Re: CVE Request -- Quagga (bgpd) [two ids] -- 1, Stack buffer overflow by processing crafted Refresh-Route msgs 2, NULL ptr deref by parsing certain AS paths by BGP update request

[Josh Bressers <bressers () redhat com>]

----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:

> Hi Steve, vendors,
>
>    Quagga upstream has released latest vQuagga 0.99.17 version,
>    addressing two security flaws:
>
> A, Stack buffer overflow by processing certain Route-Refresh messages
>
>    A stack buffer overflow flaw was found in the way Quagga's bgpd daemon
>    processed Route-Refresh messages. A configured Border Gateway Protocol
>    (BGP) peer could send a Route-Refresh message with specially-crafted
>    Outbound Route Filtering (ORF) record, which would cause the master
>    BGP daemon (bgpd) to crash or, possibly, execute arbitrary code with
>    the privileges of the user running bgpd.
>
>    Upstream changeset:
>    [1]
> http://code.quagga.net/?p=quagga.git;a=commit;h=d64379e8f3c0636df53ed08d5b2f1946cfedd0e3
>
>    References:
>    [2] https://bugzilla.redhat.com/show_bug.cgi?id=626783
>    [3] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

Use CVE-2010-2948 for this one.


> B, DoS (crash) while processing certain BGP update AS path messages
>
>    A NULL pointer dereference flaw was found in the way Quagga's bgpd
>    daemon parsed paths of autonomous systems (AS). A configured BGP peer
>    could send a BGP update AS path request with unknown AS type, which
>    could lead to denial of service (bgpd daemon crash).
>
>    Upstream changeset:
>    [4]
> http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb
>
>    References:
>    [5] https://bugzilla.redhat.com/show_bug.cgi?id=626795
>    [6] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

Use CVE-2010-2949 for this one.

Thanks.

-- 
    JB