Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4C73C848.1030300@redhat.com>
Date: Tue, 24 Aug 2010 15:25:28 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
CC: oss-security <oss-security@...ts.openwall.com>,
        CERT-FI Vulnerability Co-ordination <vulncoord@...ora.fi>,
        Chris Hall <chris.hall@...hwayman.com>,
        Denis Ovsienko <infrastation@...dex.ru>
Subject: CVE Request -- Quagga (bgpd) [two ids] -- 1, Stack buffer overflow
 by processing crafted Refresh-Route msgs 2, NULL ptr deref by parsing certain
 AS paths by BGP update request

Hi Steve, vendors,

   Quagga upstream has released latest vQuagga 0.99.17 version, addressing two security flaws:

A, Stack buffer overflow by processing certain Route-Refresh messages

   A stack buffer overflow flaw was found in the way Quagga's bgpd daemon
   processed Route-Refresh messages. A configured Border Gateway Protocol
   (BGP) peer could send a Route-Refresh message with specially-crafted
   Outbound Route Filtering (ORF) record, which would cause the master BGP
   daemon (bgpd) to crash or, possibly, execute arbitrary code with the
   privileges of the user running bgpd.

   Upstream changeset:
   [1] http://code.quagga.net/?p=quagga.git;a=commit;h=d64379e8f3c0636df53ed08d5b2f1946cfedd0e3

   References:
   [2] https://bugzilla.redhat.com/show_bug.cgi?id=626783
   [3] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

B, DoS (crash) while processing certain BGP update AS path messages

   A NULL pointer dereference flaw was found in the way Quagga's bgpd daemon
   parsed paths of autonomous systems (AS). A configured BGP peer could send
   a BGP update AS path request with unknown AS type, which could lead to
   denial of service (bgpd daemon crash).

   Upstream changeset:
   [4] http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb

   References:
   [5] https://bugzilla.redhat.com/show_bug.cgi?id=626795
   [6] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

Could you allocate CVE ids for these?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.