Bug 443026 (CVE-2012-5521)

Summary:	net-misc/quagga: Assertion failure when removing routes (CVE-2012-5521)
Product:	Gentoo Security	Reporter:	Sean Amoss (RETIRED) <ackle>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED WONTFIX
Severity:	minor	CC:	pinkbyte
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.openwall.com/lists/oss-security/2012/11/13/7
Whiteboard:	B3 [noglsa cve]
Package list:		Runtime testing required:	---

Description Sean Amoss (RETIRED) gentoo-dev

2012-11-13 23:44:33 UTC

From the oss-security mailing list at $URL:

  Marco d'Itri in Debian bug [1] has reported the following deficiency,
being present in 0.99.21 and possibly earlier versions of the Quagga 
routing suite:

A denial of service flaw was found in the way Quagga's ospf6d daemon
performed routes removal. In certain circumstances when removing the
route the ospf6d daemon terminated with assertion failure when trying
to determine / find, which route to remove. An OSPF6 router could use
this flaw to cause ospf6d on an adjacent router to abort.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693102
[2] https://bugzilla.redhat.com/show_bug.cgi?id=876197

Upstream bug report:
[3] https://bugzilla.quagga.net/show_bug.cgi?id=747

Comment 1 Sergey Popov gentoo-dev

2013-04-02 16:34:21 UTC

This issue is not fixed with 0.99.22, as upstream says

Comment 2 Sergey Popov gentoo-dev

2015-07-23 14:07:21 UTC

still not fixed in 0.99.24.1 :-(

Comment 3 Michael Boyle 2017-06-14 02:34:29 UTC

@maintainers is this bug stable? Can we send to glsa?

Mike Boyle
Security Padawan

Comment 4 Sergey Popov gentoo-dev

2017-07-03 07:38:39 UTC

No, this is still not fixed upstream

Comment 5 Aaron Bauman Gentoo Infrastructure

2018-01-30 00:51:27 UTC

Still nothing from the original reporter following multiple releases of quagga and questions from upstream. Upstream is unable to produce still.  Minimal security impact.