Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 903757 (CVE-2022-36440, CVE-2022-37032)

Summary: <net-misc/frr-8.4.1: DoS vulnerability via reachable assertion
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: alarig, jaco, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/FRRouting/frr/issues/13202
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-04 04:22:14 UTC 
CVE-2022-36440 (https://github.com/spwpun/pocs):
https://github.com/spwpun/pocs/blob/main/frr-bgpd.md

A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the peek_for_as4_capability function. Attackers can maliciously construct BGP open packets and send them to BGP peers running frr-bgpd, resulting in DoS.

Looks like there's another unpublished "vulnerability" irresponsibly
disclosed in this person's Github account, a heap buffer overread:

https://github.com/spwpun/CVE-2022-37032/blob/main/poc.py

Reported upstream at: https://github.com/FRRouting/frr/issues/13202
Comment 1 Larry the Git Cow gentoo-dev 2023-04-04 08:07:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d73e4bec2216ced5da63e04932f79f1f5b8468c4

commit d73e4bec2216ced5da63e04932f79f1f5b8468c4
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2023-04-04 08:03:36 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2023-04-04 08:06:18 +0000

    net-misc/frr: add 8.5
    
    Bug: https://bugs.gentoo.org/903757
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 net-misc/frr/Manifest       |   1 +
 net-misc/frr/frr-8.5.ebuild | 149 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 150 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-16 18:29:45 UTC 
Fixed in 8.4 onwards according to upstream.
Comment 3 Alarig Le Lay 2024-10-02 14:49:36 UTC 
8.5 isn’t in the tree anymore, to maybe we can close this one?