Bug 18060

Summary: quagga new security issue CVE-2016-2342
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/681279/
Whiteboard: has_procedure MGA5-64-OK advisory
Source RPM: quagga-0.99.22.4-4.mga5.src.rpm CVE:
Status comment:
Attachments: Work log for quagga testing

Description David Walser 2016-03-24 18:33:24 CET 
OpenSuSE has issued an advisory on March 23:
https://lists.opensuse.org/opensuse-updates/2016-03/msg00102.html

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated quagga packages fix security vulnerability:

A vulnerability was found in a way VPNv4 NLRI parser copied packet data to the
stack. Memcpy to stack data structure based on length field from packet data
whose length field upper-bound was not properly checked (CVE-2016-2342).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2342
https://lists.opensuse.org/opensuse-updates/2016-03/msg00102.html
========================

Updated packages in core/updates_testing:
========================
quagga-0.99.22.4-4.1.mga5
quagga-contrib-0.99.22.4-4.1.mga5
libquagga0-0.99.22.4-4.1.mga5
libquagga-devel-0.99.22.4-4.1.mga5

from quagga-0.99.22.4-4.1.mga5.src.rpm
Comment 1 David Walser 2016-03-24 18:33:47 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6512#c1

Whiteboard: (none) => has_procedure

Comment 2 Len Lawrence 2016-03-25 01:07:26 CET 
x86_64 test under Mate.

Went straight for the updates after installing the pre-update packages and followed the recommended procedure in comment #1.  It all ran smoothly with the exception of babeld.  Stopped services after watchquagga started and restarted them, sometimes after editing a config file.

Unless the babel thing is a problem this looks good for 64-bits.

Some more detailed notes attached.

CC: (none) => tarazed25

Len Lawrence 2016-03-25 01:07:45 CET

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 Len Lawrence 2016-03-25 01:09:23 CET 
Created attachment 7592 [details]
Work log for quagga testing
Dave Hodgins 2016-03-25 07:42:06 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2016-03-26 16:08:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0126.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED