CVE-2021-44038: An issue was discovered in Quagga through 1.2.4. Unsafe chown/chmod operations in the suggested spec file allow users (with control of the non-root-owned directory /etc/quagga) to escalate their privileges to root upon package installation or update. Seems there's a non-SUSE specific issue here too?
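A check for the precondition the advisory describes, as an added example (not from the advisory, from Quagga, or from any distribution's spec file; the advisory does not quote the spec-file commands themselves): the script below audits a packaged configuration directory such as /etc/quagga for a non-root owner, group/world write bits, symlinks that resolve outside the tree, and hard links to files elsewhere on the filesystem. Those are the entries a local user who controls the directory can plant so that a chown/chmod run by root during package installation lands on a file the user does not own. The directory path default, the function names and the sample layout used in the test are assumptions for illustration.

```python
"""Added example (not from the advisory, Quagga, or any distribution's spec
file): audit a packaged config directory for the precondition described in
CVE-2021-44038, a directory a non-root user controls, plus the entries that
let such a user redirect a chown/chmod executed by root."""
import os
import stat
import sys


def audit_config_dir(path: str) -> dict:
    """Return what a root-run chown/chmod over `path` could be redirected by."""
    root_real = os.path.realpath(path)
    top = os.lstat(path)
    findings = {
        "owner_uid": top.st_uid,
        # A non-root owner can create, rename and replace entries at will.
        "non_root_owner": top.st_uid != 0,
        "group_or_world_writable": bool(top.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
        # Symlinks resolving outside the tree: a dereferencing chown/chmod
        # (plain "chown user file", or chown -R -L) changes the target instead.
        "symlink_escapes": [],
        # Hard links share their inode with a file elsewhere, so an in-tree
        # chown/chmod changes that file's owner or mode as well.
        "hard_links": [],
    }
    # followlinks=False: never descend through a planted symlink to a directory.
    for dirpath, dirnames, filenames in os.walk(path, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(full)
                if os.path.commonpath([root_real, target]) != root_real:
                    findings["symlink_escapes"].append((full, target))
            elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                findings["hard_links"].append((full, st.st_nlink))
    return findings


def is_safe_for_root_chown(findings: dict) -> bool:
    """True only if nothing in the tree can redirect a root-run chown/chmod."""
    return not (findings["non_root_owner"]
                or findings["group_or_world_writable"]
                or findings["symlink_escapes"]
                or findings["hard_links"])


if __name__ == "__main__":
    # Default path is an assumption: the directory named in the advisory.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/quagga"
    result = audit_config_dir(target)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe" if is_safe_for_root_chown(result) else "UNSAFE")
```

Run it before and after a package upgrade that touches the directory; a non-empty symlink_escapes or hard_links list, or a non-root owner on the directory itself, is the situation in which a recursive or globbed chown/chmod in a post-install script should not be trusted.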
Quagga is pretty much dead now, I highly doubt that there will be patches for this vulnerability. Looks like it's time to migrate to net-misc/frr...
commit 660036e8f0ab5fa4c1ee50caefe9ca9ae84d7481 (HEAD -> master)
Author: Sergey Popov <pinkbyte@gentoo.org>
Date:   Tue Nov 23 11:10:06 2021 +0300

    profiles/packages.mask: mask net-misc/quagga

    Signed-off-by: Sergey Popov <pinkbyte@gentoo.org>
I am wondering how painful this migration may be. A similar guide for Gentoo users would be handy: https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-37/Layer-3/FRRouting-Overview/Upgrading-from-Quagga-to-FRRouting/
Migration from quagga to frr: not an easy task, mainly due to lack of community feedback on such a task.

- I had to move (merge) all the various different config files (bgpd.conf, zebra.conf) into /etc/frr/frr.conf
- I had to change: aggregate-address 10.2.19.0/24 --> aggregate-address 10.2.19.0/24 summary-only
- I had to change: ip as-path access-list --> bgp as-path access-list
- finally, frr bgpd forbids connecting as neighbor to local IP same AS, as reported here: https://github.com/FRRouting/frr/issues/10153

First impressions: my network traffic statistics (on the same setup) went from 60 down to 20 connections per minute.
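A converter that carries out the config changes listed in the comment above, as an added example (not Quagga's or FRR's own tooling, and not the commenter's script): it merges the per-daemon Quagga files into one frr.conf in integrated-config form, keeps only the first copy of the hostname/password lines every Quagga file repeats, rewrites "ip as-path access-list" to "bgp as-path access-list" and, only when asked, appends "summary-only" to aggregate-address lines. The summary-only step is opt-in because it also suppresses advertisement of the more-specific prefixes, which a given setup may or may not want. Assumptions: FRR's integrated config mode ("service integrated-vtysh-config" in /etc/frr/vtysh.conf), the file order and the "frr defaults traditional" line (FRR's historical, Quagga-like defaults rather than "datacenter"), and the embedded two-daemon sample, which is constructed.

```python
"""Added example: merge Quagga's per-daemon config files into one FRR frr.conf,
applying the syntax changes reported in the comment above.  Not Quagga's or
FRR's own tooling; file names, order and sample input are assumptions."""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Quagga kept one file per daemon; FRR's integrated config is one file that
# vtysh loads (assumption: "service integrated-vtysh-config" is set in
# /etc/frr/vtysh.conf).  zebra first so interfaces precede routing blocks.
QUAGGA_ORDER = ("zebra.conf", "ripd.conf", "ripngd.conf", "ospfd.conf",
                "ospf6d.conf", "isisd.conf", "pimd.conf", "bgpd.conf")

AS_PATH_RE = re.compile(r"^(\s*)(no )?ip as-path access-list\b")
AGGREGATE_RE = re.compile(r"^\s*aggregate-address\s+\S+")


def _global_key(stripped: str) -> str | None:
    """Key under which a top-level line is de-duplicated, or None to keep all."""
    for prefix in ("hostname ", "enable password ", "password "):
        if stripped.startswith(prefix):
            return prefix.strip()      # one hostname / password per frr.conf
    if stripped.startswith(("log ", "service ")):
        return stripped                # identical per-file log/service lines
    return None


def convert_line(line: str, summary_only: bool = False) -> str:
    """Rewrite one Quagga config line into FRR syntax."""
    # "ip as-path access-list ..." became "bgp as-path access-list ..." in FRR.
    line = AS_PATH_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2) or ''}bgp as-path access-list", line)
    # The comment above needed "summary-only" on aggregate-address.  It also
    # suppresses the more-specific prefixes, so it is opt-in here.
    if summary_only and AGGREGATE_RE.match(line) and "summary-only" not in line:
        line = line.rstrip() + " summary-only"
    return line


def merge_configs(configs: dict[str, str], summary_only: bool = False) -> str:
    """Concatenate Quagga daemon configs (file name -> text) into frr.conf text."""
    seen: set[str] = set()
    out = ["frr defaults traditional",   # Quagga-like defaults, not "datacenter"
           "!"]

    def rank(name: str) -> tuple[int, str]:
        return (QUAGGA_ORDER.index(name) if name in QUAGGA_ORDER
                else len(QUAGGA_ORDER), name)

    for name in sorted(configs, key=rank):
        out.append(f"! --- from {name}")
        for raw in configs[name].splitlines():
            line = convert_line(raw.rstrip(), summary_only)
            if not line.startswith((" ", "\t")):       # top-level line
                key = _global_key(line.strip())
                if key is not None:
                    if key in seen:
                        continue                       # drop repeated copy
                    seen.add(key)
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample of a two-daemon Quagga setup (not a real router's config).
SAMPLE_QUAGGA = {
    "bgpd.conf": (
        "! BGP configuration\n"
        "hostname edge1\n"
        "password zebra\n"
        "log file /var/log/quagga/bgpd.log\n"
        "!\n"
        "router bgp 64500\n"
        " bgp router-id 192.0.2.1\n"
        " neighbor 192.0.2.2 remote-as 64501\n"
        " aggregate-address 10.2.19.0/24\n"
        "!\n"
        "ip as-path access-list LOCAL permit ^$\n"
        "!\n"
    ),
    "zebra.conf": (
        "! Zebra configuration\n"
        "hostname edge1\n"
        "password zebra\n"
        "log file /var/log/quagga/zebra.log\n"
        "!\n"
        "interface eth0\n"
        " ip address 192.0.2.1/24\n"
        "!\n"
    ),
}


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    src = Path(args[0]) if args else Path("/etc/quagga")
    configs = {p.name: p.read_text() for p in src.glob("*.conf")
               if p.name != "vtysh.conf"}
    # Falls back to the constructed sample when the directory has no files.
    sys.stdout.write(merge_configs(configs or SAMPLE_QUAGGA,
                                   summary_only="--summary-only" in sys.argv))
```

Write the output to /etc/frr/frr.conf and review the log lines by hand: each Quagga file carried its own "log file" path, and they are kept as-is here (the last one FRR reads wins, and the paths still point at /var/log/quagga). vtysh has a dry-run mode (vtysh -C) for syntax-checking the file before the daemons are restarted, and the daemons themselves still have to be enabled in /etc/frr/daemons (an assumption about the Gentoo layout).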
Hi all!!))

Folks, I think that for the transition period we must have the possibility to install 2 packages, quagga && frr, to convert config files and experiment. If frr fails or misconfigurations occur, we can stop frr and start quagga (with working and tested configs) again for thinking, reading google or yandex. Last chance is reading the manual)))) Now...

# emerge -DNuvp net-misc/frr

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N     ] acct-group/frr-0::gentoo  0 KiB
[ebuild  N     ] acct-user/frr-0::gentoo  0 KiB
[ebuild  N     ] dev-python/ipaddr-2.2.0-r1::gentoo  PYTHON_TARGETS="python3_9 -python3_8 -python3_10" 26 KiB
[ebuild  N     ] net-libs/libyang-2.0.112::gentoo  USE="-doc -test" 1051 KiB
[ebuild  N     ] dev-util/clippy-8.1::gentoo  PYTHON_SINGLE_TARGET="python3_9 -python3_8 -python3_10" 8316 KiB
[ebuild  N     ] net-misc/frr-8.1-r1::gentoo  USE="ipv6 pam -doc -fpm -grpc -nhrp -ospfapi -rpki -snmp -test" PYTHON_SINGLE_TARGET="python3_9 -python3_8 -python3_10" 8316 KiB
[blocks B      ] net-misc/quagga ("net-misc/quagga" is soft blocking net-misc/frr-8.1-r1)

Total: 6 packages (6 new), Size of downloads: 17707 KiB
Conflict: 1 block (1 unsatisfied)

 * Error: The above package list contains packages which cannot be
 * installed at the same time on the same system.

  (net-misc/quagga-1.2.4-r2:0/0::gentoo, installed) pulled in by
    net-misc/quagga required by @selected

  (net-misc/frr-8.1-r1:0/0::gentoo, ebuild scheduled for merge) pulled in by
    net-misc/frr

For more information about Blocked Packages, please refer to the following
section of the Gentoo Linux x86 Handbook (architecture is irrelevant):

https://wiki.gentoo.org/wiki/Handbook:X86/Working/Portage#Blocked_packages

--------------------
With best wishes - YD.
(In reply to Yuriy Dmitriev from comment #5)
> Hi all!!))
>
> Folks, I think that for the transition period we must have the possibility
> to install 2 packages, quagga && frr, to convert config files and experiment.
> If frr fails or misconfigurations occur, we can stop frr and start
> quagga (with working and tested configs) again for thinking, reading google
> or yandex. Last chance is reading the manual)))) Now...
> # emerge -DNuvp net-misc/frr

Yes, it would be good, but it is not currently possible due to conflicting names of installed binaries. FRRouting is supposed to be a direct replacement for Quagga and began as its fork, so here we are. You can work around it for your installation yourself by installing frr in a different path using ECONF_EXTRA, but this is not a supported configuration - so keep in mind that you will be on your own. Currently we have no plans for removing this blocker, because it would require some heavy patching of frr sources and the init script.
FWIW, frr installs all the binaries & libraries under the /usr/lib/frr/ directory and all the config files under /etc/frr/.

ldd /usr/lib/frr/bgpd
	linux-gate.so.1 (0xb7f17000)
	libfrr.so.0 => /usr/lib/frr/libfrr.so.0 (0xb7a84000)
	libm.so.6 => /lib/libm.so.6 (0xb79b3000)
	libjson-c.so.5 => /usr/lib/libjson-c.so.5 (0xb79a0000)
	libc.so.6 => /lib/libc.so.6 (0xb777a000)
	libcap.so.2 => /lib/libcap.so.2 (0xb776d000)
	libunwind.so.8 => /usr/lib/libunwind.so.8 (0xb7755000)
	libyang.so.2 => /usr/lib/libyang.so.2 (0xb7628000)
	libcrypt.so.2 => /lib/libcrypt.so.2 (0xb75e8000)
	/lib/ld-linux.so.2 (0xb7f19000)
	libpcre2-8.so.0 => /usr/lib/libpcre2-8.so.0 (0xb754a000)
	libpthread.so.0 => /lib/libpthread.so.0 (0xb7545000)
Created attachment 757745 [details, diff] enable bgpd connections from local host
FRR bgpd has a silly restriction that forbids connections to the daemon from the same host, as reported here: https://github.com/FRRouting/frr/issues/10153. The attached patch disables this restriction; tested on a production Gentoo system.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0b4caeebfee75547a7525cbe8c3a112402ed395

commit a0b4caeebfee75547a7525cbe8c3a112402ed395
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2021-12-22 11:19:51 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2021-12-22 11:23:03 +0000

    net-misc/quagga: treeclean

    Bug: https://bugs.gentoo.org/825358
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 net-misc/quagga/Manifest                           |   2 -
 .../files/quagga-0.99.22.4-ipctl-forwarding.patch  |  22 ----
 net-misc/quagga/files/quagga-services.init.3       |  43 -------
 net-misc/quagga/files/quagga.pam                   |  26 ----
 net-misc/quagga/files/systemd/bgpd.service         |  16 ---
 net-misc/quagga/files/systemd/isisd.service        |  16 ---
 net-misc/quagga/files/systemd/nhrpd.service        |  16 ---
 net-misc/quagga/files/systemd/ospf6d.service       |  16 ---
 net-misc/quagga/files/systemd/ospfd.service        |  16 ---
 net-misc/quagga/files/systemd/pimd.service         |  17 ---
 net-misc/quagga/files/systemd/quagga.conf          |   1 -
 net-misc/quagga/files/systemd/ripd.service         |  16 ---
 net-misc/quagga/files/systemd/ripngd.service       |  16 ---
 net-misc/quagga/files/systemd/zebra.service        |  16 ---
 net-misc/quagga/metadata.xml                       |  53 --------
 net-misc/quagga/quagga-1.2.4-r2.ebuild             | 135 ---------------------
 profiles/package.mask                              |   7 --
 17 files changed, 434 deletions(-)
commit a0b4caeebfee75547a7525cbe8c3a112402ed395
Author: Jakov Smolić <jsmolic@gentoo.org>
Date:   Wed Dec 22 12:19:51 2021 +0100

    net-misc/quagga: treeclean