Page MenuHomeVyOS Platform

DSA-4115-1 quagga -- security update
Closed, WontfixPublic

Description

Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2018-5378
It was discovered that the Quagga BGP daemon, bgpd, does not properly bounds check data sent with a NOTIFY to a peer, if an attribute length is invalid. A configured BGP peer can take advantage of this bug to read memory from the bgpd process or cause a denial of service (daemon crash).

https://www.quagga.net/security/Quagga-2018-0543.txt

CVE-2018-5379
It was discovered that the Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes, resulting in a denial of service (bgpd daemon crash).

https://www.quagga.net/security/Quagga-2018-1114.txt

CVE-2018-5380
It was discovered that the Quagga BGP daemon, bgpd, does not properly handle internal BGP code-to-string conversion tables.

https://www.quagga.net/security/Quagga-2018-1550.txt

CVE-2018-5381
It was discovered that the Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid OPEN message by a configured peer. A configured peer can take advantage of this flaw to cause a denial of service (bgpd daemon not responding to any other events; BGP sessions will drop and not be reestablished; unresponsive CLI interface).

https://www.quagga.net/security/Quagga-2018-1975.txt

For the oldstable distribution (jessie), these problems have been fixed in version 0.99.23.1-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in version 1.1.1-3+deb9u2.

We recommend that you upgrade your quagga packages.

Details

Version
-

Event Timeline

duprec created this object in space S1 VyOS Public.
duprec changed the visibility from "Subscribers" to "Public (No Login Required)".

Thanks for sharing. Debian security updates get automatically pulled in every night diring creation of the rolling release ISO.

c-po, does it mean that the fix will be included in an upcoming 1.1 release and in 1.2.0 when released ?

@syncer my bad ... then we have to integrate the fixes manually or better, identify why we have to use a special version and decide if this is still necessary. A lot of patches from the past have been removed in the latest Kernel update, too which were no longer necessary.

I think we can use Debian jessie package for 1.2.0-rolling. But for 1.1, we have to build special version, because there is no upstream package.

syncer triaged this task as Normal priority.May 27 2018, 9:54 AM

@syncer @higebu Yes, stock quagga is missing many things that ours has. We have no choice other than to integrate the patches by hand.

syncer claimed this task.

moved to frr in 1.2