Bug 408507 (CVE-2012-0249)

Summary: <net-misc/quagga-0.99.21: Multiple Vulnerabilities (CVE-2012-{0249,0250,0255,1820})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: asl, chainsaw, flameeyes, gentoo, jason, mrness, pinkbyte
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/48388/
Whiteboard: B3 [glsa]
Bug Depends on: 446289, 446346    

Description Agostino Sarubbo gentoo-dev 2012-03-16 15:58:49 UTC
From Secunia security advisory at $URL:

Description:
1) Two errors exist within ospfd. No further information is currently available.

2) An error within the "bgp_open_receive()" function (bgpd/bgp_packet.c) when parsing a peer input stream can be exploited to trigger an assertion and cause a crash.

The vulnerabilities are reported in versions prior to 0.99.20.1.


Solution:
Update to version 0.99.20.1.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-04-10 21:25:18 UTC
CVE-2012-0255 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0255):
  The BGP implementation in bgpd in Quagga before 0.99.20.1 does not properly
  use message buffers for OPEN messages, which allows remote attackers to
  cause a denial of service (assertion failure and daemon exit) via a message
  associated with a malformed Four-octet AS Number Capability (aka AS4
  capability).

CVE-2012-0250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0250):
  Buffer overflow in the OSPFv2 implementation in ospfd in Quagga before
  0.99.20.1 allows remote attackers to cause a denial of service (daemon
  crash) via a Link State Update (aka LS Update) packet containing a
  network-LSA link-state advertisement for which the data-structure length is
  smaller than the value in the Length header field.

CVE-2012-0249 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0249):
  Buffer overflow in the ospf_ls_upd_list_lsa function in ospf_packet.c in the
  OSPFv2 implementation in ospfd in Quagga before 0.99.20.1 allows remote
  attackers to cause a denial of service (assertion failure and daemon exit)
  via a Link State Update (aka LS Update) packet that is smaller than the
  length specified in its header.
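
The two OSPF issues listed in the comment above (CVE-2012-0249 and CVE-2012-0250) both come down to trusting a Length header field over the number of bytes actually received. The following is an added example, not part of the bug report and not Quagga's code: a bounds check over an LS Update body in C, assuming the RFC 2328 packet and LSA header layouts. The function name, the minimum network-LSA size and the sample packet are choices made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LSA_HDR_LEN      20u /* RFC 2328 A.4.1: fixed LSA header size */
#define LSA_TYPE_NETWORK 2u  /* RFC 2328 A.4.3: network-LSA */
#define NET_LSA_MIN_LEN  28u /* assumption: header + mask + one attached router */

/* Big-endian field readers that do not assume alignment. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/*
 * body/len: the LS Update bytes after the 24-byte OSPF header, i.e. a 32-bit
 * LSA count followed by the LSAs. Returns the LSA count if every declared
 * length fits the bytes received, or -1 if any length is inconsistent.
 */
int check_ls_update_body(const uint8_t *body, size_t len)
{
    if (body == NULL || len < 4)
        return -1;
    uint32_t declared = be32(body);
    size_t off = 4;
    uint32_t seen = 0;
    while (seen < declared) {
        size_t remaining = len - off;
        if (remaining < LSA_HDR_LEN)
            return -1;                     /* truncated before an LSA header */
        const uint8_t *lsa = body + off;
        uint16_t lsa_len = be16(lsa + 18); /* Length field of the LSA header */
        if (lsa_len < LSA_HDR_LEN || lsa_len > remaining)
            return -1;                     /* header claims more than was received */
        if (lsa[3] == LSA_TYPE_NETWORK &&
            (lsa_len < NET_LSA_MIN_LEN || (lsa_len - LSA_HDR_LEN) % 4 != 0))
            return -1;                     /* too short or misaligned for a network-LSA */
        off += lsa_len;
        seen++;
    }
    return off == len ? (int)seen : -1;    /* strict: no unaccounted trailing bytes */
}

int main(void)
{
    /* Constructed sample: one network-LSA with Length = 28, all other fields zero. */
    uint8_t pkt[4 + 28] = {0};
    pkt[3] = 1; pkt[4 + 3] = LSA_TYPE_NETWORK; pkt[4 + 19] = 28;
    printf("complete:  %d\n", check_ls_update_body(pkt, sizeof pkt));
    printf("truncated: %d\n", check_ls_update_body(pkt, sizeof pkt - 4));
    return 0;
}
```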
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 19:11:44 UTC
CVE-2012-1820 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1820):
  The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier
  allows remote attackers to cause a denial of service (assertion failure and
  daemon exit) by leveraging a BGP peering relationship and sending a
  malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message.
Comment 3 Sergey Popov gentoo-dev 2012-12-05 08:05:54 UTC
0.99.21 is in tree now.

Arches, please test and mark stable =net-misc/quagga-0.99.21

Target keywords: alpha amd64 arm hppa ppc s390 sparc x86
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-05 17:04:21 UTC
Please get rid of USE=logrotate (see bug #198901).
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-05 17:07:25 UTC
(In reply to comment #4)
> Please get rid of USE=logrotate (see bug #198901).

Fixed that.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-05 23:53:10 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-07 10:25:05 UTC
Since there are at least 2 compile failures, I'm wondering how hppa has tested it.
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-08 12:23:22 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-12-08 12:23:49 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2012-12-15 20:14:05 UTC
alpha/arm/s390/sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2012-12-22 15:20:44 UTC
ppc stable
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-23 00:18:15 UTC
Thanks, everyone.

GLSA vote: yes.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2013-01-02 19:09:02 UTC
GLSA Vote: yes, too. New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-10-10 12:08:06 UTC
This issue was resolved and addressed in
 GLSA 201310-08 at http://security.gentoo.org/glsa/glsa-201310-08.xml
by GLSA coordinator Sean Amoss (ackle).