Re: UPDATE: net/quagga-1.2.3

2018-02-16 Thread Stuart Henderson
On 2018/02/16 19:11, Gleydson Soares wrote:
> > yep, one of these is particularly nasty: use-after-free in a transitive
> > BGP attribute. this is one of those "one update message can kill all
> > quaggas on the internet" bugs.
> 
> i've backported the security patches to -stable

ah sorry for the dup work, I just committed Quagga-2018-1114 fix
to stable before I saw this ..

> potentially severe:
> "bgpd/security: Fix double free of unknown attribute"
> https://www.quagga.net/security/Quagga-2018-1114.txt
> 
> also fixes:
> https://www.quagga.net/security/Quagga-2018-1550.txt
> https://www.quagga.net/security/Quagga-2018-1975.txt 

I skipped those, could pull them across but they're relatively minor.

> the following is not needed for -stable, only affects >1.1.x
> https://www.quagga.net/security/Quagga-2018-0543.txt
> 
> OK?

> Index: Makefile
> ===
> RCS file: /cvs/ports/net/quagga/Makefile,v
> retrieving revision 1.52
> diff -u -p -r1.52 Makefile
> --- Makefile  27 Jun 2016 19:55:48 -  1.52
> +++ Makefile  16 Feb 2018 22:07:00 -
> @@ -3,7 +3,7 @@
>  COMMENT= multi-threaded routing daemon
>  
>  DISTNAME=quagga-1.0.20160315
> -REVISION=1
> +REVISION=2
>  CATEGORIES=  net
>  MASTER_SITES=http://download.savannah.gnu.org/releases/quagga/
>  EXTRACT_SUFX=.tar.xz
> Index: patches/patch-bgpd_bgp_attr_c
> ===
> RCS file: patches/patch-bgpd_bgp_attr_c
> diff -N patches/patch-bgpd_bgp_attr_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-bgpd_bgp_attr_c 16 Feb 2018 22:07:00 -
> @@ -0,0 +1,71 @@
> +$OpenBSD$
> +
> +Security issue: Quagga-2018-1114
> +See: https://www.quagga.net/security/Quagga-2018-1114.txt
> +
> +Index: bgpd/bgp_attr.c
> +--- bgpd/bgp_attr.c.orig
>  bgpd/bgp_attr.c
> +@@ -186,15 +186,17 @@ cluster_intern (struct cluster_list *cluster)
> + }
> + 
> + void
> +-cluster_unintern (struct cluster_list *cluster)
> ++cluster_unintern (struct cluster_list **cluster)
> + {
> +-  if (cluster->refcnt)
> +-cluster->refcnt--;
> ++  struct cluster_list *c = *cluster;
> ++  if (c->refcnt)
> ++c->refcnt--;
> + 
> +-  if (cluster->refcnt == 0)
> ++  if (c->refcnt == 0)
> + {
> +-  hash_release (cluster_hash, cluster);
> +-  cluster_free (cluster);
> ++  hash_release (cluster_hash, c);
> ++  cluster_free (c);
> ++  *cluster = NULL;
> + }
> + }
> + 
> +@@ -344,15 +346,18 @@ transit_intern (struct transit *transit)
> + }
> + 
> + void
> +-transit_unintern (struct transit *transit)
> ++transit_unintern (struct transit **transit)
> + {
> +-  if (transit->refcnt)
> +-transit->refcnt--;
> ++  struct transit *t = *transit;
> ++  
> ++  if (t->refcnt)
> ++t->refcnt--;
> + 
> +-  if (transit->refcnt == 0)
> ++  if (t->refcnt == 0)
> + {
> +-  hash_release (transit_hash, transit);
> +-  transit_free (transit);
> ++  hash_release (transit_hash, t);
> ++  transit_free (t);
> ++  *transit = NULL;
> + }
> + }
> + 
> +@@ -788,11 +793,11 @@ bgp_attr_unintern_sub (struct attr *attr)
> +   UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES));
> +   
> +   if (attr->extra->cluster)
> +-cluster_unintern (attr->extra->cluster);
> ++cluster_unintern (>extra->cluster);
> +   UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST));
> +   
> +   if (attr->extra->transit)
> +-transit_unintern (attr->extra->transit);
> ++transit_unintern (>extra->transit);
> + }
> + }
> + 
> Index: patches/patch-bgpd_bgp_attr_h
> ===
> RCS file: patches/patch-bgpd_bgp_attr_h
> diff -N patches/patch-bgpd_bgp_attr_h
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-bgpd_bgp_attr_h 16 Feb 2018 22:07:00 -
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +
> +Security issue: Quagga-2018-1114
> +See: https://www.quagga.net/security/Quagga-2018-1114.txt
> +
> +Index: bgpd/bgp_attr.h
> +--- bgpd/bgp_attr.h.orig
>  bgpd/bgp_attr.h
> +@@ -182,10 +182,10 @@ extern unsigned long int attr_unknown_count (void);
> + 
> + /* Cluster list prototypes. */
> + extern int cluster_loop_check (struct cluster_list *, struct in_addr);
> +-extern void cluster_unintern (struct cluster_list *);
> ++extern void cluster_unintern (struct cluster_list **);
> + 
> + /* Transit attribute prototypes. */
> +-void transit_unintern (struct transit *);
> ++void transit_unintern (struct transit **);
> + 
> + /* Below exported for unit-test purposes only */
> + struct bgp_attr_parser_args {
> Index: patches/patch-bgpd_bgp_debug_c
> ===
> RCS file: patches/patch-bgpd_bgp_debug_c
> diff -N patches/patch-bgpd_bgp_debug_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-bgpd_bgp_debug_c16 Feb 2018 22:07:00 

Re: UPDATE: net/quagga-1.2.3

2018-02-16 Thread Gleydson Soares
> yep, one of these is particularly nasty: use-after-free in a transitive
> BGP attribute. this is one of those "one update message can kill all
> quaggas on the internet" bugs.

i've backported the security patches to -stable

potentially severe:
"bgpd/security: Fix double free of unknown attribute"
https://www.quagga.net/security/Quagga-2018-1114.txt

also fixes:
https://www.quagga.net/security/Quagga-2018-1550.txt
https://www.quagga.net/security/Quagga-2018-1975.txt 

the following is not needed for -stable, only affects >1.1.x
https://www.quagga.net/security/Quagga-2018-0543.txt

OK?
Index: Makefile
===
RCS file: /cvs/ports/net/quagga/Makefile,v
retrieving revision 1.52
diff -u -p -r1.52 Makefile
--- Makefile27 Jun 2016 19:55:48 -  1.52
+++ Makefile16 Feb 2018 22:07:00 -
@@ -3,7 +3,7 @@
 COMMENT=   multi-threaded routing daemon
 
 DISTNAME=  quagga-1.0.20160315
-REVISION=  1
+REVISION=  2
 CATEGORIES=net
 MASTER_SITES=  http://download.savannah.gnu.org/releases/quagga/
 EXTRACT_SUFX=  .tar.xz
Index: patches/patch-bgpd_bgp_attr_c
===
RCS file: patches/patch-bgpd_bgp_attr_c
diff -N patches/patch-bgpd_bgp_attr_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-bgpd_bgp_attr_c   16 Feb 2018 22:07:00 -
@@ -0,0 +1,71 @@
+$OpenBSD$
+
+Security issue: Quagga-2018-1114
+See: https://www.quagga.net/security/Quagga-2018-1114.txt
+
+Index: bgpd/bgp_attr.c
+--- bgpd/bgp_attr.c.orig
 bgpd/bgp_attr.c
+@@ -186,15 +186,17 @@ cluster_intern (struct cluster_list *cluster)
+ }
+ 
+ void
+-cluster_unintern (struct cluster_list *cluster)
++cluster_unintern (struct cluster_list **cluster)
+ {
+-  if (cluster->refcnt)
+-cluster->refcnt--;
++  struct cluster_list *c = *cluster;
++  if (c->refcnt)
++c->refcnt--;
+ 
+-  if (cluster->refcnt == 0)
++  if (c->refcnt == 0)
+ {
+-  hash_release (cluster_hash, cluster);
+-  cluster_free (cluster);
++  hash_release (cluster_hash, c);
++  cluster_free (c);
++  *cluster = NULL;
+ }
+ }
+ 
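Review bot: cluster_unintern now dereferences *cluster unconditionally (c->refcnt right after "struct cluster_list *c = *cluster;"), so a second call on a slot this function has already set to NULL becomes a NULL dereference instead of a double free. The one caller visible in this patch checks attr->extra->cluster first, but the function is exported, so an early "if (c == NULL) return;" would make it safe for any caller; the same applies to transit_unintern in the next hunk. Separately, when refcnt is already 0 on entry the decrement is skipped but the object is still released, which is unchanged from the old code and worth confirming as intended.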
+@@ -344,15 +346,18 @@ transit_intern (struct transit *transit)
+ }
+ 
+ void
+-transit_unintern (struct transit *transit)
++transit_unintern (struct transit **transit)
+ {
+-  if (transit->refcnt)
+-transit->refcnt--;
++  struct transit *t = *transit;
++  
++  if (t->refcnt)
++t->refcnt--;
+ 
+-  if (transit->refcnt == 0)
++  if (t->refcnt == 0)
+ {
+-  hash_release (transit_hash, transit);
+-  transit_free (transit);
++  hash_release (transit_hash, t);
++  transit_free (t);
++  *transit = NULL;
+ }
+ }
+ 
+@@ -788,11 +793,11 @@ bgp_attr_unintern_sub (struct attr *attr)
+   UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES));
+   
+   if (attr->extra->cluster)
+-cluster_unintern (attr->extra->cluster);
++cluster_unintern (>extra->cluster);
+   UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST));
+   
+   if (attr->extra->transit)
+-transit_unintern (attr->extra->transit);
++transit_unintern (>extra->transit);
+ }
+ }
+ 
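Review bot: the two replacement call sites in bgp_attr_unintern_sub read "cluster_unintern (>extra->cluster);" and "transit_unintern (>extra->transit);" as posted, which is not valid C, and the inner file header after "--- bgpd/bgp_attr.c.orig" has lost its "+++" marker, so this copy of the patch was damaged somewhere between the tree and the list. The argument has to be the address of attr->extra->cluster (and of attr->extra->transit) to match the new pointer-to-pointer parameters; please check the file in the tree is intact and resend the diff as an attachment so that what gets reviewed is what gets committed.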
Index: patches/patch-bgpd_bgp_attr_h
===
RCS file: patches/patch-bgpd_bgp_attr_h
diff -N patches/patch-bgpd_bgp_attr_h
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-bgpd_bgp_attr_h   16 Feb 2018 22:07:00 -
@@ -0,0 +1,21 @@
+$OpenBSD$
+
+Security issue: Quagga-2018-1114
+See: https://www.quagga.net/security/Quagga-2018-1114.txt
+
+Index: bgpd/bgp_attr.h
+--- bgpd/bgp_attr.h.orig
 bgpd/bgp_attr.h
+@@ -182,10 +182,10 @@ extern unsigned long int attr_unknown_count (void);
+ 
+ /* Cluster list prototypes. */
+ extern int cluster_loop_check (struct cluster_list *, struct in_addr);
+-extern void cluster_unintern (struct cluster_list *);
++extern void cluster_unintern (struct cluster_list **);
+ 
+ /* Transit attribute prototypes. */
+-void transit_unintern (struct transit *);
++void transit_unintern (struct transit **);
+ 
+ /* Below exported for unit-test purposes only */
+ struct bgp_attr_parser_args {
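Review bot: both prototypes change from a single pointer to a pointer-to-pointer here, but the only callers updated in this backport are the two in bgp_attr_unintern_sub. Any other caller of cluster_unintern or transit_unintern in the 1.0.20160315 tree that still passes the object pointer will typically draw only an incompatible-pointer warning from the C compiler and then corrupt memory at run time, so grep the whole source tree for both names and build bgpd with that warning promoted to an error before committing to -stable.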
Index: patches/patch-bgpd_bgp_debug_c
===
RCS file: patches/patch-bgpd_bgp_debug_c
diff -N patches/patch-bgpd_bgp_debug_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-bgpd_bgp_debug_c  16 Feb 2018 22:07:00 -
@@ -0,0 +1,91 @@
+$OpenBSD$
+
+Security issue: Quagga-2018-1550
+See: https://www.quagga.net/security/Quagga-2018-1550.txt
+
+Index: bgpd/bgp_debug.c
+--- bgpd/bgp_debug.c.orig
 bgpd/bgp_debug.c
+@@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330
+ #include "log.h"
+ #include "sockunion.h"
+ #include "filter.h"
++#include "memory.h"
+ 
+ #include "bgpd/bgpd.h"
+ #include "bgpd/bgp_aspath.h"
+@@ -69,7 +70,8 @@ const struct message bgp_status_msg[] = 

Re: UPDATE: net/quagga-1.2.3

2018-02-16 Thread Stuart Henderson
On 2018/02/16 17:48, Gleydson Soares wrote:
> Here's an update for quagga-1.2.3. this release includes security fixes.

yep, one of these is particularly nasty: use-after-free in a transitive
BGP attribute. this is one of those "one update message can kill all
quaggas on the internet" bugs.

> OK?

please remove termcap from WANTLIB, then ok with me.

reminder to readers: I am still looking for positive or negative
reports about OSPF and RIP following simplification of the diff
to multicast that went in with the previous update.



UPDATE: net/quagga-1.2.3

2018-02-16 Thread Gleydson Soares
Here's an update for quagga-1.2.3. this release includes security fixes.

https://www.quagga.net/security/Quagga-2018-0543.txt
https://www.quagga.net/security/Quagga-2018-1114.txt
https://www.quagga.net/security/Quagga-2018-1550.txt
https://www.quagga.net/security/Quagga-2018-1975.txt

full changelog at:
https://savannah.nongnu.org/forum/forum.php?forum_id=9095

OK?

Index: Makefile
===
RCS file: /cvs/ports/net/quagga/Makefile,v
retrieving revision 1.56
diff -u -p -r1.56 Makefile
--- Makefile11 Jan 2018 19:27:07 -  1.56
+++ Makefile16 Feb 2018 20:39:11 -
@@ -2,8 +2,7 @@
 
 COMMENT=   multi-threaded routing daemon
 
-DISTNAME=  quagga-1.2.2
-REVISION=  1
+DISTNAME=  quagga-1.2.3
 CATEGORIES=net
 MASTER_SITES=  http://download.savannah.gnu.org/releases/quagga/
 
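Review bot: WANTLIB is not touched by this Makefile diff, whose only hunk is the DISTNAME and REVISION change at the top of the file. The reply in this thread asks for termcap to be removed from WANTLIB, so that needs an additional hunk before this goes in. Dropping REVISION together with the DISTNAME bump is correct for a version update.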
Index: distinfo
===
RCS file: /cvs/ports/net/quagga/distinfo,v
retrieving revision 1.22
diff -u -p -r1.22 distinfo
--- distinfo3 Nov 2017 14:28:43 -   1.22
+++ distinfo16 Feb 2018 20:39:11 -
@@ -1,2 +1,2 @@
-SHA256 (quagga-1.2.2.tar.gz) = Ui4i8r7uZOPwws3j0BVfO4ED9Pb8ir75LLQLw6TMKTE=
-SIZE (quagga-1.2.2.tar.gz) = 2986142
+SHA256 (quagga-1.2.3.tar.gz) = 7iwJB6EGkCq73K9jtPKMZyQcTzOWmJ7VTae0l27srTE=
+SIZE (quagga-1.2.3.tar.gz) = 2925444
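Review bot: the new SHA256 line is the only integrity check on quagga-1.2.3.tar.gz, because MASTER_SITES in the Makefile fetches over plain http://. For a release that exists to ship security fixes, confirm the hash against a tarball verified with upstream's release signature rather than relying on the checksum generated from whatever was downloaded, and say in the submission how it was verified.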
Index: patches/patch-configure_ac
===
RCS file: /cvs/ports/net/quagga/patches/patch-configure_ac,v
retrieving revision 1.6
diff -u -p -r1.6 patch-configure_ac
--- patches/patch-configure_ac  3 Nov 2017 14:28:43 -   1.6
+++ patches/patch-configure_ac  16 Feb 2018 20:39:11 -
@@ -6,7 +6,7 @@ ip_mreq.imr_interface.
 Index: configure.ac
 --- configure.ac.orig
 +++ configure.ac
-@@ -1053,7 +1053,7 @@ AC_CHECK_HEADERS([linux/mroute.h], [], [],
+@@ -1054,7 +1054,7 @@ AC_CHECK_HEADERS([linux/mroute.h], [], [],
  AC_MSG_CHECKING([for BSD struct ip_mreq hack])
  AC_TRY_COMPILE([#ifdef HAVE_SYS_PARAM_H
  #include