018-5381 - Infinite loop issue triggered by invalid OPEN message
+  allows denial-of-service
+- Resolves: rhbz#1546004
+- Fixed CVE-2018-5378 - bgpd does not properly bounds check the data sent with
+  a NOTIFY allowing leak of sensitive data or crash
+- Resolves: rhbz#1546009
+
+* Tue Nov 14 2017 Michal Ruprich <mruprich@redhat.com> - 1.2.2-1
+- rebase to 1.2.2(#1504420)
+- resolves #1462426 - Installing with dnf produces error /var/tmp/rpm-tmp.jMe0EE: line 44 [: too many arguments
+- resolves #1509292 - CVE-2017-16227 quagga: Incorrect AS_PATH size calculation for long paths
+
+* Mon May 29 2017 Michal Ruprich <mruprich@redhat.com> - 1.2.1-1
+- rebase to 1.2.1(#1431309)
+- added quagga to quaggavt group - resolves #1434028
+- enabled pimd and nhrpd
+- fix bogus date in changelog
+
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 
@@ -253,7 +293,7 @@ fi
 * Mon May 26 2014 Michal Sekletar <msekleta@redhat.com> - 0.99.22.4-4
 - raise privileges before creating netlink socket (#1097684)
 
-* Thu Jan 29 2014 Michal Sekletar <msekleta@redhat.com> - 0.99.22.4-3
+* Wed Jan 29 2014 Michal Sekletar <msekleta@redhat.com> - 0.99.22.4-3
 - fix source url
 - fix date in the changelog
 

sources

@@ -1 +1,2 @@
-SHA512 (quagga-1.1.1.tar.gz) = 51eb64ada07b42c663705cedf56be5b8b54143a5543b472e3dc7c703a4ab0542f39cfbeed64d1c33ceee6a15ea8d25ef84616fa40b6bf9cc32023f7241c18c58
+SHA512 (quagga-1.2.2.tar.gz) = 861f6524bcdc01d1a895762bf1904744c12ae4dfc7c3583ecb7e55b3978c98187bde76df0ff85093c744139be9d5cf324fec75b5ba86cf1fdbce70d923710d14
+SHA512 (quagga-1.2.2.tar.gz.asc) = bb88e1a598f585255700bd7362ffed8ce3a0697c7df22747da27ba28ed43b400ee8ce5920cc90229359cc217cb6bac41bf546c259b1cfbab2943680cb177e52d