author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-04-06 10:42:06 +0000 |
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-04-06 14:04:00 +0000 |
commit | 380236e60c820594a1e74395d31fb5ae19f913fc (patch) | |
tree | 70383edd07c581149169ec55c7d41bfc38247b7c | |
parent | 87e9b821d19998b97ce7e94884bda2153967dfda (diff) | |
main/quagga: security fix (CVE-2016-2342). Fixes #5345
(cherry picked from commit c6a671a8d5628bd7226346d3df7acfbcc7a58973)
-rw-r--r-- | main/quagga/APKBUILD | 11 | ||||
-rw-r--r-- | main/quagga/CVE-2016-2342.patch | 131 | ||||
-rw-r--r-- | main/quagga/bgpd-fix-useless-call-in-bgpd_mplsvpn.patch | 11 |
3 files changed, 152 insertions, 1 deletions
diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD
index 82fa25a6ad..1f78c5a5c8 100644
--- a/main/quagga/APKBUILD
+++ b/main/quagga/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=quagga
 pkgver=0.99.23.1
-pkgrel=1
+pkgrel=2
 pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP."
 url="http://quagga.net/"
 arch="all"
@@ -15,6 +15,9 @@ pkggroups="quagga"
 source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
 1001-bgpd-implement-next-hop-self-all.patch
 bgpd-gr-route-selection-fix.patch
+ bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+ CVE-2016-2342.patch
+
 bgpd.initd
 zebra.initd
 zebra.confd
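Review bot: The relative order of the two new `source=` entries is load-bearing and nothing in the file records it: the second hunk of CVE-2016-2342.patch has the context `return -1; } /* Copyr label to prefix. */` with no `label = decode_label (pnt);` line in between, so it only applies once bgpd-fix-useless-call-in-bgpd_mplsvpn.patch has removed that call. If prepare() (outside this hunk) applies patches in `source` order, reordering the list or inserting another patch between them would fail with a rejected hunk and nothing here would explain why. A one-line comment above the pair would make the dependency explicit, e.g. `# bgpd-fix-useless-call-in-bgpd_mplsvpn.patch must precede CVE-2016-2342.patch: the CVE hunk's context expects the decode_label() call already removed`.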
@@ -74,18 +77,24 @@ package() {
 md5sums="da14aed6ae4be582486816f3eac2a46f quagga-0.99.23.1.tar.xz
 cb97c9d7e192ca05b64c9da909daa97a 1001-bgpd-implement-next-hop-self-all.patch
 1fbfcff69bc7df56f9e6682012261004 bgpd-gr-route-selection-fix.patch
+0d21bd5e197324ffba95830ecb744a74 bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+f431ae1dc0e568b3f762609622170dc9 CVE-2016-2342.patch
 e80a3df594eba8b09e19aa28d9283698 bgpd.initd
 33d0e34f11460881161ab930d3d3b987 zebra.initd
 34e06a1d2bc602ce691abc9ed169dd15 zebra.confd"
 sha256sums="202e8b7fbec810f28a84e3fbb6aafdaf08a3b51527c258807abc8a74ed617eb8 quagga-0.99.23.1.tar.xz
 cd1a3cebe2e666fe95036dac5fe0b4c19772dc1d39859f5390c5c5d84695b8b3 1001-bgpd-implement-next-hop-self-all.patch
 66de5b7c097aeb1767001547e219af51e43f968bd241dec7f0c71b68b54855de bgpd-gr-route-selection-fix.patch
+a34704790013154a97262a9d4c6a82cc97ad1288a3eca477227d6bd4cd5452ba bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+b01d40dac0d5ac1d8e6df38fe8bc76aa5bae351ff8e35387690ae3b76608a922 CVE-2016-2342.patch
 41471bfda120cb57bc0f40e87ec23a4f150d2b97c97ececdda6c408eab7cf9a3 bgpd.initd
 d6cc9280df63859ba711ad2071b38b9ce317d718c34840a2b101debef3fa7b56 zebra.initd
 f7a52d383f60270a5a8fee5d4ac522c5c0ec2b7c4b5252cff54e260f32d9b323 zebra.confd"
 sha512sums="7a222d4a5aa41deeb233f2e9ce922e5c29787c2f74c1b99177089e3183b69d3c0e4db5846676485a1990b728e007e687070ba4cecab67aa61f8be6c0851581cc quagga-0.99.23.1.tar.xz
 a8b7c2f8c4e31841b735f17e2476adfc5d0b9caee4808ade19774fedf8abf935f0afda1bf43e79606dd5aca821a11435b69c84eec3cd6860c24e35775ff0bc3e 1001-bgpd-implement-next-hop-self-all.patch
 3e3e1862739ed47da38720d87669ee0bfa2d6e2c2c65388727c92a22cad8b5bf9f4c302701cbd0cf3ac0186eeb1498aefed74c85d8f43ced41c78680fdbbc2ac bgpd-gr-route-selection-fix.patch
+b64c5f1c9c96720899b6868724b37a95729926fea6513be5a7f4faac19cb76bb7016dd0ca76bd5d26472cd28313f24068fc75a28c086f54e4b46bb1080f83fcb bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
+eb8cc77ae674b2448b25f7ad04895c95cfd9ba7479074fbb5728cdb3bd92b5d06e6394b530ad684c5ae67b31d74e01f1823f00e9a0d15be13a59df768a69e0ab CVE-2016-2342.patch
 d2bf7e8f2da49d0b039e72e76a77860b5b49d41a80550d6dc84791bbdec1d52e579393c5d42b45aa615991742421fef53ec1b92a5e740779b6060e20f5dd0413 bgpd.initd
 a4955fe54729ec8cb17b72f3d2205d0a4ba814a51a5eb3635a85339de9a2d2342e4814ef8b1e011803fa1dc3c6f9a23b178848e0812576876343104854feb723 zebra.initd
 900972c6f98e561dfacf384111251db262326e8764b8c763a5ef639fa11c7949c03eef5e3bce324a4b1964fe45416d2db74ae1b6bc967f7d4ba48c2eeda017c4 zebra.confd"
diff --git a/main/quagga/CVE-2016-2342.patch b/main/quagga/CVE-2016-2342.patch
new file mode 100644
index 0000000000..774f0cb2f2
--- /dev/null
+++ b/main/quagga/CVE-2016-2342.patch
@@ -0,0 +1,131 @@
+From a3bc7e9400b214a0f078fdb19596ba54214a1442 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@cumulusnetworks.com>
+Date: Wed, 27 Jan 2016 16:54:45 +0000
+Subject: bgpd: Fix VU#270232, VPNv4 NLRI parser memcpys to stack on unchecked length
+
+Address CERT vulnerability report VU#270232, memcpy to stack data structure
+based on length field from packet data whose length field upper-bound was
+not properly checked.
+
+This likely allows BGP peers that are enabled to send Labeled-VPN SAFI
+routes to Quagga bgpd to remotely exploit Quagga bgpd.
+
+Mitigation: Do not enable Labeled-VPN SAFI with untrusted neighbours.
+
+Impact: Labeled-VPN SAFI is not enabled by default.
+
+* bgp_mplsvpn.c: (bgp_nlri_parse_vpnv4) The prefixlen is checked for
+ lower-bound, but not for upper-bound against received data length.
+ The packet data is then memcpy'd to the stack based on the prefixlen.
+
+ Extend the prefixlen check to ensure it is within the bound of the NLRI
+ packet data AND the on-stack prefix structure AND the maximum size for the
+ address family.
+
+Reported-by: Kostya Kortchinsky <kostyak@google.com>
+
+This commit a joint effort between:
+
+Lou Berger <lberger@labn.net>
+Donald Sharp <sharpd@cumulusnetworks.com>
+Paul Jakma <paul.jakma@hpe.com> / <paul@jakma.org>
+---
+diff --git a/bgpd/bgp_mplsvpn.c b/bgpd/bgp_mplsvpn.c
+index a72d5ed..75c90cd 100644
+--- a/bgpd/bgp_mplsvpn.c
++++ b/bgpd/bgp_mplsvpn.c
+@@ -101,6 +101,7 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+ pnt = packet->nlri;
+ lim = pnt + packet->length;
+ 
++#define VPN_PREFIXLEN_MIN_BYTES (3 + 8) /* label + RD */
+ for (; pnt < lim; pnt += psize)
+ {
+ /* Clear prefix structure. */
+@@ -108,17 +109,38 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+ 
+ /* Fetch prefix length. */
+ prefixlen = *pnt++;
+- p.family = AF_INET;
++ p.family = afi2family (packet->afi);
+ psize = PSIZE (prefixlen);
+-
+- if (prefixlen < 88)
+- {
+- zlog_err ("prefix length is less than 88: %d", prefixlen);
+- return -1;
+- }
+-
++
++ /* sanity check against packet data */
++ if (prefixlen < VPN_PREFIXLEN_MIN_BYTES*8 || (pnt + psize) > lim)
++ {
++ zlog_err ("prefix length (%d) is less than 88"
++ " or larger than received (%u)",
++ prefixlen, (uint)(lim-pnt));
++ return -1;
++ }
++
++ /* sanity check against storage for the IP address portion */
++ if ((psize - VPN_PREFIXLEN_MIN_BYTES) > (ssize_t) sizeof(p.u))
++ {
++ zlog_err ("prefix length (%d) exceeds prefix storage (%zu)",
++ prefixlen - VPN_PREFIXLEN_MIN_BYTES*8, sizeof(p.u));
++ return -1;
++ }
++
++ /* Sanity check against max bitlen of the address family */
++ if ((psize - VPN_PREFIXLEN_MIN_BYTES) > prefix_blen (&p))
++ {
++ zlog_err ("prefix length (%d) exceeds family (%u) max byte length (%u)",
++ prefixlen - VPN_PREFIXLEN_MIN_BYTES*8,
++ p.family, prefix_blen (&p));
++ return -1;
++
++ }
++
+ /* Copyr label to prefix. */
+- tagpnt = pnt;;
++ tagpnt = pnt;
+ 
+ /* Copy routing distinguisher to rd. */
+ memcpy (&prd.val, pnt + 3, 8);
+@@ -137,8 +159,9 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+ return -1;
+ }
+ 
+- p.prefixlen = prefixlen - 88;
+- memcpy (&p.u.prefix, pnt + 11, psize - 11);
++ p.prefixlen = prefixlen - VPN_PREFIXLEN_MIN_BYTES*8;
++ memcpy (&p.u.prefix, pnt + VPN_PREFIXLEN_MIN_BYTES,
++ psize - VPN_PREFIXLEN_MIN_BYTES);
+ 
+ #if 0
+ if (type == RD_TYPE_AS)
+@@ -149,9 +172,6 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+ rd_ip.val, inet_ntoa (p.u.prefix4), p.prefixlen);
+ #endif /* 0 */
+ 
+- if (pnt + psize > lim)
+- return -1;
+-
+ if (attr)
+ bgp_update (peer, &p, attr, AFI_IP, SAFI_MPLS_VPN,
+ ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, &prd, tagpnt, 0);
+@@ -159,12 +179,12 @@ bgp_nlri_parse_vpnv4 (struct peer *peer, struct attr *attr,
+ bgp_withdraw (peer, &p, attr, AFI_IP, SAFI_MPLS_VPN,
+ ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, &prd, tagpnt);
+ }
+-
+ /* Packet length consistency check. */
+ if (pnt != lim)
+ return -1;
+-
++
+ return 0;
++#undef VPN_PREFIXLEN_MIN_BYTES
+ }
+ 
+ int
+--
+cgit v0.9.0.2
diff --git a/main/quagga/bgpd-fix-useless-call-in-bgpd_mplsvpn.patch b/main/quagga/bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
new file mode 100644
index 0000000000..7a95d80095
--- /dev/null
+++ b/main/quagga/bgpd-fix-useless-call-in-bgpd_mplsvpn.patch
@@ -0,0 +1,11 @@
+--- a/bgpd/bgp_mplsvpn.c
++++ b/bgpd/bgp_mplsvpn.c
+@@ -118,8 +118,6 @@
+ return -1;
+ }
+ 
+- label = decode_label (pnt);
+-
+ /* Copyr label to prefix. */
+ tagpnt = pnt;;
+ 