A, Stack buffer overflow by processing certain Route-Refresh messages A stack buffer overflow flaw was found in the way Quagga's bgpd daemon processed Route-Refresh messages. A configured Border Gateway Protocol (BGP) peer could send a Route-Refresh message with specially-crafted Outbound Route Filtering (ORF) record, which would cause the master BGP daemon (bgpd) to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. Upstream changeset: [1] http://code.quagga.net/?p=quagga.git;a=commit;h=d64379e8f3c0636df53ed08d5b2f1946cfedd0e3 References: [2] https://bugzilla.redhat.com/show_bug.cgi?id=626783 [3] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100 B, DoS (crash) while processing certain BGP update AS path messages A NULL pointer dereference flaw was found in the way Quagga's bgpd daemon parsed paths of autonomous systems (AS). A configured BGP peer could send a BGP update AS path request with unknown AS type, which could lead to denial of service (bgpd daemon crash). Upstream changeset: [4] http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb References: [5] https://bugzilla.redhat.com/show_bug.cgi?id=626795 [6] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100
CVEs assigned. A, Stack buffer overflow by processing certain Route-Refresh messages CVE-2010-2948 B, DoS (crash) while processing certain BGP update AS path messages CVE-2010-2949
I'll be taking care of the bump; please give me a bit more time though because I actually want to give it a bit of lifting.
CVE-2010-2948 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2948): Stack-based buffer overflow in the bgp_route_refresh_receive function in bgp_packet.c in bgpd in Quagga before 0.99.17 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a malformed Outbound Route Filtering (ORF) record in a BGP ROUTE-REFRESH (RR) message. CVE-2010-2949 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2949): bgpd in Quagga before 0.99.17 does not properly parse AS paths, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unknown AS type in an AS path attribute in a BGP UPDATE message.
(In reply to comment #2) > I'll be taking care of the bump; please give me a bit more time though because > I actually want to give it a bit of lifting. > Hi, Diego. How is you testing going? Should we move forward with stabilization? thanks! t
Sorry, I forgot to advise here; I've been running 0.99.17 on my home router for a while and all the bugs reported have been fixed, so it's fine for me to mark 0.99.17-r2 stable.
Thanks! Arches, please test and mark stable: =net-misc/quagga-0.99.17-r2 Target keywords : "alpha amd64 arm hppa ppc s390 sparc x86"
Stable on alpha.
x86 stable
amd64 done
arm/s390/sparc stable
Stable for HPPA PPC.
Thanks, folks. GLSA request filed.
This issue was resolved and addressed in GLSA 201202-02 at http://security.gentoo.org/glsa/glsa-201202-02.xml by GLSA coordinator Tim Sammut (underling).
