[129100] in North American Network Operators' Group

Fwd: Re: [oss-security] CVE Request -- Quagga (bgpd) [two ids] --

daemon@ATHENA.MIT.EDU (Niko Thome)
Fri Aug 27 04:59:03 2010

Date: Fri, 27 Aug 2010 10:58:52 +0200
From: Niko Thome <niko.thome@1und1.de>
To: <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

for those who missed it...

kind regards,

niko

-------- Original Message --------
Subject: Re: [oss-security] CVE Request -- Quagga (bgpd) [two ids] -- 1, Stack
buffer overflow by processing crafted Refresh-Route msgs 2, NULL ptr deref by
parsing certain AS paths by BGP update request
Date: Wed, 25 Aug 2010 10:21:59 -0400
From: Josh Bressers <bressers@redhat.com>
Reply-To: oss-security@lists.openwall.com
To: oss-security@lists.openwall.com
CC: CERT-FI Vulnerability Co-ordination <vulncoord@ficora.fi>,
 Chris Hall <chris.hall@highwayman.com>,
 Denis Ovsienko <infrastation@yandex.ru>,
 "Steven M. Christey" <coley@linus.mitre.org>

----- "Jan Lieskovsky" <jlieskov@redhat.com> wrote:

> Hi Steve, vendors,
> 
>    Quagga upstream has released the latest Quagga 0.99.17 version,
>    addressing two security flaws:
> 
> A, Stack buffer overflow by processing certain Route-Refresh messages
> 
>    A stack buffer overflow flaw was found in the way Quagga's bgpd daemon
>    processed Route-Refresh messages. A configured Border Gateway Protocol
>    (BGP) peer could send a Route-Refresh message with specially-crafted
>    Outbound Route Filtering (ORF) record, which would cause the master
>    BGP daemon (bgpd) to crash or, possibly, execute arbitrary code with
>    the privileges of the user running bgpd.
> 
>    Upstream changeset:
>    [1]
> http://code.quagga.net/?p=quagga.git;a=commit;h=d64379e8f3c0636df53ed08d5b2f1946cfedd0e3
> 
>    References:
>    [2] https://bugzilla.redhat.com/show_bug.cgi?id=626783
>    [3] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

Use CVE-2010-2948 for this one.


> 
> B, DoS (crash) while processing certain BGP update AS path messages
> 
>    A NULL pointer dereference flaw was found in the way Quagga's bgpd
>    daemon parsed paths of autonomous systems (AS). A configured BGP peer
>    could send a BGP update AS path request with unknown AS type, which
>    could lead to denial of service (bgpd daemon crash).
> 
>    Upstream changeset:
>    [4]
> http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb
> 
>    References:
>    [5] https://bugzilla.redhat.com/show_bug.cgi?id=626795
>    [6] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100
> 

Use CVE-2010-2949 for this one.

Thanks.

-- 
    JB
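
Item B above comes down to what a parser does when an AS_PATH segment carries a type it does not recognise. As an added illustration (not Quagga's code and not taken from the upstream changeset), this C validator walks the segment layout from RFC 4271 and returns an explicit error for unknown types, empty segments and overruns; the function name, error codes and sample bytes are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AS_PATH segment types: RFC 4271 (1, 2) and RFC 5065 (3, 4). */
enum { AS_SET = 1, AS_SEQUENCE = 2, AS_CONFED_SEQUENCE = 3, AS_CONFED_SET = 4 };
/* Hypothetical error codes for this example (all negative). */
enum { ASPATH_TRUNCATED = -1, ASPATH_BAD_TYPE = -2, ASPATH_EMPTY_SEGMENT = -3 };

/*
 * Check an AS_PATH attribute value before anything is built from it.
 * Segment layout: 1 byte type, 1 byte AS count, count * as_size bytes
 * (as_size is 2, or 4 for 4-octet AS numbers).
 * Returns the number of segments, or a negative error the caller must check.
 */
int aspath_validate(const uint8_t *buf, size_t len, size_t as_size)
{
    size_t off = 0;
    int segments = 0;
    while (off < len) {
        if (len - off < 2)
            return ASPATH_TRUNCATED;      /* no room for type + count */
        uint8_t type = buf[off], count = buf[off + 1];
        off += 2;
        if (type < AS_SET || type > AS_CONFED_SET)
            return ASPATH_BAD_TYPE;       /* unknown type: fail, never guess */
        if (count == 0)
            return ASPATH_EMPTY_SEGMENT;  /* malformed per RFC 7606 */
        if ((size_t)count * as_size > len - off)
            return ASPATH_TRUNCATED;      /* AS list overruns the attribute */
        off += (size_t)count * as_size;
        segments++;
    }
    return segments;                      /* 0 = empty path, which is legal */
}

/* Constructed sample inputs (2-octet AS numbers), not captured traffic. */
static const uint8_t path_ok[]       = { 2, 2, 0xfd, 0xe8, 0xfd, 0xe9, 1, 1, 0xfd, 0xea };
static const uint8_t path_bad_type[] = { 9, 1, 0xfd, 0xe8 };
static const uint8_t path_overrun[]  = { 2, 3, 0xfd, 0xe8, 0xfd, 0xe9 };

int main(void)
{
    printf("ok=%d bad_type=%d overrun=%d\n",
           aspath_validate(path_ok, sizeof path_ok, 2),
           aspath_validate(path_bad_type, sizeof path_bad_type, 2),
           aspath_validate(path_overrun, sizeof path_overrun, 2));
    return 0;
}
```

A caller that treats every negative return as a malformed attribute never reaches code that assumes a parsed path exists.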
