Bug 11433

Summary: quagga new security issue CVE-2013-2236
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/570016/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: quagga-0.99.20.1-9.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-10-10 19:10:32 CEST 
Gentoo has issued an advisory today (October 10):
http://www.gentoo.org/security/en/glsa/glsa-201310-08.xml

We have already fixed the 2012 CVEs, but the CVE-2013-2236 is new.

This issue is fixed upstream in quagga-0.99.22.2, but Fedora fixed it by disabling the vulnerable features (ospfapi and ospfclient), as they don't really provide any useful functionality anyway:
http://pkgs.fedoraproject.org/cgit/quagga.git/commit/?id=c17c7f3c42845c0f6d17852a827cd2d71fe74c24

I've disabled those features as well as updating to the newest version in Cauldron in quagga-0.99.22.4-1.mga4.

For Mageia 2 and Mageia 3, I have disabled ospfapi and ospfclient.

Advisory:
========================

Updated quagga packages fix security vulnerability:

Remotely exploitable buffer overflow in ospf_api.c and ospfclient.c when
processing LSA messages in quagga before 0.99.22.2 (CVE-2013-2236).

Note: We have worked around this vulnerability by disabling the ospf_api
and ospfclient features, which did not provide useful functionality.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2236
http://lists.quagga.net/pipermail/quagga-dev/2013-July/010622.html
http://www.gentoo.org/security/en/glsa/glsa-201310-08.xml
========================

Updated packages in core/updates_testing:
========================
quagga-0.99.20.1-3.2.mga2
quagga-contrib-0.99.20.1-3.2.mga2
libquagga0-0.99.20.1-3.2.mga2
libquagga-devel-0.99.20.1-3.2.mga2
quagga-0.99.20.1-9.1.mga3
quagga-contrib-0.99.20.1-9.1.mga3
libquagga0-0.99.20.1-9.1.mga3
libquagga-devel-0.99.20.1-9.1.mga3

from SRPMS:
quagga-0.99.20.1-3.2.mga2.src.rpm
quagga-0.99.20.1-9.1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-10-10 19:11:06 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 claire robinson 2013-10-14 10:23:31 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6512#c1

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 2 claire robinson 2013-10-15 10:09:01 CEST 
Testing complete mga3 64

Quagga displays the same warnings as dropbear, has this been addressed in Cauldron?

1/1: removing quagga-0.99.20.1-9.1.mga3.x86_64
                                 ########################################################################warning: file /etc/rc.d/init.d/zebra: remove failed: No such file or directory
warning: file /etc/rc.d/init.d/watchquagga: remove failed: No such file or directory
warning: file /etc/rc.d/init.d/ripngd: remove failed: No such file or directory
warning: file /etc/rc.d/init.d/ripd: remove failed: No such file or directory
warning: file /etc/rc.d/init.d/ospfd: remove failed: No such file or directory
warning: file /etc/rc.d/init.d/ospf6d: remove failed: No such file or directory
warning: file /etc/rc.d/init.d/bgpd: remove failed: No such file or directory
##################################


Note: these are caused by leftover SysV init scripts which are no longer required and are harmless. See bug 11458

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-64-ok

Comment 3 claire robinson 2013-10-15 12:34:52 CEST 
Testing complete mga2 64

# for name in {bgpd,isisd,ospfd,ospf6d,ripd,ripngd,zebra,watchquagga};do service $name restart; done

Restarting bgpd (via systemctl):         [  OK  ]
Restarting isisd (via systemctl):        [  OK  ]
Restarting ospfd (via systemctl):        [  OK  ]
Restarting ospf6d (via systemctl):       [  OK  ]
Restarting ripd (via systemctl):         [  OK  ]
Restarting ripngd (via systemctl):       [  OK  ]
Restarting zebra (via systemctl):        [  OK  ]
Restarting watchquagga (via systemctl):  [  OK  ]

# tail /var/log/syslog
Oct 15 11:16:42 mga264 watchquagga[9945]: watchquagga 0.99.20.1 watching [zebra bgpd ospfd ospf6d ripd ripngd], mode [monitor]
Oct 15 11:16:42 mga264 watchquagga[9937]: Starting watchquagga: [  OK  ]
Oct 15 11:16:42 mga264 watchquagga[9945]: ospf6d state -> up : connect succeeded
Oct 15 11:16:42 mga264 watchquagga[9945]: zebra state -> up : connect succeeded
Oct 15 11:16:42 mga264 watchquagga[9945]: ripd state -> up : connect succeeded
Oct 15 11:16:42 mga264 watchquagga[9945]: bgpd state -> up : connect succeeded
Oct 15 11:16:42 mga264 watchquagga[9945]: ripngd state -> up : connect succeeded
Oct 15 11:16:42 mga264 watchquagga[9945]: ospfd state -> up : connect succeeded

# netstat -pant | grep :26
tcp        0      0 127.0.0.1:2601     0.0.0.0:*     LISTEN     9900/zebra
tcp        0      0 127.0.0.1:2602     0.0.0.0:*     LISTEN     9774/ripd
tcp        0      0 127.0.0.1:2604     0.0.0.0:*     LISTEN     9649/ospfd
tcp        0      0 127.0.0.1:2605     0.0.0.0:*     LISTEN     9525/bgpd
tcp        0      0 0.0.0.0:2608       0.0.0.0:*     LISTEN     87/isisd
tcp        0      0 ::1:2603           :::*          LISTEN     37/ripngd 
tcp        0      0 ::1:2606           :::*          LISTEN     9712/ospf6d

# telnet localhost 2601 (repeat for 2602,2604,2605,2608)
..etc

# telnet ::1 2603 (repeat for 2606)
..etc

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-64-ok

Comment 4 claire robinson 2013-10-15 12:44:52 CEST 
Testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok

Comment 5 claire robinson 2013-10-15 12:55:57 CEST 
Testing complete mga2 32

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok

Comment 6 claire robinson 2013-10-15 13:03:47 CEST 
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2013-10-17 22:05:56 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0310.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED