Bugzilla – Bug 970952
VUL-0: CVE-2016-2342 quagga: VPNv4 NLRI parses memcpys to stack on unchecked length
Last modified: 2016-06-16 14:49:51 UTC
rh#1316571
bgpd: Fix VU#270232, VPNv4 NLRI parser memcpys to stack on unchecked length
A vulnerability was found in a way VPNv4 NLRI parser copied packet data to the stack. Memcpy to stack data structure based on length field from packet data whose length field upper-bound was not properly checked. This likely allows BGP peers that are enabled to send Labeled-VPN SAFI routes to Quagga bgpd to remotely exploit Quagga bgpd.
Mitigation: Do not enable Labeled-VPN SAFI with untrusted neighbours.
Impact: Labeled-VPN SAFI is not enabled by default.
* bgp_mplsvpn.c: (bgp_nlri_parse_vpnv4) The prefixlen is checked for lower-bound, but not for upper-bound against received data length. The packet data is then memcpy'd to the stack based on the prefixlen. Extend the prefixlen check to ensure it is within the bound of the NLRI packet data AND the on-stack prefix structure AND the maximum size for the address family.
Upstream fix: a3bc7e9400b214a0f078fdb19596ba54214a1442 from git://git.sv.gnu.org/quagga.git
External references: http://mirror.easyname.at/nongnu//quagga/quagga-1.0.20160309.changelog.txt
References: https://bugzilla.redhat.com/show_bug.cgi?id=1316571 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2342
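The three-part upper-bound check described in the report above, as an added example that is not Quagga's code or the upstream patch: a simplified parser for a single VPNv4 NLRI entry. The struct, function and macro names are hypothetical, and the 11-byte label plus route distinguisher header is taken from the VPNv4 encoding, not from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VPN_HDR_BYTES 11  /* 3-byte label + 8-byte route distinguisher */
#define IPV4_MAX_BYTES 4  /* maximum prefix size for the address family */

struct vpn_prefix {       /* hypothetical on-stack destination */
    uint8_t prefixlen;    /* IPv4 prefix length in bits */
    uint8_t addr[IPV4_MAX_BYTES];
};

/* Parse one entry from buf[0..len). Returns bytes consumed, -1 if malformed. */
int parse_vpnv4_entry(const uint8_t *buf, size_t len, struct vpn_prefix *out)
{
    if (len < 1)
        return -1;
    unsigned bits = buf[0];            /* peer-supplied length, in bits */
    size_t psize = (bits + 7) / 8;     /* bytes that follow the length octet */

    if (bits < VPN_HDR_BYTES * 8)      /* lower bound: label + RD must be present */
        return -1;
    if (psize > len - 1)               /* upper bound 1: remaining NLRI data */
        return -1;
    size_t addr_bytes = psize - VPN_HDR_BYTES;
    if (addr_bytes > sizeof(out->addr))   /* upper bound 2: destination struct */
        return -1;
    if (addr_bytes > IPV4_MAX_BYTES)      /* upper bound 3: address family max */
        return -1;

    memset(out, 0, sizeof(*out));
    out->prefixlen = (uint8_t)(bits - VPN_HDR_BYTES * 8);
    memcpy(out->addr, buf + 1 + VPN_HDR_BYTES, addr_bytes);  /* now bounded */
    return (int)(1 + psize);
}

int main(void)
{
    /* Constructed samples: a /24 entry, and one claiming 255 bits. */
    uint8_t ok[15] = {112, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 10, 1, 2};
    uint8_t bad[40] = {255};
    struct vpn_prefix p;
    printf("valid: %d\n", parse_vpnv4_entry(ok, sizeof ok, &p));
    printf("oversized: %d\n", parse_vpnv4_entry(bad, sizeof bad, &p));
    return 0;
}
```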
This is an autogenerated message for OBS integration: This bug (970952) was mentioned in https://build.opensuse.org/request/show/372903 13.2 / quagga
leap 42.1 got a newer version from factory, so it needs a separate fix submitted
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-03-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62563
This is an autogenerated message for OBS integration: This bug (970952) was mentioned in https://build.opensuse.org/request/show/373701 42.1 / quagga
openSUSE-SU-2016:0863-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 970952 CVE References: CVE-2016-2342 Sources used: openSUSE 13.2 (src): quagga-0.99.23-2.3.1
openSUSE-SU-2016:0888-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 970952 CVE References: CVE-2016-2342 Sources used: openSUSE Leap 42.1 (src): quagga-0.99.24.1-5.1
SUSE-SU-2016:0936-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 970952 CVE References: CVE-2016-2342 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): quagga-0.99.22.1-5.1 SUSE Linux Enterprise Software Development Kit 12 (src): quagga-0.99.22.1-5.1 SUSE Linux Enterprise Server 12-SP1 (src): quagga-0.99.22.1-5.1 SUSE Linux Enterprise Server 12 (src): quagga-0.99.22.1-5.1
SUSE-SU-2016:0946-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 970952 CVE References: CVE-2016-2342 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): quagga-0.99.15-0.16.1 SUSE Linux Enterprise Server 11-SP4 (src): quagga-0.99.15-0.16.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): quagga-0.99.15-0.16.1
released