Bug 18280

Summary: quagga new security issue CVE-2016-4049
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: makowski.mageia, marja11, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/686580/
Whiteboard: has_procedure advisory MGA5-64-OK
Source RPM: quagga-0.99.24.1-3.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-04-27 18:27:55 CEST 
A security issue in quagga has been announced today (April 27):
http://openwall.com/lists/oss-security/2016/04/27/7

A patch to fix the issue has been included in the message above.

Mageia 5 is also affected.
David Walser 2016-04-27 18:28:01 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-04-28 19:59:12 CEST 
(In reply to David Walser from comment #0)
> A security issue in quagga has been announced today (April 27):
> http://openwall.com/lists/oss-security/2016/04/27/7
> 
> A patch to fix the issue has been included in the message above.
> 
> Mageia 5 is also affected.

Assigning to all packagers collectively, since there is no maintainer for this package.

@ Philippem

Do I need to CC you separately when assigning a security bug to pkg-bugs@ml for a package that doesn't have a maintainer?

CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Philippe Makowski 2016-05-02 20:42:35 CEST 
(In reply to Marja van Waes from comment #1)
> (In reply to David Walser from comment #0)
> > A security issue in quagga has been announced today (April 27):
> > http://openwall.com/lists/oss-security/2016/04/27/7
> > 
> > A patch to fix the issue has been included in the message above.
> > 
> > Mageia 5 is also affected.
> 
> Assigning to all packagers collectively, since there is no maintainer for
> this package.
> 
> @ Philippem
> 
> Do I need to CC you separately when assigning a security bug to pkg-bugs@ml
> for a package that doesn't have a maintainer?
You can yes

Assignee: pkg-bugs => makowski.mageia

Comment 3 Philippe Makowski 2016-05-02 22:42:36 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated quagga packages fix security vulnerability:

A denial of dervice vulnerability have been found in BGP daemon
from Quagga routing software (bgpd): if the following conditions are
satisfied:
 - regular dumping is enabled
 - bgpd instance has many BGP peers
then BGP message packets that are big enough cause bgpd to crash.
The situation when the conditions above are satisfied is quite common.
Moreover, it is easy to craft a packet which is much "bigger" than a
typical packet, and hence such crafted packet can much more likely cause
the crash (CVE-2016-4049).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4049
http://openwall.com/lists/oss-security/2016/04/27/7
========================

Updated packages in core/updates_testing:
========================
quagga-0.99.22.4-4.2.mga5
quagga-contrib-0.99.22.4-4.2.mga5
libquagga0-0.99.22.4-4.2.mga5
libquagga-devel-0.99.22.4-4.2.mga5

from quagga-0.99.22.4-4.2.mga5.src.rpm

Assignee: makowski.mageia => qa-bugs
Whiteboard: MGA5TOO => MGA5TOO has_procedure

Comment 4 Philippe Makowski 2016-05-02 22:43:53 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=6512#c1
Comment 5 David Walser 2016-05-02 23:45:03 CEST 
Thanks Philippe!  When fixing in Cauldron and Mageia 5 and assigning to QA, please also remember to set the version to 5 and remove MGA5TOO from the whiteboard.

Version: Cauldron => 5
Whiteboard: MGA5TOO has_procedure => has_procedure

Comment 6 Len Lawrence 2016-05-05 12:34:37 CEST 
Testing on x86_64.  Had tested it before on another bug.

Started a few services.
$ sudo watchquagga -d zebra bgpd ospfd ospf6d ripd
$ tail -40 /var/log/syslog
...................
May  5 10:01:09 vega watchquagga[11287]: watchquagga 0.99.22.4 watching [zebra bgpd ospfd ospf6d ripd], mode [monitor]
May  5 10:01:09 vega watchquagga[11287]: ospf6d state -> up : connect succeeded
May  5 10:01:09 vega watchquagga[11287]: ripd state -> up : connect succeeded
May  5 10:01:09 vega watchquagga[11287]: ospfd state -> up : connect succeeded
May  5 10:01:09 vega watchquagga[11287]: zebra state -> up : connect succeeded
May  5 10:01:10 vega watchquagga[11287]: bgpd state -> up : connect succeeded

Stopped ospf6d and checked syslog.
May  5 10:02:45 vega watchquagga[11287]: ospf6d state -> down : read returned EOF

$ systemctl status ospf6d
â ospf6d.service - OSPF routing daemon for IPv6
   Loaded: loaded (/usr/lib/systemd/system/ospf6d.service; enabled)
   Active: inactive (dead) since Thu 2016-05-05 10:02:45 BST; 16min ago
     Docs: man:ospfd(8)
           man:zebra(8)
 Main PID: 10613 (code=exited, status=0/SUCCESS)

$ sudo netstat -tapnl | grep ':260' > quagga.netlog
$ cat quagga.netlog
tcp        0      0 0.0.0.0:2601            0.0.0.0:*               LISTEN      10556/zebra         
tcp        0      0 0.0.0.0:2602            0.0.0.0:*               LISTEN      10590/ripd          
tcp        0      0 0.0.0.0:2603            0.0.0.0:*               LISTEN      10636/ripngd        
tcp        0      0 0.0.0.0:2604            0.0.0.0:*               LISTEN      10659/ospfd         
tcp        0      0 0.0.0.0:2605            0.0.0.0:*               LISTEN      10682/bgpd          
tcp6       0      0 :::2601                 :::*                    LISTEN      10556/zebra         
tcp6       0      0 :::2602                 :::*                    LISTEN      10590/ripd          
tcp6       0      0 :::2603                 :::*                    LISTEN      10636/ripngd        
tcp6       0      0 :::2604                 :::*                    LISTEN      10659/ospfd         
tcp6       0      0 :::2605                 :::*                    LISTEN      10682/bgpd          
[

Logged in to zebra
$ telnet localhost 2601
Tried ? and list to show commands
Router> show version
Quagga 0.99.22.4 (Router).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
Router> show history
  list
  show history
  show version
Router> show ip mroute
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, A - Babel,
       > - selected route, * - FIB route
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, enp3s0

Tried the ipv6 services:
$ telnet ::1 2605
bgpd> who
 vty[13] connected from ::1.
bgpd> exit

$ telnet ::1 2604
ospfd> show ip ospf route
============ OSPF network routing table ============
N    192.168.1.0/24        [10] area: 0.0.0.0
                           directly attached to enp3s0
			   
ospfd> exit

Started ospf6d.
$ tail -320 /var/log/syslog | grep ospf6
May  5 11:09:23 vega watchquagga[11287]: ospf6d state -> up : connect succeeded

$ telnet localhost 2606
ospf6d@plant# show ip access-list
OSPF6:
Zebra IP access list access4
    permit 127.0.0.1/32
ospf6d@plant# show ipv6 ospf6
 OSPFv3 Routing Process (0) with Router-ID 255.1.1.1
 Running 00:18:38
 Number of AS scoped LSAs is 0
 Number of areas in this router is 1
 Area 0.0.0.0
     Number of Area scoped LSAs is 0
     Interface attached to this area: fxp0
   CGroup: /system.slice/ospf6d.service
           ââ5878 /usr/sbin/ospf6d -d

This all looks fine.

CC: (none) => tarazed25

Len Lawrence 2016-05-05 12:34:59 CEST

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 7 claire robinson 2016-05-05 17:33:02 CEST 
Validating

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 claire robinson 2016-05-05 18:11:03 CEST 
Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK

Comment 9 Mageia Robot 2016-05-05 18:27:26 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0165.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-05-07 00:03:03 CEST

URL: (none) => http://lwn.net/Vulnerabilities/686580/