Bug 977012 (CVE-2016-4049) - VUL-0: CVE-2016-4049: quagga: Missing size check in bgp_dump_routes_func in bgpd/bgp_dump.c allowing DoS
Summary: VUL-0: CVE-2016-4049: quagga: Missing size check in bgp_dump_routes_func in b...
Status: RESOLVED FIXED
Alias: CVE-2016-4049
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:62624:moderate CVSSv...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-25 09:20 UTC by Johannes Segitz
Modified: 2017-06-08 13:33 UTC (History)
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Johannes Segitz 2016-04-25 09:20:22 UTC
Created attachment 674355
Patch for CVE-2016-4049

From: Evgeny Uskov

About 3 months ago we found the following vulnerability in the BGP
daemon from the Quagga routing software (bgpd): if the following conditions
are satisfied:
 - regular dumping is enabled
 - the bgpd instance has many BGP peers
then BGP message packets that are big enough cause bgpd to crash.
The situation in which the conditions above are satisfied is quite common.
Moreover, it is easy to craft a packet which is much "bigger" than a
typical packet, and hence such a crafted packet is much more likely to cause
the crash.

The reason for such behavior is as follows. The function
bgp_dump_routes_func in bgpd/bgp_dump.c does not perform any size checks
when writing data to bgp_dump_obuf. For each bgp_node table record it
tries to dump all data to the bgp_dump_obuf stream, which is of limited size.
If there is no free space left in this stream, the assertion fails and bgpd
crashes.

The problem seems to be quite serious since it may occur if bgpd has
many BGP peers announcing the same prefix (e.g. if bgpd is used as a BGP
reflector, at Internet Exchanges, etc.) and regular dumping is enabled.
In our case "many" was equal to 20.

The easiest way to reproduce the problem:
1) add 150 BGP neighbors announcing the same prefix
2) enter the "dump bgp routes-mrt bview.dat" command in the telnet console.

The easiest way to eliminate the problem is to create multiple MRT
records if there is too much data for a prefix. Please see the attached
file dump_fix.patch implementing such a solution.

We contacted the Quagga developers and sent them patches for this
vulnerability. They responded that they were going to apply these patches
in the next patching round. However, the vulnerability is still not
patched and it is unclear how long to wait. The related correspondence
is forwarded with this message.

This issue has been assigned the name CVE-2016-4049. We are going to
disclose the vulnerability publicly on April 27, 2016.

CRD: 2016-04-27
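The report above describes two things: an unchecked write into a fixed-size dump buffer that trips an assertion once enough peers share a prefix, and the fix of splitting the dump into multiple MRT records when the data for one prefix does not fit. The following C program is an added illustration of that defensive pattern; it is not code from the bug report, from dump_fix.patch, or from Quagga. The buffer capacity, header length, entry size, the `obuf` type, and every function name here are constructed for the example and do not reproduce Quagga's stream API or the real MRT record layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for this illustration only (not Quagga's values). */
#define OBUF_SIZE   64   /* capacity of the bounded output buffer */
#define HEADER_SIZE  8   /* bytes of per-record header */
#define ENTRY_SIZE  12   /* bytes each peer's entry occupies */

/* Hypothetical bounded output stream, a stand-in for a fixed-size dump buffer. */
struct obuf {
    uint8_t data[OBUF_SIZE];
    size_t endp;          /* bytes currently written */
};

/* Size a single record would need for n peers, and whether it fits.  A writer
 * that never checks space fails its bounds assertion exactly when this is 0. */
size_t single_record_size(size_t n) { return HEADER_SIZE + n * ENTRY_SIZE; }
int fits_in_one_record(size_t n)    { return single_record_size(n) <= OBUF_SIZE; }

/* Append len bytes only if they fit: 1 on success, 0 if the buffer is full. */
static int obuf_put(struct obuf *b, const void *src, size_t len)
{
    if (len > OBUF_SIZE - b->endp)
        return 0;
    memcpy(b->data + b->endp, src, len);
    b->endp += len;
    return 1;
}

/* Constructed record header: big-endian sequence number plus a tag. */
static int write_header(struct obuf *b, uint32_t seq)
{
    uint8_t hdr[HEADER_SIZE] = {
        (uint8_t)(seq >> 24), (uint8_t)(seq >> 16),
        (uint8_t)(seq >> 8),  (uint8_t)seq, 'M', 'R', 'T', 0
    };
    return obuf_put(b, hdr, HEADER_SIZE);
}

/* Fill n constructed peer entries (peer index stored in the first 4 bytes). */
void fill_entries(uint8_t *entries, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint8_t *e = entries + i * ENTRY_SIZE;
        memset(e, 0, ENTRY_SIZE);
        e[0] = (uint8_t)(i >> 24); e[1] = (uint8_t)(i >> 16);
        e[2] = (uint8_t)(i >> 8);  e[3] = (uint8_t)i;
    }
}

/* Receives each completed record; a real dumper would write it to the file. */
typedef int (*flush_fn)(const struct obuf *b, void *ctx);

struct flush_stats { int records; size_t bytes; int overflow; };

int count_flush(const struct obuf *b, void *ctx)
{
    struct flush_stats *st = ctx;
    st->records++;
    st->bytes += b->endp;
    if (b->endp > OBUF_SIZE)   /* sanity check: obuf_put makes this impossible */
        st->overflow = 1;
    return 0;
}

/* Dump n peer entries for one prefix, opening a new record whenever the next
 * entry would not fit.  Returns the number of records emitted, or -1 if one
 * entry cannot fit even in an empty record or a flush fails. */
int dump_prefix_entries(const uint8_t *entries, size_t n, flush_fn flush, void *ctx)
{
    struct obuf b;
    int records = 0;
    size_t i = 0;
    uint32_t seq = 0;

    if (HEADER_SIZE + ENTRY_SIZE > OBUF_SIZE)
        return -1;

    while (i < n) {
        b.endp = 0;
        write_header(&b, seq++);            /* always fits: the buffer is empty */
        while (i < n && obuf_put(&b, entries + i * ENTRY_SIZE, ENTRY_SIZE))
            i++;                            /* pack until the next entry would overflow */
        if (flush(&b, ctx) != 0)
            return -1;
        records++;
    }
    return records;
}

int main(void)
{
    static uint8_t entries[150 * ENTRY_SIZE];   /* 150 peers, as in the reproduction */
    struct flush_stats st = {0, 0, 0};
    int records;

    fill_entries(entries, 150);
    printf("150 peers in one record? %s (needs %zu bytes, buffer holds %d)\n",
           fits_in_one_record(150) ? "yes" : "no", single_record_size(150), OBUF_SIZE);
    records = dump_prefix_entries(entries, 150, count_flush, &st);
    printf("split dump: %d records, %zu bytes, overflow=%d\n", records, st.bytes, st.overflow);
    return 0;
}
```

With these constructed sizes a record holds four entries, so 150 peers become 38 records instead of one 1808-byte write into a 64-byte buffer; the single `obuf_put` bounds check is the only place that decides when a record ends, and the dumper itself never has to assume anything about how many peers share a prefix.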
Comment 1 Swamp Workflow Management 2016-04-25 22:01:30 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2016-05-04 13:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (977012) was mentioned in
https://build.opensuse.org/request/show/393642 42.1 / quagga
Comment 6 Bernhard Wiedemann 2016-05-04 15:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (977012) was mentioned in
https://build.opensuse.org/request/show/393659 Factory / quagga
https://build.opensuse.org/request/show/393701 13.2 / quagga
Comment 13 Swamp Workflow Management 2016-05-17 13:16:17 UTC
openSUSE-SU-2016:1313-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 977012
CVE References: CVE-2016-4049
Sources used:
openSUSE Leap 42.1 (src):    quagga-0.99.24.1-11.1
openSUSE 13.2 (src):    quagga-0.99.23-2.9.1
Comment 15 Swamp Workflow Management 2016-06-03 15:08:15 UTC
SUSE-SU-2016:1482-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 977012
CVE References: CVE-2016-4049
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    quagga-0.99.22.1-12.1
SUSE Linux Enterprise Software Development Kit 12 (src):    quagga-0.99.22.1-12.1
SUSE Linux Enterprise Server 12-SP1 (src):    quagga-0.99.22.1-12.1
SUSE Linux Enterprise Server 12 (src):    quagga-0.99.22.1-12.1
Comment 16 Swamp Workflow Management 2016-06-03 15:08:33 UTC
SUSE-SU-2016:1483-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 977012
CVE References: CVE-2016-4049
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    quagga-0.99.15-0.24.2
SUSE Linux Enterprise Server 11-SP4 (src):    quagga-0.99.15-0.24.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    quagga-0.99.15-0.24.2
Comment 17 Marcus Meissner 2016-11-18 20:00:19 UTC
released