Debian Bug report logs - #730513
CVE-2013-6051 - bgpd crash on valid BGP updates

version graph

Package: quagga; Maintainer for quagga is Christian Hammers <ch@debian.org>; Source for quagga is src:quagga.

Reported by: Christian Hammers <ch@debian.org>

Date: Mon, 25 Nov 2013 23:54:02 UTC

Severity: grave

Tags: security

Found in versions 0.99.21-3~bpo60+1, quagga/0.99.21-4+wheezy1

Fixed in version quagga/0.99.22.4-1+wheezy1

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#730513; Package quagga. (Mon, 25 Nov 2013 23:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Hammers <ch@debian.org>:
New Bug report received and forwarded. (Mon, 25 Nov 2013 23:54:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2013-6051 - bgpd crash on valid BGP updates
Date: Tue, 26 Nov 2013 00:45:32 +0100
[Message part 1 (text/plain, inline)]
Package: quagga
Severity: grave
Tags: security
Version: 0.99.21-4+wheezy1

CVE-2013-6051 was assigned to this issue. DSA is coming soon.

Best Regards

-christian-

On Tue, 19 Nov 2013 16:25:27 +0100
David Lamparter <equinox@opensourcerouting.org> wrote:

> Note that 0.99.21 has another open issue that I don't see the fix for
> in the Debian package, being
> http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=commitdiff;h=8794e8d229dc9fe29ea31424883433d4880ef408
> which can crash bgpd on receiving normal, valid BGP updates.  (No idea
> if it's exploitable.)  There is no CVE number for this, the severity
> was only discovered after 0.99.22, containing the fix, was already
> out. 0.99.20 is not affected.
[signature.asc (application/pgp-signature, attachment)]

Marked as found in versions 0.99.21-3~bpo60+1. Request was from Christian Hammers <ch@debian.org> to control@bugs.debian.org. (Tue, 26 Nov 2013 00:12:05 GMT) Full text and rfc822 format available.

Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility. (Thu, 28 Nov 2013 22:21:38 GMT) Full text and rfc822 format available.

Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer. (Thu, 28 Nov 2013 22:21:38 GMT) Full text and rfc822 format available.

Message #12 received at 730513-close@bugs.debian.org (full text, mbox):

From: Christian Hammers <ch@debian.org>
To: 730513-close@bugs.debian.org
Subject: Bug#730513: fixed in quagga 0.99.22.4-1+wheezy1
Date: Thu, 28 Nov 2013 22:17:20 +0000
Source: quagga
Source-Version: 0.99.22.4-1+wheezy1

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 730513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 26 Nov 2013 00:32:42 +0100
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 0.99.22.4-1+wheezy1
Distribution: stable-security
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 681088 687124 690013 694852 710147 726724 730513
Changes: 
 quagga (0.99.22.4-1+wheezy1) stable-security; urgency=high
 .
   * SECURITY:
     CVE-2013-6051 - a bug in Quagga 0.99.21 that could let bgpd crash on
     receiving normal, valid BGP updates. Closes: #730513
 .
 quagga (0.99.22.4-1) unstable; urgency=high
 .
   * SECURITY:
     "ospfd: CVE-2013-2236, stack overrun in apiserver
 .
     the OSPF API-server (exporting the LSDB and allowing announcement of
     Opaque-LSAs) writes past the end of fixed on-stack buffers.  This leads
     to an exploitable stack overflow.
 .
     For this condition to occur, the following two conditions must be true:
     - Quagga is configured with --enable-opaque-lsa
     - ospfd is started with the "-a" command line option
 .
     If either of these does not hold, the relevant code is not executed and
     the issue does not get triggered."
     Closes: #726724
 .
   * New upstream release
     - ospfd: protect vs. VU#229804 (malformed Router-LSA)
       (Quagga is said to be non-vulnerable but still adds some protection)
 .
 quagga (0.99.22.1-2) unstable; urgency=low
 .
   * Added autopkgtests (thanks to Yolanda Robla). Closes: #710147
   * Added "status" command to init script (thanks to James Andrewartha).
     Closes: #690013
   * Added "libsnmp-dev" to Build-Deps. There not needed for the official
     builds but for people who compile Quagga themselves to activate the
     SNMP feature (which for licence reasons cannot be done by Debian).
     Thanks to Ben Winslow). Closes: #694852
   * Changed watchquagga_options to an array so that quotes can finally
     be used as expected. Closes: #681088
   * Fixed bug that prevented restarting only the watchquagga daemon
     (thanks to Harald Kappe). Closes: #687124
 .
 quagga (0.99.22.1-1) unstable; urgency=low
 .
   * New upstream release
     - ospfd restore nexthop IP for p2p interfaces
     - ospfd: fix LSA initialization for build without opaque LSA
     - ripd: correctly redistribute ifindex routes (BZ#664)
     - bgpd: fix lost passwords of grouped neighbors
   * Removed 91_ld_as_needed.diff as it was found in the upstream source.
 .
 quagga (0.99.22-1) unstable; urgency=low
 .
   * New upstream release.
     - [bgpd] The semantics of default-originate route-map have changed.
       The route-map is now used to advertise the default route conditionally.
       The old behaviour which allowed to set attributes on the originated
       default route is no longer supported.
     - [bgpd] this version of bgpd implements draft-idr-error-handling.  This was
       added in 0.99.21 and may not be desirable.  If you need a version
       without this behaviour, please use 0.99.20.1.  There will be a
       runtime configuration switch for this in future versions.
     - [isisd] is in "beta" state.
     - [ospf6d] is in "alpha/experimental" state
     - More changes are documented in the upstream changelog!
   * debian/watch: Adjusted to new savannah.gnu.org site, thanks to Bart
     Martens.
   * debian/patches/99_CVE-2012-1820_bgp_capability_orf.diff removed as its
     in the changelog.
   * debian/patches/99_distribute_list.diff removed as its in the changelog.
   * debian/patches/10_doc__Makefiles__makeinfo-force.diff removed as it
     was just for Debian woody.
Checksums-Sha1: 
 9f71d94454e158536db8e8cee80e9cd9cc292d6f 1516 quagga_0.99.22.4-1+wheezy1.dsc
 73019bf915ff4fe7cd497f11579c05f35fe09df5 2352406 quagga_0.99.22.4.orig.tar.gz
 f151836b02ac08545f4de2339cabffe8ebb32c74 39757 quagga_0.99.22.4-1+wheezy1.debian.tar.gz
 7bf5f1511d24727c0307e340e8b0e9174f05d50c 1723840 quagga_0.99.22.4-1+wheezy1_amd64.deb
 5076fd8dc65147c51842776777b8933bfd52246c 2527312 quagga-dbg_0.99.22.4-1+wheezy1_amd64.deb
 b5ac416e25f732b77ec1ada0cebac5f2fecdffa7 656250 quagga-doc_0.99.22.4-1+wheezy1_all.deb
Checksums-Sha256: 
 5953f2cc0d7cf8eb73c7d2eec34728735983c0afe66d0196ca372570a6651de5 1516 quagga_0.99.22.4-1+wheezy1.dsc
 cbe48d5cc57bbaa07cfd8362ba598447dc94aa866ddc5794e57172709d36ba79 2352406 quagga_0.99.22.4.orig.tar.gz
 a15a24ea871281abe588830ff5e1828b0ddea7b5e582f1b8180d172be78a28c9 39757 quagga_0.99.22.4-1+wheezy1.debian.tar.gz
 1cf2610d17801d863efcdeddaf93bed6fa4a9289a5897f5e58b56bc447a807e2 1723840 quagga_0.99.22.4-1+wheezy1_amd64.deb
 2da21382eb241b0224e273ea63c76d735c7947d9854b96296634d6701c497caa 2527312 quagga-dbg_0.99.22.4-1+wheezy1_amd64.deb
 fc9dd49c9d755e01ad96688e45815883d822b6baaa1a7460185bea1292d61b89 656250 quagga-doc_0.99.22.4-1+wheezy1_all.deb
Files: 
 de9f16b9374a6b4167b246599712dd23 1516 net optional quagga_0.99.22.4-1+wheezy1.dsc
 27ef98abb1820bae19eb71f631a10853 2352406 net optional quagga_0.99.22.4.orig.tar.gz
 0266632837c85abab719901a734808a4 39757 net optional quagga_0.99.22.4-1+wheezy1.debian.tar.gz
 e088c7c7893e8a1abd1bcd5bb4b77572 1723840 net optional quagga_0.99.22.4-1+wheezy1_amd64.deb
 6b40bc9eb9d00eb7a2a7f34eec311d74 2527312 debug extra quagga-dbg_0.99.22.4-1+wheezy1_amd64.deb
 b9972e2d123a2d9c225bfcca63573c2a 656250 net optional quagga-doc_0.99.22.4-1+wheezy1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKT+l4ACgkQkR9K5oahGOa3rwCgu/31CsDttTdxHGTiU8xwm+/j
tK0AoIQyt1bNAmtyK26GtiZAM4K3PPYM
=sZX6
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Dec 2013 07:26:16 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 17:01:13 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.