Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 905882 (CVE-2022-40302, CVE-2022-40318, CVE-2022-43681)

Summary: <net-misc/frr-8.4.1: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: alarig, jaco, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-07 16:09:44 UTC 
CVE-2022-43681 (https://forescout.com):

An out-of-bounds read exists in the BGP daemon of FRRouting FRR through 8.4. When sending a malformed BGP OPEN message that ends with the option length octet (or the option length word, in case of an extended OPEN message), the FRR code reads of out of the bounds of the packet, throwing a SIGABRT signal and exiting. This results in a bgpd daemon restart, causing a Denial-of-Service condition.

CVE-2022-40302 (https://github.com/FRRouting/frr/releases):

An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case.

CVE-2022-40318 (https://github.com/FRRouting/frr/releases):

An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case. NOTE: this behavior occurs in bgp_open_option_parse in the bgp_open.c file, a different location (with a different attack vector) relative to CVE-2022-40302.

The first CVE's reference is obviously advertising, not clear based on
the other references where the fixes are.
Comment 1 Jaco Kroon 2024-10-02 08:21:00 UTC 
None of these versions are in-tree any more, and these are extremely old, no longer relevant I believe.
Comment 2 Hans de Graaff gentoo-dev Security 2024-10-02 09:28:28 UTC 
(In reply to Jaco Kroon from comment #1)
> None of these versions are in-tree any more, and these are extremely old, no
> longer relevant I believe.

Please don't close bugs owned by the security team since the team has a process to follow.

The CVE descriptions mention the versions that are vulnerable, but what indication do we have that the issues are fixed in later versions (specifically the first CVE)?
Comment 3 Jaco Kroon 2024-10-02 09:49:10 UTC 
My apologies.

CVE-2022-43681 it states specifically "through 8.4" so my opinion is that it should be fixed, but as you say, the process is the process.