nanog mailing list archives
Fwd: Re: [oss-security] CVE Request -- Quagga (bgpd) [two ids] -- 1, Stack buffer overflow by processing crafted Refresh-Route msgs 2, NULL ptr deref by parsing certain AS paths by BGP update request
From: Niko Thome <niko.thome () 1und1 de>
Date: Fri, 27 Aug 2010 10:58:52 +0200
for those who missed it... kind regards, niko -------- Original Message -------- Subject: Re: [oss-security] CVE Request -- Quagga (bgpd) [two ids] -- 1, Stack buffer overflow by processing crafted Refresh-Route msgs 2, NULL ptr deref by parsing certain AS paths by BGP update request Date: Wed, 25 Aug 2010 10:21:59 -0400 From: Josh Bressers <bressers () redhat com> Reply-To: oss-security () lists openwall com To: oss-security () lists openwall com CC: CERT-FI Vulnerability Co-ordination <vulncoord () ficora fi>, Chris Hall <chris.hall () highwayman com>, Denis Ovsienko <infrastation () yandex ru>, "Steven M. Christey" <coley () linus mitre org> ----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:
Hi Steve, vendors, Quagga upstream has released latest vQuagga 0.99.17 version, addressing two security flaws: A, Stack buffer overflow by processing certain Route-Refresh messages A stack buffer overflow flaw was found in the way Quagga's bgpd daemon processed Route-Refresh messages. A configured Border Gateway Protocol (BGP) peer could send a Route-Refresh message with specially-crafted Outbound Route Filtering (ORF) record, which would cause the master BGP daemon (bgpd) to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. Upstream changeset: [1] http://code.quagga.net/?p=quagga.git;a=commit;h=d64379e8f3c0636df53ed08d5b2f1946cfedd0e3 References: [2] https://bugzilla.redhat.com/show_bug.cgi?id=626783 [3] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100
Use CVE-2010-2948 for this one.
B, DoS (crash) while processing certain BGP update AS path messages A NULL pointer dereference flaw was found in the way Quagga's bgpd daemon parsed paths of autonomous systems (AS). A configured BGP peer could send a BGP update AS path request with unknown AS type, which could lead to denial of service (bgpd daemon crash). Upstream changeset: [4] http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb References: [5] https://bugzilla.redhat.com/show_bug.cgi?id=626795 [6] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100
Use CVE-2010-2949 for this one. Thanks. -- JB
Current thread:
- Fwd: Re: [oss-security] CVE Request -- Quagga (bgpd) [two ids] -- 1, Stack buffer overflow by processing crafted Refresh-Route msgs 2, NULL ptr deref by parsing certain AS paths by BGP update request Niko Thome (Aug 27)