Bug 384651 (CVE-2011-3323) - <net-misc/quagga-0.99.20 Multiple DoS (CVE-2011-{3323,3324,3325,3326,3327})
Summary: <net-misc/quagga-0.99.20 Multiple DoS (CVE-2011-{3323,3324,3325,3326,3327})
Status: RESOLVED FIXED
Alias: CVE-2011-3323
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46139/
Whiteboard: B3 [glsa]
Reported: 2011-09-27 12:41 UTC by Agostino Sarubbo
Modified: 2012-02-21 18:44 UTC

Description Agostino Sarubbo gentoo-dev 2011-09-27 12:41:53 UTC
From Secunia security advisory at $URL:

Description:
1) An error in ospf6d when handling the length of IPv6 prefix structures within Link State Update messages can be exploited to crash the daemon and disrupt IPv6 routing.
2) An assertion error in ospf6d when processing Database Description messages can be exploited to terminate the daemon and disrupt IPv6 routing.
3) An error in ospfd when processing Hello messages can be exploited to crash the daemon and disrupt IPv4 routing.
4) An error in ospfd when processing Link State Advertisement (LSA) types within Link State Update messages can be exploited to crash the daemon and disrupt IPv4 routing.
5) An error in bgpd when handling AS_PATH attributes within UPDATE messages can be exploited to cause a heap-based buffer overflow resulting in a crash of the daemon and disruption of IPv4 routing.

Solution:
Update to version 0.99.19
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-09-27 13:07:51 UTC
0.9.19 is in tree.
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-27 14:02:22 UTC
Thanks Diego.

Arches, please test and mark stable:

=net-misc/quagga-0.9.19

target KEYWORDS : "alpha amd64 arm hppa ppc s390 sparc x86"
Comment 3 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-27 17:05:21 UTC
Is multiple compiling enough to test this package?
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-09-27 17:13:37 UTC
I can give it a shot in a moment on amd64/hardened, but just with ripd.
Comment 5 Agostino Sarubbo gentoo-dev 2011-09-27 19:26:29 UTC
Multiple compile tests ok for me on amd64
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-27 19:33:50 UTC
(In reply to comment #2)
> Thanks Diego.
> 
> Arches, please test and mark stable:
> 
> =net-misc/quagga-0.9.19

That's 0.99.19, right?

> target KEYWORDS : "alpha amd64 arm hppa ppc s390 sparc x86"
Comment 7 Agostino Sarubbo gentoo-dev 2011-09-27 19:42:41 UTC
(In reply to comment #6)
> That's 0.99.19, right?
Yes, sorry for typo.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-27 19:45:24 UTC
/etc/init.d/ripd and its symlinks hang running:

   [ "$(get_service_config log)" = "syslog" ] && \
     use logger

so caching service dependencies never finishes. I can't figure out what package get_service_config belongs to.

# /lib/rc/sh/gendepends.sh
[...]
bacula-fd iuse dns
bacula-sd
bacula-sd ineed net
bacula-sd iuse dns
bgpd
bgpd ineed zebra
[ ..hangs.. ]

Tue Sep 27 21:43:18 CEST 2011
Portage 2.1.10.19 (default/linux/hppa/10.0, gcc-4.4.6, glibc-2.12.2-r0, 3.0.4-JeR parisc)
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-27 19:49:07 UTC
(In reply to comment #8)
> I can't figure out what package get_service_config belongs to.

Er, that's defined in the same script, of course. :)

OK, so analysing further, the "log" feature has to be defined in every /etc/quagga/* configuration file matching /etc/init.d/ripd or one of its symlinks for service dep generation to properly work, even if you do not intend to ever run those services. I think this is a bug.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-27 20:12:50 UTC
Index: files/quagga-services.init.2
===================================================================
RCS file: /var/cvsroot/gentoo-x86/net-misc/quagga/files/quagga-services.init.2,v
retrieving revision 1.1
diff -u -B -r1.1 quagga-services.init.2
--- files/quagga-services.init.2        27 Sep 2011 13:07:50 -0000      1.1
+++ files/quagga-services.init.2        27 Sep 2011 20:10:29 -0000
@@ -3,7 +3,7 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Header: /var/cvsroot/gentoo-x86/net-misc/quagga/files/quagga-services.init.2,v 1.1 2011/09/27 13:07:50 flameeyes Exp $
 
-: CFGFILE=/etc/quagga/${SVCNAME}.conf
+CFGFILE=/etc/quagga/${SVCNAME}.conf
 
 get_service_config() {
        awk '$1 == "'$1'" { s=$2 } END { print s }' "$CFGFILE"
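Review bot: Dropping the leading `:` fixes the silent no-op (`: CFGFILE=...` runs the shell null command with the assignment as its argument, so CFGFILE was never set and awk had no file to read, which is the hang from comment 8), but `get_service_config()` still hands awk a path that may not exist, which is where the `cannot open file` errors for bgpd.conf, ospf6d.conf, ripd.conf and ripngd.conf during dependency caching come from. Suggest guarding the call with something like `[ -r "$CFGFILE" ] || return 0` before the awk line, and passing the key via `awk -v key="$1" '$1 == key { s=$2 } END { print s }'` instead of splicing the shell's `$1` into the program text. The zebra init script needs the same change.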


This helps, but it still spits out these ugly error messages:
 * Caching service dependencies ...
awk: cmd. line:1: fatal: cannot open file `/etc/quagga/bgpd.conf' for reading (No such file or directory)
awk: cmd. line:1: fatal: cannot open file `/etc/quagga/ospf6d.conf' for reading (No such file or directory)
awk: cmd. line:1: fatal: cannot open file `/etc/quagga/ripd.conf' for reading (No such file or directory)
awk: cmd. line:1: fatal: cannot open file `/etc/quagga/ripngd.conf' for reading (No such file or directory)

Also, the same patch would need to be applied to the zebra init.d script.
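As an added example (not the Gentoo init script or Quagga code), here is a get_service_config variant that tolerates a missing /etc/quagga/<daemon>.conf instead of hanging or printing awk errors, alongside a demonstration of the `: VAR=value` no-op that caused the original hang; make_sample_config and noop_leaves_unset are names assumed for this example, and the config content is constructed.

```shell
#!/bin/sh
# Added example, not the Gentoo init script. CFGFILE is set by the caller,
# exactly as the init script does after the patch in comment 10.

get_service_config() {
    # A missing or unreadable config yields an empty value and success,
    # so service dependency caching neither hangs nor prints awk errors.
    [ -r "${CFGFILE:-}" ] || return 0
    # Pass the key with -v rather than splicing shell $1 into the awk
    # program text; the last matching line wins, as in the original.
    awk -v key="$1" '$1 == key { s = $2 } END { print s }' "$CFGFILE"
}

# The pitfall from the original script: ":" is the shell null command, so
# the "assignment" is just an argument to it and the variable stays unset.
: CFGFILE_NOOP=/etc/quagga/demo.conf
noop_leaves_unset() { [ -z "${CFGFILE_NOOP:-}" ]; }

# Constructed sample config written to the path given as $1 (hypothetical).
make_sample_config() {
    cat > "$1" <<'EOF'
hostname ripd
log syslog
log stdout
EOF
}

# Stand-alone demonstration; the verifier exercises the functions directly.
TMPD=$(mktemp -d)
make_sample_config "$TMPD/ripd.conf"
CFGFILE="$TMPD/ripd.conf"
echo "log setting: $(get_service_config log)"      # stdout (last match)
CFGFILE="$TMPD/bgpd.conf"                            # no such file
echo "missing config: '$(get_service_config log)'"  # empty, no hang
rm -rf "$TMPD"
```

With the guard in place, an init script symlink for a daemon that was never configured simply reports no log setting and the `use logger` dependency is skipped.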
Comment 11 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-09-27 21:48:22 UTC
Heck, thanks for catching that up, it worked here because the router had some stray old configs :(
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-27 21:55:29 UTC
Stable for HPPA.

Arch teams, please test and mark stable:
=net-misc/quagga-0.99.19-r1
Target KEYWORDS="alpha amd64 arm hppa ppc s390 sparc x86"
Comment 13 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-28 02:00:36 UTC
amd64: emerge pass
Comment 14 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-28 04:36:42 UTC
ppc stable
Comment 15 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-09-29 11:45:21 UTC
Looks like the 0.99.19 release has a DoS-able crash when trying to fix this issue, so we're expecting 0.99.20 today.
Comment 16 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-09-29 13:40:18 UTC
Okay, 0.99.20 is in tree, which is the stable target.

HPPA and PPC are back in the game.
Comment 17 Steve Dibb (RETIRED) gentoo-dev 2011-09-30 21:06:42 UTC
+  30 Sep 2011; Steve Dibb <beandog@gentoo.org> quagga-0.99.20.ebuild:
+  amd64 stable, security bug 384651
Comment 18 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-01 17:57:42 UTC
x86 stable
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2011-10-02 13:40:30 UTC
alpha/arm/s390/sparc stable
Comment 20 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-03 01:32:18 UTC
Stable for HPPA.
Comment 21 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-03 18:22:29 UTC
ppc stable, last arch done
Comment 22 Agostino Sarubbo gentoo-dev 2011-10-03 18:28:30 UTC
Thanks folks, adding glsa vote request.
Comment 23 Tim Sammut (RETIRED) gentoo-dev 2011-10-03 19:01:36 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 24 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-10-08 13:15:03 UTC
GLSA together with bug 334303, 359903 and 384651
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 18:44:25 UTC
This issue was resolved and addressed in
 GLSA 201202-02 at http://security.gentoo.org/glsa/glsa-201202-02.xml
by GLSA coordinator Tim Sammut (underling).