authorLeonardo Arena <rnalrd@alpinelinux.org>2016-04-06 10:42:06 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-04-06 14:04:00 +0000
commit380236e60c820594a1e74395d31fb5ae19f913fc (patch)
tree70383edd07c581149169ec55c7d41bfc38247b7c
parent87e9b821d19998b97ce7e94884bda2153967dfda (diff)
downloadaports-380236e60c820594a1e74395d31fb5ae19f913fc.tar.bz2
aports-380236e60c820594a1e74395d31fb5ae19f913fc.tar.xz
main/quagga: security fix (CVE-2016-2342). Fixes #5345
(cherry picked from commit c6a671a8d5628bd7226346d3df7acfbcc7a58973)
-rw-r--r--main/quagga/APKBUILD11
-rw-r--r--main/quagga/CVE-2016-2342.patch131
-rw-r--r--main/quagga/bgpd-fix-useless-call-in-bgpd_mplsvpn.patch11
3 files changed, 152 insertions, 1 deletions
diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD
index 82fa25a6ad..1f78c5a5c8 100644
--- a/main/quagga/APKBUILD
+++ b/main/quagga/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=quagga
pkgver=0.99.23.1
-pkgrel=1
+pkgrel=2
pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP."
url="http://quagga.net/"
arch="all"
@@ -15,6 +15,9 @@ pkggroups="quagga"
source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
1001-bgpd-implement-next-hop-self-all.patch
bgpd-gr-route-selection-fix.patch
+ bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+ CVE-2016-2342.patch
+
bgpd.initd
zebra.initd
zebra.confd
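Review bot: The two new patch entries are order-dependent but nothing in the file says so: `bgpd-fix-useless-call-in-bgpd_mplsvpn.patch` removes the `label = decode_label (pnt);` lines that sit between the closing brace and `/* Copyr label to prefix. */`, and the CVE patch's second hunk only applies once those lines are gone, so swapping the two entries (or dropping the first one later as "useless") would break the build. A one-line comment above the pair, `# must precede CVE-2016-2342.patch: removes the decode_label call that patch's context does not expect`, would record that. The added empty line at the end of the new entries is also inside the quoted `source=` list; it is harmless to word splitting but stray, and the other entries do not separate groups with blank lines.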
@@ -74,18 +77,24 @@ package() {
md5sums="da14aed6ae4be582486816f3eac2a46f quagga-0.99.23.1.tar.xz
cb97c9d7e192ca05b64c9da909daa97a 1001-bgpd-implement-next-hop-self-all.patch
1fbfcff69bc7df56f9e6682012261004 bgpd-gr-route-selection-fix.patch
+0d21bd5e197324ffba95830ecb744a74 bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+f431ae1dc0e568b3f762609622170dc9 CVE-2016-2342.patch
e80a3df594eba8b09e19aa28d9283698 bgpd.initd
33d0e34f11460881161ab930d3d3b987 zebra.initd
34e06a1d2bc602ce691abc9ed169dd15 zebra.confd"
sha256sums="202e8b7fbec810f28a84e3fbb6aafdaf08a3b51527c258807abc8a74ed617eb8 quagga-0.99.23.1.tar.xz
cd1a3cebe2e666fe95036dac5fe0b4c19772dc1d39859f5390c5c5d84695b8b3 1001-bgpd-implement-next-hop-self-all.patch
66de5b7c097aeb1767001547e219af51e43f968bd241dec7f0c71b68b54855de bgpd-gr-route-selection-fix.patch
+a34704790013154a97262a9d4c6a82cc97ad1288a3eca477227d6bd4cd5452ba bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+b01d40dac0d5ac1d8e6df38fe8bc76aa5bae351ff8e35387690ae3b76608a922 CVE-2016-2342.patch
41471bfda120cb57bc0f40e87ec23a4f150d2b97c97ececdda6c408eab7cf9a3 bgpd.initd
d6cc9280df63859ba711ad2071b38b9ce317d718c34840a2b101debef3fa7b56 zebra.initd
f7a52d383f60270a5a8fee5d4ac522c5c0ec2b7c4b5252cff54e260f32d9b323 zebra.confd"
sha512sums="7a222d4a5aa41deeb233f2e9ce922e5c29787c2f74c1b99177089e3183b69d3c0e4db5846676485a1990b728e007e687070ba4cecab67aa61f8be6c0851581cc quagga-0.99.23.1.tar.xz
a8b7c2f8c4e31841b735f17e2476adfc5d0b9caee4808ade19774fedf8abf935f0afda1bf43e79606dd5aca821a11435b69c84eec3cd6860c24e35775ff0bc3e 1001-bgpd-implement-next-hop-self-all.patch
3e3e1862739ed47da38720d87669ee0bfa2d6e2c2c65388727c92a22cad8b5bf9f4c302701cbd0cf3ac0186eeb1498aefed74c85d8f43ced41c78680fdbbc2ac bgpd-gr-route-selection-fix.patch
+b64c5f1c9c96720899b6868724b37a95729926fea6513be5a7f4faac19cb76bb7016dd0ca76bd5d26472cd28313f24068fc75a28c086f54e4b46bb1080f83fcb bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+eb8cc77ae674b2448b25f7ad04895c95cfd9ba7479074fbb5728cdb3bd92b5d06e6394b530ad684c5ae67b31d74e01f1823f00e9a0d15be13a59df768a69e0ab CVE-2016-2342.patch
d2bf7e8f2da49d0b039e72e76a77860b5b49d41a80550d6dc84791bbdec1d52e579393c5d42b45aa615991742421fef53ec1b92a5e740779b6060e20f5dd0413 bgpd.initd
a4955fe54729ec8cb17b72f3d2205d0a4ba814a51a5eb3635a85339de9a2d2342e4814ef8b1e011803fa1dc3c6f9a23b178848e0812576876343104854feb723 zebra.initd
900972c6f98e561dfacf384111251db262326e8764b8c763a5ef639fa11c7949c03eef5e3bce324a4b1964fe45416d2db74ae1b6bc967f7d4ba48c2eeda017c4 zebra.confd"
diff --git a/main/quagga/CVE-2016-2342.patch b/main/quagga/CVE-2016-2342.patch
new file mode 100644
index 0000000000..774f0cb2f2
--- /dev/null
+++ b/main/quagga/CVE-2016-2342.patch
@@ -0,0 +1,131 @@
+From a3bc7e9400b214a0f078fdb19596ba54214a1442 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@cumulusnetworks.com>
+Date: Wed, 27 Jan 2016 16:54:45 +0000
+Subject: bgpd: Fix VU#270232, VPNv4 NLRI parser memcpys to stack on unchecked length
+
+Address CERT vulnerability report VU#270232, memcpy to stack data structure
+based on length field from packet data whose length field upper-bound was
+not properly checked.
+
+This likely allows BGP peers that are enabled to send Labeled-VPN SAFI
+routes to Quagga bgpd to remotely exploit Quagga bgpd.
+
+Mitigation: Do not enable Labeled-VPN SAFI with untrusted neighbours.
+
+Impact: Labeled-VPN SAFI is not enabled by default.
+
+* bgp_mplsvpn.c: (bgp_nlri_parse_vpnv4) The prefixlen is checked for
+ lower-bound, but not for upper-bound against received data length.
+ The packet data is then memcpy'd to the stack based on the prefixlen.
+
+ Extend the prefixlen check to ensure it is within the bound of the NLRI
+ packet data AND the on-stack prefix structure AND the maximum size for the
+ address family.
+
+Reported-by: Kostya Kortchinsky <kostyak@google.com>
+
+This commit a joint effort between:
+
+Lou Berger <lberger@labn.net>
+Donald Sharp <sharpd@cumulusnetworks.com>
+Paul Jakma <paul.jakma@hpe.com> / <paul@jakma.org>
+---
+diff --git a/bgpd/bgp_mplsvpn.c b/bgpd/bgp_mplsvpn.c
+index a72d5ed..75c90cd 100644
+--- a/bgpd/bgp_mplsvpn.c
++++ b/bgpd/bgp_mplsvpn.c
+@@ -101,6 +101,7 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+ pnt = packet->nlri;
+ lim = pnt + packet->length;
+
++#define VPN_PREFIXLEN_MIN_BYTES (3 + 8) /* label + RD */
+ for (; pnt < lim; pnt += psize)
+ {
+ /* Clear prefix structure. */
+@@ -108,17 +109,38 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+
+ /* Fetch prefix length. */
+ prefixlen = *pnt++;
+- p.family = AF_INET;
++ p.family = afi2family (packet->afi);
+ psize = PSIZE (prefixlen);
+-
+- if (prefixlen < 88)
+- {
+- zlog_err ("prefix length is less than 88: %d", prefixlen);
+- return -1;
+- }
+-
++
++ /* sanity check against packet data */
++ if (prefixlen < VPN_PREFIXLEN_MIN_BYTES*8 || (pnt + psize) > lim)
++ {
++ zlog_err ("prefix length (%d) is less than 88"
++ " or larger than received (%u)",
++ prefixlen, (uint)(lim-pnt));
++ return -1;
++ }
++
++ /* sanity check against storage for the IP address portion */
++ if ((psize - VPN_PREFIXLEN_MIN_BYTES) > (ssize_t) sizeof(p.u))
++ {
++ zlog_err ("prefix length (%d) exceeds prefix storage (%zu)",
++ prefixlen - VPN_PREFIXLEN_MIN_BYTES*8, sizeof(p.u));
++ return -1;
++ }
++
++ /* Sanity check against max bitlen of the address family */
++ if ((psize - VPN_PREFIXLEN_MIN_BYTES) > prefix_blen (&p))
++ {
++ zlog_err ("prefix length (%d) exceeds family (%u) max byte length (%u)",
++ prefixlen - VPN_PREFIXLEN_MIN_BYTES*8,
++ p.family, prefix_blen (&p));
++ return -1;
++
++ }
++
+ /* Copyr label to prefix. */
+- tagpnt = pnt;;
++ tagpnt = pnt;
+
+ /* Copy routing distinguisher to rd. */
+ memcpy (&prd.val, pnt + 3, 8);
+@@ -137,8 +159,9 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+ return -1;
+ }
+
+- p.prefixlen = prefixlen - 88;
+- memcpy (&p.u.prefix, pnt + 11, psize - 11);
++ p.prefixlen = prefixlen - VPN_PREFIXLEN_MIN_BYTES*8;
++ memcpy (&p.u.prefix, pnt + VPN_PREFIXLEN_MIN_BYTES,
++ psize - VPN_PREFIXLEN_MIN_BYTES);
+
+ #if 0
+ if (type == RD_TYPE_AS)
+@@ -149,9 +172,6 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+ rd_ip.val, inet_ntoa (p.u.prefix4), p.prefixlen);
+ #endif /* 0 */
+
+- if (pnt + psize > lim)
+- return -1;
+-
+ if (attr)
+ bgp_update (peer, &p, attr, AFI_IP, SAFI_MPLS_VPN,
+ ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, &prd, tagpnt, 0);
+@@ -159,12 +179,12 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+ bgp_withdraw (peer, &p, attr, AFI_IP, SAFI_MPLS_VPN,
+ ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, &prd, tagpnt);
+ }
+-
+ /* Packet length consistency check. */
+ if (pnt != lim)
+ return -1;
+-
++
+ return 0;
++#undef VPN_PREFIXLEN_MIN_BYTES
+ }
+
+ int
+--
+cgit v0.9.0.2
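Review bot: The new bounds test `if (prefixlen < VPN_PREFIXLEN_MIN_BYTES*8 || (pnt + psize) > lim)` forms `pnt + psize` before checking it; with `psize` derived from a one-byte length field it can point well past the end of the NLRI buffer, which C leaves undefined even when the pointer is only compared, so the check is better written without forming it, `if (prefixlen < VPN_PREFIXLEN_MIN_BYTES*8 || psize > lim - pnt)`. Separately, `p.family` is now taken from `packet->afi` and feeds the `prefix_blen (&p)` limit, while the `bgp_update`/`bgp_withdraw` calls in the later hunk still pass `AFI_IP`; if this parser is only ever invoked for AFI_IP that is harmless, but an explicit `if (packet->afi != AFI_IP) return -1;` or a comment stating the assumption would make it visible. The `(uint)` cast in the first `zlog_err` relies on a non-standard typedef; `(unsigned)` is the portable spelling. The declarations of `psize`, `prefixlen` and `p` are outside the hunk, so their types are not visible here.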
diff --git a/main/quagga/bgpd-fix-useless-call-in-bgpd_mplsvpn.patch b/main/quagga/bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
new file mode 100644
index 0000000000..7a95d80095
--- /dev/null
+++ b/main/quagga/bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
@@ -0,0 +1,11 @@
+--- a/bgpd/bgp_mplsvpn.c
++++ b/bgpd/bgp_mplsvpn.c
+@@ -118,8 +118,6 @@
+ return -1;
+ }
+
+- label = decode_label (pnt);
+-
+ /* Copyr label to prefix. */
+ tagpnt = pnt;;
+