Bug 581526 (CVE-2016-4049) - <net-misc/quagga-1.1.0-r2: denial of service vulnerability in BGP routing daemon (CVE-2016-4049)
Status: RESOLVED FIXED
Alias: CVE-2016-4049
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [glsa cve]
Keywords:
Depends on: 603430
Blocks:
Reported: 2016-04-29 11:33 UTC by Agostino Sarubbo
Modified: 2017-01-24 10:36 UTC

See Also:
Package list:
=net-misc/quagga-1.1.0-r2 =dev-libs/protobuf-c-1.1.1 hppa =dev-libs/protobuf-2.6.1-r3 hppa =dev-python/google-apputils-0.4.2-r1 hppa
Runtime testing required: Yes
stable-bot: sanity-check+

Description Agostino Sarubbo gentoo-dev 2016-04-29 11:33:10 UTC
From ${URL} :

A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain 
circumstances, an attacker could use a crafted packet to crash the bgpd service.

External References:

http://openwall.com/lists/oss-security/2016/04/27/7


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-21 16:24:30 UTC
@ Maintainer(s): Please bump to v1.0.20161017 which does contain

> commit 7da28be5bafb31af75f796abb04aa1d09276d66d
> Author: Evgeny Uskov
> Date:   Wed Jan 13 13:58:00 2016 +0300
> 
>     bgpd: Fix buffer overflow error in bgp_dump_routes_func
>     
>     Now if the number of entries for some prefix is too large, multiple
>     TABLE_DUMP_V2 records are created.  In the previous version in such
>     situation bgpd crashed with SIGABRT.

which will fix this vulnerability.
Comment 2 Paul Tobias 2016-11-30 09:00:55 UTC
Quagga 1.0.20161017 was released on 17th October and contains only a handful of commits which are all fixes[1], so it would be really nice to have it updated.

[1] https://savannah.nongnu.org/forum/forum.php?forum_id=8708
Comment 3 Sergey Popov gentoo-dev 2016-12-20 13:56:20 UTC
This vulnerability was fixed in currently unstable quagga-1.1-r1

Arches, please test and mark stable =net-misc/quagga-1.1-r1

Target keywords: alpha amd64 arm hppa ppc sparc x86
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-12-21 08:09:38 UTC
(In reply to Sergey Popov from comment #3)
> This vulnerability was fixed in currently unstable quagga-1.1-r1
> 
> Arches, please test and mark stable =net-misc/quagga-1.1-r1
> 
> Target keywords: alpha amd64 arm hppa ppc sparc x86

Arches, please test and mark stable =net-misc/quagga-1.1.0-r1

Target keywords: alpha amd64 arm hppa ppc sparc x86
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-12-21 08:18:27 UTC
CVE-2016-4049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4049):
  The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does not
  perform size checks when dumping data, which might allow remote attackers to
  cause a denial of service (assertion failure and daemon crash) via a large
  BGP packet.
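
Added example, not part of any comment in this bug and not Quagga's code: a simplified C illustration of the fix described in the commit message quoted in comment 1, where every write into the dump record is size-checked and a prefix with too many entries is split across several records instead of overrunning one buffer. All names and sizes (`REC_CAPACITY`, `REC_HEADER`, `dump_prefix`) are hypothetical, and "emitting" a record is reduced to counting it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sizes for illustration; not Quagga's actual constants. */
#define REC_CAPACITY 64   /* bytes available in one dump record */
#define REC_HEADER    8   /* per-record header (prefix, entry count) */

struct record {
    uint8_t  buf[REC_CAPACITY];
    size_t   used;      /* bytes written so far */
    unsigned entries;   /* entries stored in this record */
};

static void record_start(struct record *r)
{
    memset(r->buf, 0, REC_HEADER);   /* placeholder header bytes */
    r->used = REC_HEADER;
    r->entries = 0;
}

/* Size-checked append: 0 on success, -1 if the entry would not fit. */
static int record_put(struct record *r, const uint8_t *data, size_t len)
{
    if (len > REC_CAPACITY - r->used)
        return -1;
    memcpy(r->buf + r->used, data, len);
    r->used += len;
    r->entries++;
    return 0;
}

/* Dump n entries of entry_len bytes each for one prefix.
 * Returns the number of records emitted, or -1 if a single entry
 * can never fit into an empty record. */
int dump_prefix(const uint8_t *entries, size_t n, size_t entry_len)
{
    struct record r;
    int emitted = 0;

    if (entry_len == 0 || entry_len > REC_CAPACITY - REC_HEADER)
        return -1;
    record_start(&r);
    for (size_t i = 0; i < n; i++) {
        if (record_put(&r, entries + i * entry_len, entry_len) != 0) {
            emitted++;            /* record full: emit it, start another */
            record_start(&r);
            record_put(&r, entries + i * entry_len, entry_len);
        }
    }
    if (r.entries > 0)
        emitted++;                /* emit the final, partly filled record */
    return emitted;
}
```
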
Comment 6 Michael Palimaka (kensington) gentoo-dev 2016-12-21 10:13:25 UTC
An automated check of this bug failed - the following atom is unknown:

net-misc/quagga-1.1-r1

Please verify the atom list.
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-21 19:35:11 UTC
Stable on alpha.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-21 19:43:26 UTC
Stable on amd64.
Comment 9 Michael Palimaka (kensington) gentoo-dev 2016-12-21 20:17:28 UTC
An automated check of this bug failed - the following atom is unknown:

net-misc/quagga-1.1-r1

Please verify the atom list.
Comment 10 Michael Palimaka (kensington) gentoo-dev 2016-12-22 07:51:11 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad net-misc/quagga/quagga-1.1.0-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['dev-libs/protobuf:0=']
> dependency.bad net-misc/quagga/quagga-1.1.0-r1.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['dev-libs/protobuf:0=']
Comment 11 Michael Palimaka (kensington) gentoo-dev 2016-12-22 09:38:41 UTC
An automated check of this bug failed - the following atom is unknown:

net-misc/quagga-1.1.0-r2

Please verify the atom list.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 00:30:59 UTC
x86 stable
Comment 13 Michael Palimaka (kensington) gentoo-dev 2016-12-23 14:32:37 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad net-misc/quagga/quagga-1.1.0-r2.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['dev-libs/protobuf-c:0=']
> dependency.bad net-misc/quagga/quagga-1.1.0-r2.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['dev-libs/protobuf-c:0=']
Comment 14 Markus Meier gentoo-dev 2017-01-08 18:28:56 UTC
arm stable
Comment 15 Stabilization helper bot gentoo-dev 2017-01-10 05:32:55 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad net-misc/quagga/quagga-1.1.0-r2.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['dev-libs/protobuf-c:0=']
> dependency.bad net-misc/quagga/quagga-1.1.0-r2.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['dev-libs/protobuf-c:0=']
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 13:45:46 UTC
@ HPPA AT:

You need to stabilize =dev-libs/protobuf-c-1.1.1 and =dev-libs/protobuf-2.6.1-r3 as well (bug 603430, added to this list because it looks like the new stabilization bot helper doesn't recognize that the bug is only assigned to hppa).
Comment 17 Stabilization helper bot gentoo-dev 2017-01-11 09:17:03 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad dev-libs/protobuf/protobuf-2.6.1-r3.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['dev-python/google-apputils[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
Comment 18 Stabilization helper bot gentoo-dev 2017-01-11 17:14:41 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad dev-python/google-apputils/google-apputils-0.4.2-r1.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['>=dev-python/python-gflags-1.4[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]', 'dev-python/mox[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
> dependency.bad dev-python/google-apputils/google-apputils-0.4.2-r1.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['>=dev-python/python-gflags-1.4[python_targets_python2_7(-)?,-python_single_target_python2_7(-)]']
Comment 19 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 12:32:49 UTC
Stable for HPPA.
Comment 20 Stabilization helper bot gentoo-dev 2017-01-14 13:01:51 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 21 Agostino Sarubbo gentoo-dev 2017-01-15 15:53:10 UTC
ppc stable
Comment 22 Agostino Sarubbo gentoo-dev 2017-01-18 09:51:07 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2017-01-21 05:47:32 UTC
This issue was resolved and addressed in
 GLSA 201701-48 at https://security.gentoo.org/glsa/201701-48
by GLSA coordinator Aaron Bauman (b-man).
Comment 24 Aaron Bauman (RETIRED) gentoo-dev 2017-01-21 05:56:50 UTC
reopened for cleanup.

@maintainer, please clean the vulnerable version or let us know if a security mask is needed.
Comment 25 Sergey Popov gentoo-dev 2017-01-24 10:36:24 UTC
Cleanup is done, thanks guys