| Summary: | quagga new security issue CVE-2017-16227 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, jackal.j, marja11, sysadmin-bugs, wilcal.int |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-32-OK | ||
| Source RPM: | quagga-0.99.24.1-6.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description

David Walser 2017-10-30 23:41:07 CET

David Walser 2017-10-30 23:55:13 CET

Whiteboard: (none) => MGA6TOO, MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for quagga.

CC: (none) => marja11
Jack M 2017-11-02 10:20:29 CET

CC: (none) => jackal.j

Debian has issued an advisory for this on October 30: https://www.debian.org/security/2017/dsa-4011

I have submitted the latest version 1.2.2 to cauldron, which contains the patch. Will submit the patch for mga5 and mga6 later.

All submissions done. Assigning it to QA.

Suggested Advisory:
==============================

Updated quagga packages to resolve security vulnerabilities:

The bgpd daemon in the Quagga routing suite does not properly calculate the length of multi-segment AS_PATH UPDATE messages, causing bgpd to drop a session and potentially resulting in loss of network connectivity (CVE-2017-16227).

References:
====================
http://openwall.com/lists/oss-security/2017/10/30/4
https://www.debian.org/security/2017/dsa-4011
https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html
http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008

Updated packages in core/updates_testing:
--------------------------------------------------

RPMS:
quagga
quagga-contrib
lib(64)quagga0
lib(64)quagga-devel

SRPMs:
quagga.src.rpm

For Mageia 5 the version-release is 0.99.22.4-4.5
For Mageia 6 the version-release is 0.99.24.1-6.1
For Cauldron the version-release is 1.2.2-1

Assignee: jackal.j => qa-bugs
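The advisory in the comment above concerns how bgpd computes the length of an AS_PATH attribute that consists of several segments. The following Python is an added illustration of that length arithmetic, written for this page; it is not Quagga's code and is not taken from the referenced commit. It parses an AS_PATH attribute value segment by segment (RFC 4271 layout: one type byte, one count byte, then 2-byte or 4-byte AS numbers), sums the encoded size of all segments, reports whether the enclosing path attribute needs the Extended Length header form, and refuses truncated input rather than trusting a count byte. The sample byte strings are constructed here.

```python
"""Parse a multi-segment BGP AS_PATH attribute value and compute its
encoded length defensively (added example, not Quagga code)."""
import struct
from dataclasses import dataclass
from typing import List

# Segment type codes from RFC 4271 / RFC 5065.
AS_SET = 1
AS_SEQUENCE = 2
AS_CONFED_SEQUENCE = 3
AS_CONFED_SET = 4
VALID_SEGMENT_TYPES = {AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET}


class AsPathError(ValueError):
    """Raised for malformed or truncated AS_PATH data."""


@dataclass
class AsPathSegment:
    seg_type: int
    asns: List[int]

    def wire_size(self, asn_size: int) -> int:
        # 1 byte type + 1 byte count + asn_size bytes per AS number
        return 2 + asn_size * len(self.asns)


def _fmt(asn_size: int, count: int) -> str:
    return ">" + ("H" if asn_size == 2 else "I") * count


def parse_as_path(data: bytes, asn_size: int = 2) -> List[AsPathSegment]:
    """Split an AS_PATH attribute value into segments, bounds-checking
    every segment header against the bytes actually present."""
    if asn_size not in (2, 4):
        raise AsPathError("asn_size must be 2 (AS_PATH) or 4 (AS4_PATH)")
    segments: List[AsPathSegment] = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise AsPathError(f"truncated segment header at offset {offset}")
        seg_type, count = data[offset], data[offset + 1]
        offset += 2
        if seg_type not in VALID_SEGMENT_TYPES:
            raise AsPathError(f"unknown segment type {seg_type}")
        if count == 0:
            raise AsPathError("empty segment")
        body_len = count * asn_size
        if len(data) - offset < body_len:
            raise AsPathError(
                f"segment claims {count} ASNs but only "
                f"{len(data) - offset} bytes remain")
        asns = list(struct.unpack(_fmt(asn_size, count),
                                  data[offset:offset + body_len]))
        offset += body_len
        segments.append(AsPathSegment(seg_type, asns))
    return segments


def as_path_size(segments: List[AsPathSegment], asn_size: int = 2) -> int:
    """Encoded length of the whole path: the sum over all segments."""
    return sum(seg.wire_size(asn_size) for seg in segments)


def attribute_header_size(value_len: int) -> int:
    """Path attribute header is flags+type+len; the length field is one
    byte, or two bytes when the Extended Length flag must be set."""
    return 3 if value_len < 256 else 4


def encode_as_path(segments: List[AsPathSegment], asn_size: int = 2) -> bytes:
    out = bytearray()
    for seg in segments:
        if not 0 < len(seg.asns) <= 255:
            raise AsPathError("segment must hold 1..255 ASNs")
        out += bytes([seg.seg_type, len(seg.asns)])
        out += struct.pack(_fmt(asn_size, len(seg.asns)), *seg.asns)
    return bytes(out)


def is_well_formed(data: bytes, asn_size: int = 2) -> bool:
    try:
        parse_as_path(data, asn_size)
        return True
    except AsPathError:
        return False


# Constructed sample: AS_SEQUENCE [65001, 65002, 65003] then AS_SET [65010, 65011].
SAMPLE_AS_PATH = bytes.fromhex("0203fde9fdeafdeb0102fdf2fdf3")
# Constructed sample: header promises 3 ASNs but only one follows.
TRUNCATED_AS_PATH = bytes.fromhex("0203fde9")

if __name__ == "__main__":
    segs = parse_as_path(SAMPLE_AS_PATH)
    print(segs, as_path_size(segs), attribute_header_size(as_path_size(segs)))
    print("truncated well-formed?", is_well_formed(TRUNCATED_AS_PATH))
```

The point of `attribute_header_size` is that a long path spread across several segments can push the attribute value past 255 bytes, at which moment the header grows by one byte; a sender that miscounts either the per-segment size or the header size produces an UPDATE whose declared lengths disagree with its contents, and a conforming peer drops the session.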
David Walser 2017-11-04 16:41:24 CET

Version: Cauldron => 6
Lewis Smith 2017-11-05 13:46:14 CET

Keywords: (none) => advisory

MGA5-32 on Asus A6000VM Xfce

No installation issues. Followed bug 20271 Comment 1, but problems:

# systemctl start zebra
# systemctl start bgpd.service
# systemctl start ospfd
# systemctl start ripd
# systemctl start isisd
# systemctl start ripngd
# watchquagga zebra bgpd ospfd ospf6d ripd isisd ripngd
2017/11/07 16:19:40 NONE: watchquagga 0.99.22.4 watching [zebra bgpd ospfd ospf6d ripd isisd ripngd], mode [monitor]
2017/11/07 16:19:40 NONE: bgpd state -> down : initial connection attempt failed
2017/11/07 16:19:40 NONE: ripngd state -> down : initial connection attempt failed
2017/11/07 16:19:41 NONE: ospfd state -> down : initial connection attempt failed
2017/11/07 16:19:41 NONE: ospf6d state -> down : initial connection attempt failed
2017/11/07 16:19:41 NONE: zebra state -> up : connect succeeded
2017/11/07 16:19:41 NONE: ripd state -> down : initial connection attempt failed
2017/11/07 16:19:41 NONE: isisd state -> down : initial connection attempt failed

and subsequently

# systemctl start ospf6d

did not produce any quagga output, and

# netstat -tapnl | grep ':26'
tcp        0      0 0.0.0.0:2601      0.0.0.0:*      LISTEN      9298/zebra
tcp6       0      0 :::2601           :::*           LISTEN      9298/zebra

Found then in bug 20271 Comment 2 that editing is needed in /etc/quagga conf files. Found only zebra.conf (just my hostname in it) and vtysh.conf (empty); for all the others just the sample files. I will need some time to study this, but not right now.

CC: (none) => herman.viaene

Found tutorial on https://openmaniak.com/quagga_tutorial.php
First snag: there is /etc/quagga/daemons file in the installation. Had another look at the tutorial, but apparently it is not in line anymore with the current package. It installs cleanly, so OK enough.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test: quagga lib64quagga0

default install of quagga & lib64quagga0

[root@localhost wilcal]# urpmi quagga
Package quagga-0.99.22.4-4.4.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64quagga0
Package lib64quagga0-0.99.22.4-4.4.mga5.x86_64 is already installed

No errors on install

install quagga & lib64quagga0 from updates_testing

[root@localhost wilcal]# urpmi quagga
Package quagga-0.99.22.4-4.5.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64quagga0
Package lib64quagga0-0.99.22.4-4.5.mga5.x86_64 is already installed

No errors on update

CC: (none) => wilcal.int
William Kenney 2017-11-18 22:52:29 CET

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK

In VirtualBox, M6, Plasma, 32-bit

Package(s) under test: quagga libquagga0

default install of quagga & libquagga0

[root@localhost wilcal]# urpmi quagga
Package quagga-0.99.24.1-6.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libquagga0
Package libquagga0-0.99.24.1-6.mga6.i586 is already installed

No errors on install

install quagga & libquagga0 from updates_testing

[root@localhost wilcal]# urpmi quagga
Package quagga-0.99.24.1-6.1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi libquagga0
Package libquagga0-0.99.24.1-6.1.mga6.i586 is already installed

No errors on update

Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK

In VirtualBox, M6, Plasma, 64-bit

Package(s) under test: quagga lib64quagga0

default install of quagga & lib64quagga0

[root@localhost wilcal]# urpmi quagga
Package quagga-0.99.24.1-6.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64quagga0
Package lib64quagga0-0.99.24.1-6.mga6.x86_64 is already installed

No errors on install

install quagga & lib64quagga0 from updates_testing

[root@localhost wilcal]# urpmi quagga
Package quagga-0.99.24.1-6.1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64quagga0
Package lib64quagga0-0.99.24.1-6.1.mga6.x86_64 is already installed

No errors on update

We've tested this as best we can.
Testing complete for MGA5 & MGA6, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates. Thanks.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0416.html

Status: NEW => RESOLVED