Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Wed, 25 Aug 2010 10:21:59 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>,
        Chris Hall <chris.hall@...hwayman.com>,
        Denis Ovsienko <infrastation@...dex.ru>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- Quagga (bgpd) [two ids] -- 1,
 Stack buffer overflow by processing crafted Refresh-Route msgs 2, NULL ptr
 deref by parsing certain AS paths by BGP update request

----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote:

> Hi Steve, vendors,
> 
>    Quagga upstream has released latest vQuagga 0.99.17 version,
>    addressing two security flaws:
> 
> A, Stack buffer overflow by processing certain Route-Refresh messages
> 
>    A stack buffer overflow flaw was found in the way Quagga's bgpd daemon
>    processed Route-Refresh messages. A configured Border Gateway Protocol
>    (BGP) peer could send a Route-Refresh message with specially-crafted
>    Outbound Route Filtering (ORF) record, which would cause the master
>    BGP daemon (bgpd) to crash or, possibly, execute arbitrary code with
>    the privileges of the user running bgpd.
> 
>    Upstream changeset:
>    [1]
> http://code.quagga.net/?p=quagga.git;a=commit;h=d64379e8f3c0636df53ed08d5b2f1946cfedd0e3
> 
>    References:
>    [2] https://bugzilla.redhat.com/show_bug.cgi?id=626783
>    [3] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

Use CVE-2010-2948 for this one.


> 
> B, DoS (crash) while processing certain BGP update AS path messages
> 
>    A NULL pointer dereference flaw was found in the way Quagga's bgpd
>    daemon parsed paths of autonomous systems (AS). A configured BGP peer
>    could send a BGP update AS path request with unknown AS type, which
>    could lead to denial of service (bgpd daemon crash).
> 
>    Upstream changeset:
>    [4]
> http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb
> 
>    References:
>    [5] https://bugzilla.redhat.com/show_bug.cgi?id=626795
>    [6] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100
> 

Use CVE-2010-2949 for this one.

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ