Bug 2924 - Security issues on quagga: CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, CVE-2011-3326, CVE-2011-3327
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal normal
Assignee: QA Team
Keywords: validated_update
Reported: 2011-10-03 19:50 CEST by Nicolas Vigier
Modified: 2011-10-09 17:05 CEST
Source RPM: quagga

Comment 1 Manuel Hiebel 2011-10-03 19:59:33 CEST
(add the three committers of this package.)

CC: (none) => ennael1, misc, olav

Comment 2 Michael Scherer 2011-10-03 21:24:48 CEST
Ok, I take it.
/me is downloading patches one by one
Comment 3 Michael Scherer 2011-10-03 22:47:51 CEST
I pushed it to updates/testing. I just need to find an advisory text.
Comment 4 Dave Hodgins 2011-10-04 04:07:36 CEST
Do we have anyone who requested the package, who can help with testing it?
I've confirmed that it installs cleanly, but from the looks of it, that's
about all I can do.  I'll also post a request for testers to the general
discussion mailing list.

CC: (none) => davidwhodgins

Comment 5 Manuel Hiebel 2011-10-04 12:35:38 CEST
Assign to the QA (and remove the other people in CC)
quagga-0.99.18-1.1.mga1.src.rpm

CC: ennael1, olav => (none)
Assignee: bugsquad => qa-bugs

Comment 6 claire robinson 2011-10-04 13:01:09 CEST
I wonder if they could have helped? :P
Comment 7 Michael Scherer 2011-10-05 23:38:18 CEST
Quagga is quite a specialized piece of software, and if you do not have a router and a client, it's hard to test (i.e., you need 2 computers, one with 2 network cards, and some fairly advanced network knowledge). And I do not even mention testing the exploits, as this would require some specific code (but then would be fairly easy, just run the exploit and check if it crashes). (And yes, I still need an advisory.)
Comment 8 Dave Hodgins 2011-10-06 01:16:55 CEST
If I understand correctly, testing would require 4 computers, two of which
would have to have 2 nics.  The two nic systems would both be running quagga
to provide router functionality (the two nic systems are connected directly,
or via a switch, not a router), and the testing would require that the two
single nic systems are able to reach each other, by ip address, through the
two systems acting as routers.

The software is intended to be used by isps, on their systems connecting them
to their peers.

Even if we could find a user, that is actually using the program, convincing
them to run software from the updates_testing repository may not be easy,
even if it means they will later be running untested software from the updates
repository, effectively still running the tests for us.

This isn't a good situation, but we just don't have the hardware to test
it, and these are security updates.

For qa, I think we'll have to be satisfied with confirming that the software
installs (and uninstalls) ok, to confirm there are no missing rpm signatures,
etc.  That's done on i586.  Has it been done on x86-64?
Comment 9 Samuel Verschelde 2011-10-07 23:47:59 CEST
The update installs fine on x86_64. I'm not able to test further.

depcheck says there's no extra dep linking to do.

CC: (none) => stormi

Comment 10 Dave Hodgins 2011-10-08 00:34:45 CEST
Validating the update.

Can someone from the sysadmin team push the srpm
quagga-0.99.18-1.1.mga1.src.rpm
from Core Updates Testing to Core Updates

Advisory:
This security update to quagga fixes several vulnerabilities.

CVE-2011-3323 Quagga (ospf6d): Stack-based buffer overflow while decoding Link State Update packet with malformed Inter Area Prefix LSA

CVE-2011-3324 Quagga (ospf6d): Denial of service by decoding malformed Database Description packet headers

CVE-2011-3325 Quagga (ospfd): Denial of service by decoding too short Hello packet or Hello packet with invalid OSPFv2 header type

CVE-2011-3326 Quagga (ospfd): Denial of service by decoding Link State Update LSAs of unknown type

CVE-2011-3327 Quagga (bgpd): Heap-based buffer overflow by decoding BGP UPDATE message with unknown AS_PATH attributes

Note:  Due to lack of hardware, this security update has only been tested to
the point of confirming it installs cleanly.  Anyone with the knowledge
and resources to test this type of module is welcome to join the Mageia
QA Team, to help test future updates.
http://www.mageia.org/wiki/doku.php?id=qateam

https://bugs.mageia.org/show_bug.cgi?id=2924
Comment 11 Dave Hodgins 2011-10-08 00:53:38 CEST
Sorry, forgot to add sysadmin to cc list, and keyword.

Please see comment 10 for srpm/advisory.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 D Morgan 2011-10-08 23:34:16 CEST
update pushed.

Status: NEW => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED

Comment 13 Michael Scherer 2011-10-09 17:05:48 CEST
The problem is not lack of hardware, since this would work fine with just 2 virtual machines (you do not really need clients, you can look up routes using 'route' or 'ip route' to check everything is working, at least for a small setup). The problem is mainly a lack of time on the part of the few people that know quagga, and a lack of quagga knowledge for those that have time.
(And some people use quagga without being an ISP; for example, I do run it on my lan.)

Not to mention that testing that the security fixes are ok would require working exploits or a way to reproduce (or a consistent way, since I guess that sending lots of random packets might be sufficient to crash quagga, with enough luck).
