nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Fwd: Re: [oss-security] CVE Request -- Quagga (bgpd) [two ids] -- 1, Stack buffer overflow by processing crafted Refresh-Route msgs 2, NULL ptr deref by parsing certain AS paths by BGP update request

From: Niko Thome <niko.thome () 1und1 de>
Date: Fri, 27 Aug 2010 10:58:52 +0200
for those who missed it...

kind regards,

niko

-------- Original Message --------
Subject: Re: [oss-security] CVE Request -- Quagga (bgpd) [two ids] -- 1, Stack
buffer overflow by processing crafted Refresh-Route msgs 2, NULL ptr deref by
parsing certain AS paths by BGP update request
Date: Wed, 25 Aug 2010 10:21:59 -0400
From: Josh Bressers <bressers () redhat com>
Reply-To: oss-security () lists openwall com
To: oss-security () lists openwall com
CC: CERT-FI Vulnerability Co-ordination <vulncoord () ficora fi>,        Chris
Hall <chris.hall () highwayman com>,        Denis Ovsienko
<infrastation () yandex ru>,        "Steven M. Christey" <coley () linus mitre org>

----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:


Hi Steve, vendors,

   Quagga upstream has released latest vQuagga 0.99.17 version,
   addressing two security flaws:

A, Stack buffer overflow by processing certain Route-Refresh messages

   A stack buffer overflow flaw was found in the way Quagga's bgpd daemon
   processed Route-Refresh messages. A configured Border Gateway Protocol
   (BGP) peer could send a Route-Refresh message with specially-crafted
   Outbound Route Filtering (ORF) record, which would cause the master
   BGP daemon (bgpd) to crash or, possibly, execute arbitrary code with
   the privileges of the user running bgpd.

   Upstream changeset:
   [1]
http://code.quagga.net/?p=quagga.git;a=commit;h=d64379e8f3c0636df53ed08d5b2f1946cfedd0e3

   References:
   [2] https://bugzilla.redhat.com/show_bug.cgi?id=626783
   [3] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100


Use CVE-2010-2948 for this one.




B, DoS (crash) while processing certain BGP update AS path messages

   A NULL pointer dereference flaw was found in the way Quagga's bgpd
   daemon parsed paths of autonomous systems (AS). A configured BGP peer
   could send a BGP update AS path request with unknown AS type, which
   could lead to denial of service (bgpd daemon crash).

   Upstream changeset:
   [4]
http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb

   References:
   [5] https://bugzilla.redhat.com/show_bug.cgi?id=626795
   [6] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100



Use CVE-2010-2949 for this one.

Thanks.

-- 
    JB
Previous By Date Next
Previous By Thread Next

Current thread: