Fix CVE-2018-5379, CVE-2018-5380, CVE-2018-5381, CVE-2018-5378

Fixed CVE-2018-5379 - Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code Resolves: rhbz#1546008 Fixed CVE-2018-5380 - bgpd can overrun internal BGP code-to-string conversion tables potentially allowing crash Resolves: rhbz#1546006 Fixed CVE-2018-5381 - Infinite loop issue triggered by invalid OPEN message allows denial-of-service Resolves: rhbz#1546004 Fixed CVE-2018-5378 - bgpd does not properly bounds check the data sent with a NOTIFY allowing leak of sensitive data or crash Resolves: rhbz#1546009
rebase to 1.2.2(#1504420 )
2018-02-22 12:19:17 +01:00 · 2017-11-14 12:48:19 +01:00 · 2017-05-30 14:39:59 +02:00
8 changed files with 363 additions and 189 deletions
--- a/.gitignore
+++ b/.gitignore
@ -15,5 +15,3 @@ quagga-0.99.17.tar.gz
 /quagga-1.2.1.tar.gz
 /quagga-1.2.2.tar.gz
 /quagga-1.2.2.tar.gz.asc
-/quagga-1.2.4.tar.gz
-/quagga-1.2.4.tar.gz.asc
--- a/0001-bgpd-security-Fix-double-free-of-unknown-attribute.patch
+++ b/0001-bgpd-security-Fix-double-free-of-unknown-attribute.patch
@ -0,0 +1,110 @@
+From e69b535f92eafb599329bf725d9b4c6fd5d7fded Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Sat, 6 Jan 2018 19:52:10 +0000
+Subject: [PATCH] bgpd/security: Fix double free of unknown attribute
+
+Security issue: Quagga-2018-1114
+See: https://www.quagga.net/security/Quagga-2018-1114.txt
+
+It is possible for bgpd to double-free an unknown attribute. This can happen
+via bgp_update_receive receiving an UPDATE with an invalid unknown attribute.
+bgp_update_receive then will call bgp_attr_unintern_sub and bgp_attr_flush,
+and the latter may try free an already freed unknown attr.
+
+* bgpd/bgp_attr.c: (transit_unintern) Take a pointer to the caller's storage
+  for the (struct transit *), so that transit_unintern can NULL out the
+  caller's reference if the (struct transit) is freed.
+  (cluster_unintern) By inspection, appears to have a similar issue.
+  (bgp_attr_unintern_sub) adjust for above.
+---
+ bgpd/bgp_attr.c | 33 +++++++++++++++++++--------------
+ bgpd/bgp_attr.h |  4 ++--
+ 2 files changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 9564637e..0c2806b5 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -199,15 +199,17 @@ cluster_intern (struct cluster_list *cluster)
+ }
+ 
+ void
+-cluster_unintern (struct cluster_list *cluster)
+cluster_unintern (struct cluster_list **cluster)
+ {
+-  if (cluster->refcnt)
+-    cluster->refcnt--;
+  struct cluster_list *c = *cluster;
+  if (c->refcnt)
+    c->refcnt--;
+ 
+-  if (cluster->refcnt == 0)
+  if (c->refcnt == 0)
+     {
+-      hash_release (cluster_hash, cluster);
+-      cluster_free (cluster);
+      hash_release (cluster_hash, c);
+      cluster_free (c);
+      *cluster = NULL;
+     }
+ }
+ 
+@@ -357,15 +359,18 @@ transit_intern (struct transit *transit)
+ }
+ 
+ void
+-transit_unintern (struct transit *transit)
+transit_unintern (struct transit **transit)
+ {
+-  if (transit->refcnt)
+-    transit->refcnt--;
+  struct transit *t = *transit;
+  
+  if (t->refcnt)
+    t->refcnt--;
+ 
+-  if (transit->refcnt == 0)
+  if (t->refcnt == 0)
+     {
+-      hash_release (transit_hash, transit);
+-      transit_free (transit);
+      hash_release (transit_hash, t);
+      transit_free (t);
+      *transit = NULL;
+     }
+ }
+ 
+@@ -820,11 +825,11 @@ bgp_attr_unintern_sub (struct attr *attr)
+       UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_LARGE_COMMUNITIES));
+       
+       if (attr->extra->cluster)
+-        cluster_unintern (attr->extra->cluster);
+        cluster_unintern (&attr->extra->cluster);
+       UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST));
+       
+       if (attr->extra->transit)
+-        transit_unintern (attr->extra->transit);
+        transit_unintern (&attr->extra->transit);
+     }
+ }
+ 
+diff --git a/bgpd/bgp_attr.h b/bgpd/bgp_attr.h
+index 9ff074b2..052acc7d 100644
+--- a/bgpd/bgp_attr.h
+++ b/bgpd/bgp_attr.h
+@@ -187,10 +187,10 @@ extern unsigned long int attr_unknown_count (void);
+ 
+ /* Cluster list prototypes. */
+ extern int cluster_loop_check (struct cluster_list *, struct in_addr);
+-extern void cluster_unintern (struct cluster_list *);
+extern void cluster_unintern (struct cluster_list **);
+ 
+ /* Transit attribute prototypes. */
+-void transit_unintern (struct transit *);
+void transit_unintern (struct transit **);
+ 
+ /* Below exported for unit-test purposes only */
+ struct bgp_attr_parser_args {
+-- 
+2.14.3
+
--- a/0001-bgpd-security-debug-print-of-received-NOTIFY-data-ca.patch
+++ b/0001-bgpd-security-debug-print-of-received-NOTIFY-data-ca.patch
@ -0,0 +1,112 @@
+From 9e5251151894aefdf8e9392a2371615222119ad8 Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Sat, 6 Jan 2018 22:31:52 +0000
+Subject: [PATCH] bgpd/security: debug print of received NOTIFY data can
+ over-read msg array
+
+Security issue: Quagga-2018-1550
+See: https://www.quagga.net/security/Quagga-2018-1550.txt
+
+* bgpd/bgp_debug.c: (struct message) Nearly every one of the NOTIFY
+  code/subcode message arrays has their corresponding size variables off
+  by one, as most have 1 as first index.
+
+  This means (bgp_notify_print) can cause mes_lookup to overread the (struct
+  message) by 1 pointer value if given an unknown index.
+
+  Fix the bgp_notify_..._msg_max variables to use the compiler to calculate
+  the correct sizes.
+---
+ bgpd/bgp_debug.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/bgpd/bgp_debug.c b/bgpd/bgp_debug.c
+index ba797228..43faee7c 100644
+--- a/bgpd/bgp_debug.c
+++ b/bgpd/bgp_debug.c
+@@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ #include "log.h"
+ #include "sockunion.h"
+ #include "filter.h"
+#include "memory.h"
+ 
+ #include "bgpd/bgpd.h"
+ #include "bgpd/bgp_aspath.h"
+@@ -73,7 +74,8 @@ const struct message bgp_status_msg[] =
+   { Clearing,    "Clearing"    },
+   { Deleted,     "Deleted"     },
+ };
+-const int bgp_status_msg_max = BGP_STATUS_MAX;
+#define BGP_DEBUG_MSG_MAX(msg) const int msg ## _max = array_size (msg)
+BGP_DEBUG_MSG_MAX (bgp_status_msg);
+ 
+ /* BGP message type string. */
+ const char *bgp_type_str[] =
+@@ -84,7 +86,8 @@ const char *bgp_type_str[] =
+   "NOTIFICATION",
+   "KEEPALIVE",
+   "ROUTE-REFRESH",
+-  "CAPABILITY"
+  "CAPABILITY",
+  NULL,
+ };
+ 
+ /* message for BGP-4 Notify */
+@@ -98,15 +101,15 @@ static const struct message bgp_notify_msg[] =
+   { BGP_NOTIFY_CEASE, "Cease"},
+   { BGP_NOTIFY_CAPABILITY_ERR, "CAPABILITY Message Error"},
+ };
+-static const int bgp_notify_msg_max = BGP_NOTIFY_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_msg);
+ 
+ static const struct message bgp_notify_head_msg[] = 
+ {
+   { BGP_NOTIFY_HEADER_NOT_SYNC, "/Connection Not Synchronized"},
+   { BGP_NOTIFY_HEADER_BAD_MESLEN, "/Bad Message Length"},
+-  { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"}
+  { BGP_NOTIFY_HEADER_BAD_MESTYPE, "/Bad Message Type"},
+ };
+-static const int bgp_notify_head_msg_max = BGP_NOTIFY_HEADER_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_head_msg);
+ 
+ static const struct message bgp_notify_open_msg[] = 
+ {
+@@ -119,7 +122,7 @@ static const struct message bgp_notify_open_msg[] =
+   { BGP_NOTIFY_OPEN_UNACEP_HOLDTIME, "/Unacceptable Hold Time"}, 
+   { BGP_NOTIFY_OPEN_UNSUP_CAPBL, "/Unsupported Capability"},
+ };
+-static const int bgp_notify_open_msg_max = BGP_NOTIFY_OPEN_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_open_msg);
+ 
+ static const struct message bgp_notify_update_msg[] = 
+ {
+@@ -136,7 +139,7 @@ static const struct message bgp_notify_update_msg[] =
+   { BGP_NOTIFY_UPDATE_INVAL_NETWORK, "/Invalid Network Field"},
+   { BGP_NOTIFY_UPDATE_MAL_AS_PATH, "/Malformed AS_PATH"},
+ };
+-static const int bgp_notify_update_msg_max = BGP_NOTIFY_UPDATE_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_update_msg);
+ 
+ static const struct message bgp_notify_cease_msg[] =
+ {
+@@ -150,7 +153,7 @@ static const struct message bgp_notify_cease_msg[] =
+   { BGP_NOTIFY_CEASE_COLLISION_RESOLUTION, "/Connection collision resolution"},
+   { BGP_NOTIFY_CEASE_OUT_OF_RESOURCE, "/Out of Resource"},
+ };
+-static const int bgp_notify_cease_msg_max = BGP_NOTIFY_CEASE_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_cease_msg);
+ 
+ static const struct message bgp_notify_capability_msg[] = 
+ {
+@@ -159,7 +162,7 @@ static const struct message bgp_notify_capability_msg[] =
+   { BGP_NOTIFY_CAPABILITY_INVALID_LENGTH, "/Invalid Capability Length"},
+   { BGP_NOTIFY_CAPABILITY_MALFORMED_CODE, "/Malformed Capability Value"},
+ };
+-static const int bgp_notify_capability_msg_max = BGP_NOTIFY_CAPABILITY_MAX;
+BGP_DEBUG_MSG_MAX (bgp_notify_capability_msg);
+ 
+ /* Origin strings. */
+ const char *bgp_origin_str[] = {"i","e","?"};
+-- 
+2.14.3
+
--- a/0001-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch
+++ b/0001-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch
@ -0,0 +1,41 @@
+From ce07207c50a3d1f05d6dd49b5294282e59749787 Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Sat, 6 Jan 2018 21:20:51 +0000
+Subject: [PATCH] bgpd/security: fix infinite loop on certain invalid OPEN
+ messages
+
+Security issue: Quagga-2018-1975
+See: https://www.quagga.net/security/Quagga-2018-1975.txt
+
+* bgpd/bgp_packet.c: (bgp_capability_msg_parse) capability parser can infinite
+  loop due to checks that issue 'continue' without bumping the input
+  pointer.
+---
+ bgpd/bgp_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index b3d601fc..f9338d8d 100644
+--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
+@@ -2328,7 +2328,8 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
+ 
+   end = pnt + length;
+ 
+-  while (pnt < end)
+  /* XXX: Streamify this */
+  for (; pnt < end; pnt += hdr->length + 3)
+     {      
+       /* We need at least action, capability code and capability length. */
+       if (pnt + 3 > end)
+@@ -2416,7 +2417,6 @@ bgp_capability_msg_parse (struct peer *peer, u_char *pnt, bgp_size_t length)
+           zlog_warn ("%s unrecognized capability code: %d - ignored",
+                      peer->host, hdr->code);
+         }
+-      pnt += hdr->length + 3;
+     }
+   return 0;
+ }
+-- 
+2.14.3
+
--- a/0001-bgpd-security-invalid-attr-length-sends-NOTIFY-with-.patch
+++ b/0001-bgpd-security-invalid-attr-length-sends-NOTIFY-with-.patch
@ -0,0 +1,67 @@
+From cc2e6770697e343f4af534114ab7e633d5beabec Mon Sep 17 00:00:00 2001
+From: Paul Jakma <paul@jakma.org>
+Date: Wed, 3 Jan 2018 23:57:33 +0000
+Subject: [PATCH] bgpd/security: invalid attr length sends NOTIFY with data
+ overrun
+
+Security issue: Quagga-2018-0543
+
+See: https://www.quagga.net/security/Quagga-2018-0543.txt
+
+* bgpd/bgp_attr.c: (bgp_attr_parse) An invalid attribute length is correctly
+  checked, and a NOTIFY prepared.  The NOTIFY can include the incorrect
+  received data with the NOTIFY, for debug purposes.  Commit
+  c69698704806a9ac5 modified the code to do that just, and also send the
+  malformed attr with the NOTIFY.  However, the invalid attribute length was
+  used as the length of the data to send back.
+
+  The result is a read past the end of data, which is then written to the
+  NOTIFY message and sent to the peer.
+
+  A configured BGP peer can use this bug to read up to 64 KiB of memory from
+  the bgpd process, or crash the process if the invalid read is caught by
+  some means (unmapped page and SEGV, or other mechanism) resulting in a DoS.
+
+  This bug _ought_ /not/ be exploitable by anything other than the connected
+  BGP peer, assuming the underlying TCP transport is secure.  For no BGP
+  peer should send on an UPDATE with this attribute.  Quagga will not, as
+  Quagga always validates the attr header length, regardless of type.
+
+  However, it is possible that there are BGP implementations that do not
+  check lengths on some attributes (e.g.  optional/transitive ones of a type
+  they do not recognise), and might pass such malformed attrs on.  If such
+  implementations exists and are common, then this bug might be triggerable
+  by BGP speakers further hops away.  Those peers will not receive the
+  NOTIFY (unless they sit on a shared medium), however they might then be
+  able to trigger a DoS.
+
+  Fix: use the valid bound to calculate the length.
+---
+ bgpd/bgp_attr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index ef58beb1..9564637e 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -2147,6 +2147,8 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size,
+   memset (seen, 0, BGP_ATTR_BITMAP_SIZE);
+ 
+   /* End pointer of BGP attribute. */
+  assert (size <= stream_get_size (BGP_INPUT (peer)));
+  assert (size <= stream_get_endp (BGP_INPUT (peer)));
+   endp = BGP_INPUT_PNT (peer) + size;
+   
+   /* Get attributes to the end of attribute length. */
+@@ -2228,7 +2230,7 @@ bgp_attr_parse (struct peer *peer, struct attr *attr, bgp_size_t size,
+           bgp_notify_send_with_data (peer,
+                                      BGP_NOTIFY_UPDATE_ERR,
+                                      BGP_NOTIFY_UPDATE_ATTR_LENG_ERR,
+-                                     startp, attr_endp - startp);
+                                     startp, endp - startp);
+ 	  return BGP_ATTR_PARSE_ERROR;
+ 	}
+ 	
+-- 
+2.14.3
+
--- a/0001-service-file-braces.patch
+++ b/0001-service-file-braces.patch
@ -1,120 +0,0 @@
-From: Michal Ruprich <mruprich@redhat.com>
-diff --git a/redhat/bgpd.service b/redhat/bgpd.service
-index a50bfff..2eda1b8 100644
--- a/redhat/bgpd.service
-+++ b/redhat/bgpd.service
-@@ -11,7 +11,7 @@ Documentation=man:bgpd
- Type=forking
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStartPre=-/bin/chmod -f 640 /etc/quagga/bgpd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/bgpd.conf
-+ExecStartPre=-/bin/chown -f ${QUAGGA_USER}:${QUAGGA_GROUP} /etc/quagga/bgpd.conf
- ExecStart=/usr/sbin/bgpd -d $BGPD_OPTS -f /etc/quagga/bgpd.conf
- Restart=on-abort
- 
-diff --git a/redhat/isisd.service b/redhat/isisd.service
-index 93663aa..db33281 100644
--- a/redhat/isisd.service
-+++ b/redhat/isisd.service
-@@ -11,7 +11,7 @@ Documentation=man:isisd
- Type=forking
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStartPre=-/bin/chmod -f 640 /etc/quagga/isisd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/isisd.conf
-+ExecStartPre=-/bin/chown -f ${QUAGGA_USER}:${QUAGGA_GROUP} /etc/quagga/isisd.conf
- ExecStart=/usr/sbin/isisd -d $ISISD_OPTS -f /etc/quagga/isisd.conf
- Restart=on-abort
- 
-diff --git a/redhat/nhrpd.service b/redhat/nhrpd.service
-index 5b4120d..043c220 100644
--- a/redhat/nhrpd.service
-+++ b/redhat/nhrpd.service
-@@ -11,7 +11,7 @@ Documentation=man:nhrpd
- Type=forking
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStartPre=-/bin/chmod -f 640 /etc/quagga/nhrpd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/nhrpd.conf
-+ExecStartPre=-/bin/chown -f ${QUAGGA_USER}:${QUAGGA_GROUP} /etc/quagga/nhrpd.conf
- ExecStart=/usr/sbin/nhrpd -d $NHRPD_OPTS -f /etc/quagga/nhrpdd.conf
- Restart=on-abort
- 
-diff --git a/redhat/ospf6d.service b/redhat/ospf6d.service
-index 3c1c978..a0d6223 100644
--- a/redhat/ospf6d.service
-+++ b/redhat/ospf6d.service
-@@ -11,7 +11,7 @@ Documentation=man:ospf6d
- Type=forking
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospf6d.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospf6d.conf
-+ExecStartPre=-/bin/chown -f ${QUAGGA_USER}:${QUAGGA_GROUP} /etc/quagga/ospf6d.conf
- ExecStart=/usr/sbin/ospf6d -d $OSPF6D_OPTS -f /etc/quagga/ospf6d.conf
- Restart=on-abort
- 
-diff --git a/redhat/ospfd.service b/redhat/ospfd.service
-index 0084b6c..ffc048a 100644
--- a/redhat/ospfd.service
-+++ b/redhat/ospfd.service
-@@ -11,7 +11,7 @@ Documentation=man:ospfd
- Type=forking
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ospfd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ospfd.conf
-+ExecStartPre=-/bin/chown -f ${QUAGGA_USER}:${QUAGGA_GROUP} /etc/quagga/ospfd.conf
- ExecStart=/usr/sbin/ospfd -d $OSPFD_OPTS -f /etc/quagga/ospfd.conf
- Restart=on-abort
- 
-diff --git a/redhat/pimd.service b/redhat/pimd.service
-index 1916846..ae30f16 100644
--- a/redhat/pimd.service
-+++ b/redhat/pimd.service
-@@ -9,7 +9,7 @@ Documentation=man:pimd
- Type=forking
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStartPre=-/bin/chmod -f 640 /etc/quagga/pimd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/pimd.conf
-+ExecStartPre=-/bin/chown -f ${QUAGGA_USER}:${QUAGGA_GROUP} /etc/quagga/pimd.conf
- ExecStart=/usr/sbin/pimd -d $PIMD_OPTS -f /etc/quagga/pimd.conf
- Restart=on-abort
- 
-diff --git a/redhat/ripd.service b/redhat/ripd.service
-index 103b5a9..56e885a 100644
--- a/redhat/ripd.service
-+++ b/redhat/ripd.service
-@@ -11,7 +11,7 @@ Documentation=man:ripd
- Type=forking
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripd.conf
-+ExecStartPre=-/bin/chown -f ${QUAGGA_USER}:${QUAGGA_GROUP} /etc/quagga/ripd.conf
- ExecStart=/usr/sbin/ripd -d $RIPD_OPTS -f /etc/quagga/ripd.conf
- Restart=on-abort
- 
-diff --git a/redhat/ripngd.service b/redhat/ripngd.service
-index 6fe6ba8..c0defa0 100644
--- a/redhat/ripngd.service
-+++ b/redhat/ripngd.service
-@@ -11,7 +11,7 @@ Documentation=man:ripngd
- Type=forking
- EnvironmentFile=/etc/sysconfig/quagga
- ExecStartPre=-/bin/chmod -f 640 /etc/quagga/ripngd.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /etc/quagga/ripngd.conf
-+ExecStartPre=-/bin/chown -f ${QUAGGA_USER}:${QUAGGA_GROUP} /etc/quagga/ripngd.conf
- ExecStart=/usr/sbin/ripngd -d $RIPNGD_OPTS -f /etc/quagga/ripngd.conf
- Restart=on-abort
- 
-diff --git a/redhat/zebra.service b/redhat/zebra.service
-index fa5a004..d4ba5ea 100644
--- a/redhat/zebra.service
-+++ b/redhat/zebra.service
-@@ -11,8 +11,8 @@ Type=forking
- EnvironmentFile=-/etc/sysconfig/quagga
- ExecStartPre=/sbin/ip route flush proto zebra
- ExecStartPre=-/bin/chmod -f 640 /etc/quagga/vtysh.conf /etc/quagga/zebra.conf
-ExecStartPre=-/bin/chown -f $QUAGGA_USER:$QUAGGA_GROUP /run/quagga /etc/quagga/zebra.conf
-ExecStartPre=-/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} quaggavty /etc/quagga/vtysh.conf
-+ExecStartPre=-/bin/chown -f ${QUAGGA_USER}:${QUAGGA_GROUP} /run/quagga /etc/quagga/zebra.conf
-+ExecStartPre=-/bin/sh -c '/bin/chown -f ${QUAGGA_USER}${VTY_GROUP:+":$VTY_GROUP"} /etc/quagga/vtysh.conf'
- ExecStart=/usr/sbin/zebra -d $ZEBRA_OPTS -f /etc/quagga/zebra.conf
- Restart=on-abort
- 
--- a/quagga.spec
+++ b/quagga.spec
@ -6,10 +6,11 @@
 %global _hardened_build 1

 Name: quagga
-Version: 1.2.4
-Release: 11%{?dist}
+Version: 1.2.2
+Release: 2%{?dist}
 Summary: Routing daemon
 License: GPLv2+
+Group: System Environment/Daemons
 URL: http://www.quagga.net
 Source0: http://download.savannah.gnu.org/releases/quagga/%{name}-%{version}.tar.gz
 Source1: quagga-filter-perl-requires.sh
@ -17,20 +18,25 @@ Source2: quagga-tmpfs.conf
 BuildRequires: perl-generators pkgconfig
 BuildRequires: systemd
 BuildRequires: net-snmp-devel
-BuildRequires: texinfo libcap-devel texi2html
+BuildRequires: texinfo tetex libcap-devel texi2html
 BuildRequires: readline readline-devel ncurses ncurses-devel
 BuildRequires: git
 BuildRequires: c-ares-devel
-BuildRequires: gcc
 Requires: net-snmp ncurses c-ares
-Requires(post): systemd
-Requires(preun): systemd
+Requires(post): systemd /sbin/install-info
+Requires(preun): systemd /sbin/install-info
 Requires(postun): systemd
 Provides: routingdaemon = %{version}-%{release}
 Obsoletes: quagga-sysvinit
-Conflicts: frr

-Patch0001: 0001-service-file-braces.patch
+# Upstream patch:
+Patch0: 0001-bgpd-security-Fix-double-free-of-unknown-attribute.patch
+# Upstream patch:
+Patch1: 0001-bgpd-security-debug-print-of-received-NOTIFY-data-ca.patch
+# Upstream patch:
+Patch2: 0001-bgpd-security-fix-infinite-loop-on-certain-invalid-O.patch
+# Upstream patch:
+Patch3: 0001-bgpd-security-invalid-attr-length-sends-NOTIFY-with-.patch

 %define __perl_requires %{SOURCE1}

@ -50,12 +56,14 @@ Quagga is a fork of GNU Zebra.

 %package contrib
 Summary: Contrib tools for quagga
+Group: System Environment/Daemons

 %description contrib
 Contributed/3rd party tools which may be of use with quagga.

 %package devel
 Summary: Header and object files for quagga development
+Group: System Environment/Daemons
 Requires: %{name} = %{version}-%{release}

 %description devel
@ -141,6 +149,11 @@ usermod -a -G %vty_group quagga
 %systemd_post ospf6d.service
 %systemd_post ripngd.service

+ls %{_infodir}/%{name}.inf* > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+    install-info %{_infodir}/quagga.info %{_infodir}/dir || :
+fi
+
 # Create dummy files if they don't exist so basic functions can be used.
 if [ ! -e %{_sysconfdir}/quagga/zebra.conf ]; then
    echo "hostname `hostname`" > %{_sysconfdir}/quagga/zebra.conf
@ -163,6 +176,11 @@ fi
 %systemd_postun_with_restart ospf6d.service
 %systemd_postun_with_restart ripngd.service

+ls %{_infodir}/%{name}.inf* > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+    install-info --delete %{_infodir}/quagga.info %{_infodir}/dir || :
+fi
+
 %preun
 %systemd_preun zebra.service
 %systemd_preun isisd.service
@ -173,6 +191,7 @@ fi
 %systemd_preun ripngd.service

 %files
+%defattr(-,root,root)
 %doc AUTHORS COPYING
 %doc zebra/zebra.conf.sample
 %doc isisd/isisd.conf.sample
@ -201,9 +220,11 @@ fi
 %{_unitdir}/*.service

 %files contrib
+%defattr(-,root,root)
 %doc AUTHORS COPYING %attr(0644,root,root) tools

 %files devel
+%defattr(-,root,root)
 %doc AUTHORS COPYING
 %dir %{_libdir}/quagga/
 %{_libdir}/quagga/*.so
@ -213,41 +234,7 @@ fi
 %{_includedir}/quagga/ospfd/*.h

 %changelog
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Jul 21 2019 Michal Ruprich <mruprich@redhat.com> - 1.2.4-10
- Adding conflict with frr
-
-* Mon Jun 10 22:13:22 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.2.4-9
- Rebuild for RPM 4.15
-
-* Mon Jun 10 15:42:05 CET 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.2.4-8
- Rebuild for RPM 4.15
-
-* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.2.4-7
- Rebuild for readline 8.0
-
-* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1.2.4-5
- Rebuilt for libcrypt.so.2 (#1666033)
-
-* Mon Dec 10 2018 Michal Ruprich <mruprich@redhat.com> - 1.2.4-4
- Resolves: #1611589 - Need to use {} around the environment variables in unit files
-
-* Wed Jul 25 2018 Michal Ruprich <mruprich@redhat.com> - 1.2.4-3
- Removing tetex from dependencies
- Adding gcc to BuildRequires
-
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Fri May 04 2018 Michal Ruprich <mruprich@redhat.com> - 1.2.4-1
- New version 1.2.4
-
-* Thu Feb 22 2018 Ondřej Lysoněk <olysonek@redhat.com> - 1.2.2-4
+* Thu Feb 22 2018 Ondřej Lysoněk <olysonek@redhat.com> - 1.2.2-2
 - Fixed CVE-2018-5379 - Double free vulnerability in bgpd when processing
  certain forms of UPDATE message allowing to crash or potentially execute
  arbitrary code
@ -262,32 +249,11 @@ fi
  a NOTIFY allowing leak of sensitive data or crash
 - Resolves: rhbz#1546009

-* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.2.2-3
- Escape macros in %%changelog
-
-* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1.2.2-2
- Rebuilt for switch to libxcrypt
-
 * Tue Nov 14 2017 Michal Ruprich <mruprich@redhat.com> - 1.2.2-1
 - rebase to 1.2.2(#1504420)
 - resolves #1462426 - Installing with dnf produces error /var/tmp/rpm-tmp.jMe0EE: line 44 [: too many arguments
 - resolves #1509292 - CVE-2017-16227 quagga: Incorrect AS_PATH size calculation for long paths

-* Fri Aug 11 2017 Igor Gnatenko <ignatenko@redhat.com> - 1.2.1-6
- Rebuilt after RPM update (№ 3)
-
-* Thu Aug 10 2017 Igor Gnatenko <ignatenko@redhat.com> - 1.2.1-5
- Rebuilt for RPM soname bump
-
-* Thu Aug 10 2017 Igor Gnatenko <ignatenko@redhat.com> - 1.2.1-4
- Rebuilt for RPM soname bump
-
-* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
 * Mon May 29 2017 Michal Ruprich <mruprich@redhat.com> - 1.2.1-1
 - rebase to 1.2.1(#1431309)
 - added quagga to quaggavt group - resolves #1434028
@ -468,7 +434,7 @@ fi
 - #656681 - using tmpfiles.d

 * Thu Dec 02 2010 Jiri Skala <jskala@redhat.com> - 0.99.17-3
- fixes #656681 - using %%ghost on files in /var/run and /var/lock
+- fixes #656681 - using %ghost on files in /var/run and /var/lock
 - removed unused script from spec
 - corrected installing /etc/pam.d

--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (quagga-1.2.4.tar.gz) = 3e72440bcccfd3c1a449a62b7ff8623441256399a2bee0a39fa0a19694a5a78ac909c5c2128a24735bc034ea8b0811827293b480a2584a3a4c8ae36be9cf1fcd
-SHA512 (quagga-1.2.4.tar.gz.asc) = 054f6159bf3e2ea396e696d6297b026d1322b17eba31826cf3ac42b5a43e924caef1d87bba481cc3c272b56aa5c64b3d5537a67693f99cafb560d216870fede3
+SHA512 (quagga-1.2.2.tar.gz) = 861f6524bcdc01d1a895762bf1904744c12ae4dfc7c3583ecb7e55b3978c98187bde76df0ff85093c744139be9d5cf324fec75b5ba86cf1fdbce70d923710d14
+SHA512 (quagga-1.2.2.tar.gz.asc) = bb88e1a598f585255700bd7362ffed8ce3a0697c7df22747da27ba28ed43b400ee8ce5920cc90229359cc217cb6bac41bf546c259b1cfbab2943680cb177e52d