Re: UPDATE: net/quagga-1.2.3
On 2018/02/16 19:11, Gleydson Soares wrote:
> > yep, one of these is particularly nasty: use-after-free in a transitive
> > BGP attribute. this is one of those "one update message can kill all
> > quaggas on the internet" bugs.
>
> i've backported the security patches to -stable

ah sorry for the dup work, I just committed Quagga-2018-1114 fix to
stable before I saw this ..

> potentially severe:
> "bgpd/security: Fix double free of unknown attribute"
> https://www.quagga.net/security/Quagga-2018-1114.txt
>
> also fixes:
> https://www.quagga.net/security/Quagga-2018-1550.txt
> https://www.quagga.net/security/Quagga-2018-1975.txt

I skipped those, could pull them across but they're relatively minor.

> the following is not needed for -stable, only affects >1.1.x
> https://www.quagga.net/security/Quagga-2018-0543.txt
>
> OK?
> Index: Makefile > === > RCS file: /cvs/ports/net/quagga/Makefile,v > retrieving revision 1.52 > diff -u -p -r1.52 Makefile > --- Makefile 27 Jun 2016 19:55:48 - 1.52 > +++ Makefile 16 Feb 2018 22:07:00 - > @@ -3,7 +3,7 @@ > COMMENT= multi-threaded routing daemon > > DISTNAME=quagga-1.0.20160315 > -REVISION=1 > +REVISION=2 > CATEGORIES= net > MASTER_SITES=http://download.savannah.gnu.org/releases/quagga/ > EXTRACT_SUFX=.tar.xz > Index: patches/patch-bgpd_bgp_attr_c > === > RCS file: patches/patch-bgpd_bgp_attr_c > diff -N patches/patch-bgpd_bgp_attr_c > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-bgpd_bgp_attr_c 16 Feb 2018 22:07:00 - 
> @@ -0,0 +1,71 @@ > +$OpenBSD$ > + > +Security issue: Quagga-2018-1114 > +See: https://www.quagga.net/security/Quagga-2018-1114.txt > + > +Index: bgpd/bgp_attr.c > +--- bgpd/bgp_attr.c.orig > bgpd/bgp_attr.c > +@@ -186,15 +186,17 @@ cluster_intern (struct cluster_list *cluster) > + } > + > + void > +-cluster_unintern (struct cluster_list *cluster) > ++cluster_unintern (struct cluster_list **cluster) > + { > +- if (cluster->refcnt) > +-cluster->refcnt--; > ++ struct cluster_list *c = *cluster; > ++ if (c->refcnt) > ++c->refcnt--; > + > +- if (cluster->refcnt == 0) > ++ if (c->refcnt == 0) > + { > +- hash_release (cluster_hash, cluster); > +- cluster_free (cluster); > ++ hash_release (cluster_hash, c); > ++ cluster_free (c); > ++ *cluster = NULL; > + } > + } > + > +@@ -344,15 +346,18 @@ transit_intern (struct transit *transit) > + } > + > + void > +-transit_unintern (struct transit *transit) > ++transit_unintern (struct transit **transit) > + { > +- if (transit->refcnt) > +-transit->refcnt--; > ++ struct transit *t = *transit; > ++ > ++ if (t->refcnt) > ++t->refcnt--; > + > +- if (transit->refcnt == 0) > ++ if (t->refcnt == 0) > + { > +- hash_release (transit_hash, transit); > +- transit_free (transit); > ++ hash_release (transit_hash, t); > ++ transit_free (t); > ++ *transit = NULL; > + } > + } > + > +@@ -788,11 +793,11 @@ bgp_attr_unintern_sub (struct attr *attr) > + UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES)); > + > + if (attr->extra->cluster) > +-cluster_unintern (attr->extra->cluster); > ++cluster_unintern (>extra->cluster); > + UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST)); > + > + if (attr->extra->transit) > +-transit_unintern (attr->extra->transit); > ++transit_unintern (>extra->transit); > + } > + } > + > Index: patches/patch-bgpd_bgp_attr_h > === > RCS file: patches/patch-bgpd_bgp_attr_h > diff -N patches/patch-bgpd_bgp_attr_h 
> --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-bgpd_bgp_attr_h 16 Feb 2018 22:07:00 - > @@ -0,0 +1,21 @@ > +$OpenBSD$ > + > +Security issue: Quagga-2018-1114 > +See: https://www.quagga.net/security/Quagga-2018-1114.txt > + > +Index: bgpd/bgp_attr.h > +--- bgpd/bgp_attr.h.orig > bgpd/bgp_attr.h > +@@ -182,10 +182,10 @@ extern unsigned long int attr_unknown_count (void); > + > + /* Cluster list prototypes. */ > + extern int cluster_loop_check (struct cluster_list *, struct in_addr); > +-extern void cluster_unintern (struct cluster_list *); > ++extern void cluster_unintern (struct cluster_list **); > + > + /* Transit attribute prototypes. */ > +-void transit_unintern (struct transit *); > ++void transit_unintern (struct transit **); > + > + /* Below exported for unit-test purposes only */ > + struct bgp_attr_parser_args { > Index: patches/patch-bgpd_bgp_debug_c > === > RCS file: patches/patch-bgpd_bgp_debug_c > diff -N patches/patch-bgpd_bgp_debug_c > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-bgpd_bgp_debug_c16 Feb 2018 22:07:00
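Review bot: In the bgp_attr_unintern_sub hunk the two updated call sites read "cluster_unintern (>extra->cluster);" and "transit_unintern (>extra->transit);", which is not valid C as shown. With the prototypes changed to take struct cluster_list ** and struct transit **, each call has to pass the address of the caller's slot, i.e. &attr->extra->cluster and &attr->extra->transit, otherwise the "*cluster = NULL" and "*transit = NULL" resets cannot clear the pointer held in attr->extra. Check that the patch file in the tree carries the "&attr-" prefix on both lines before building.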
Re: UPDATE: net/quagga-1.2.3
> yep, one of these is particularly nasty: use-after-free in a transitive
> BGP attribute. this is one of those "one update message can kill all
> quaggas on the internet" bugs.

i've backported the security patches to -stable

potentially severe:
"bgpd/security: Fix double free of unknown attribute"
https://www.quagga.net/security/Quagga-2018-1114.txt

also fixes:
https://www.quagga.net/security/Quagga-2018-1550.txt
https://www.quagga.net/security/Quagga-2018-1975.txt

the following is not needed for -stable, only affects >1.1.x
https://www.quagga.net/security/Quagga-2018-0543.txt

OK?

Index: Makefile === RCS file: /cvs/ports/net/quagga/Makefile,v retrieving revision 1.52 diff -u -p -r1.52 Makefile --- Makefile27 Jun 2016 19:55:48 - 1.52 +++ Makefile16 Feb 2018 22:07:00 - @@ -3,7 +3,7 @@ COMMENT= multi-threaded routing daemon DISTNAME= quagga-1.0.20160315 -REVISION= 1 +REVISION= 2 CATEGORIES=net MASTER_SITES= http://download.savannah.gnu.org/releases/quagga/ EXTRACT_SUFX= .tar.xz Index: patches/patch-bgpd_bgp_attr_c === RCS file: patches/patch-bgpd_bgp_attr_c diff -N patches/patch-bgpd_bgp_attr_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-bgpd_bgp_attr_c 16 Feb 2018 22:07:00 - 
@@ -0,0 +1,71 @@ +$OpenBSD$ + +Security issue: Quagga-2018-1114 +See: https://www.quagga.net/security/Quagga-2018-1114.txt + +Index: bgpd/bgp_attr.c +--- bgpd/bgp_attr.c.orig bgpd/bgp_attr.c +@@ -186,15 +186,17 @@ cluster_intern (struct cluster_list *cluster) + } + + void +-cluster_unintern (struct cluster_list *cluster) ++cluster_unintern (struct cluster_list **cluster) + { +- if (cluster->refcnt) +-cluster->refcnt--; ++ struct cluster_list *c = *cluster; ++ if (c->refcnt) ++c->refcnt--; + +- if (cluster->refcnt == 0) ++ if (c->refcnt == 0) + { +- hash_release (cluster_hash, cluster); +- cluster_free (cluster); ++ hash_release (cluster_hash, c); ++ cluster_free (c); ++ *cluster = NULL; + } + } + +@@ -344,15 +346,18 @@ transit_intern (struct transit *transit) + } + + void +-transit_unintern (struct transit *transit) ++transit_unintern (struct transit **transit) + { +- if (transit->refcnt) +-transit->refcnt--; ++ struct transit *t = *transit; ++ ++ if (t->refcnt) ++t->refcnt--; + +- if (transit->refcnt == 0) ++ if (t->refcnt == 0) + { +- hash_release (transit_hash, transit); +- transit_free (transit); ++ hash_release (transit_hash, t); ++ transit_free (t); ++ *transit = NULL; + } + } + +@@ -788,11 +793,11 @@ bgp_attr_unintern_sub (struct attr *attr) + UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_EXT_COMMUNITIES)); + + if (attr->extra->cluster) +-cluster_unintern (attr->extra->cluster); ++cluster_unintern (>extra->cluster); + UNSET_FLAG(attr->flag, ATTR_FLAG_BIT (BGP_ATTR_CLUSTER_LIST)); + + if (attr->extra->transit) +-transit_unintern (attr->extra->transit); ++transit_unintern (>extra->transit); + } + } + Index: patches/patch-bgpd_bgp_attr_h === RCS file: patches/patch-bgpd_bgp_attr_h diff -N patches/patch-bgpd_bgp_attr_h --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-bgpd_bgp_attr_h 16 Feb 2018 22:07:00 - 
@@ -0,0 +1,21 @@ +$OpenBSD$ + +Security issue: Quagga-2018-1114 +See: https://www.quagga.net/security/Quagga-2018-1114.txt + +Index: bgpd/bgp_attr.h +--- bgpd/bgp_attr.h.orig bgpd/bgp_attr.h +@@ -182,10 +182,10 @@ extern unsigned long int attr_unknown_count (void); + + /* Cluster list prototypes. */ + extern int cluster_loop_check (struct cluster_list *, struct in_addr); +-extern void cluster_unintern (struct cluster_list *); ++extern void cluster_unintern (struct cluster_list **); + + /* Transit attribute prototypes. */ +-void transit_unintern (struct transit *); ++void transit_unintern (struct transit **); + + /* Below exported for unit-test purposes only */ + struct bgp_attr_parser_args { Index: patches/patch-bgpd_bgp_debug_c === RCS file: patches/patch-bgpd_bgp_debug_c diff -N patches/patch-bgpd_bgp_debug_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-bgpd_bgp_debug_c 16 Feb 2018 22:07:00 - @@ -0,0 +1,91 @@ +$OpenBSD$ + +Security issue: Quagga-2018-1550 +See: https://www.quagga.net/security/Quagga-2018-1550.txt + +Index: bgpd/bgp_debug.c +--- bgpd/bgp_debug.c.orig bgpd/bgp_debug.c +@@ -29,6 +29,7 @@ Software Foundation, Inc., 59 Temple Place - Suite 330 + #include "log.h" + #include "sockunion.h" + #include "filter.h" ++#include "memory.h" + + #include "bgpd/bgpd.h" + #include "bgpd/bgp_aspath.h" +@@ -69,7 +70,8 @@ const struct message bgp_status_msg[] =
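Review bot: cluster_unintern and transit_unintern in the bgp_attr.c hunks now load *cluster and *transit into a local and read refcnt with no NULL check, so a second call on a slot that the first call already reset to NULL would dereference NULL rather than do nothing. The two callers visible in bgp_attr_unintern_sub guard with "if (attr->extra->cluster)" and "if (attr->extra->transit)", but both functions are exported through bgp_attr.h, so an early return when the local is NULL, or a comment stating the non-NULL precondition, would make the contract explicit. Only those two call sites are updated in the visible hunks; since passing a struct transit * where a struct transit ** is expected can build with just a warning in C, it is worth grepping the tree for any remaining callers of either function.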
Re: UPDATE: net/quagga-1.2.3
On 2018/02/16 17:48, Gleydson Soares wrote:
> Here's an update for quagga-1.2.3. this release includes security fixes.

yep, one of these is particularly nasty: use-after-free in a transitive
BGP attribute. this is one of those "one update message can kill all
quaggas on the internet" bugs.

> OK?

please remove termcap from WANTLIB, then ok with me.

reminder to readers: I am still looking for positive or negative reports
about OSPF and RIP following simplification of the diff to multicast
that went in with the previous update.
UPDATE: net/quagga-1.2.3
Here's an update for quagga-1.2.3. this release includes security fixes.

https://www.quagga.net/security/Quagga-2018-0543.txt
https://www.quagga.net/security/Quagga-2018-1114.txt
https://www.quagga.net/security/Quagga-2018-1550.txt
https://www.quagga.net/security/Quagga-2018-1975.txt

full changelog at:
https://savannah.nongnu.org/forum/forum.php?forum_id=9095

OK?

Index: Makefile === RCS file: /cvs/ports/net/quagga/Makefile,v retrieving revision 1.56 diff -u -p -r1.56 Makefile --- Makefile11 Jan 2018 19:27:07 - 1.56 +++ Makefile16 Feb 2018 20:39:11 - @@ -2,8 +2,7 @@ COMMENT= multi-threaded routing daemon -DISTNAME= quagga-1.2.2 -REVISION= 1 +DISTNAME= quagga-1.2.3 CATEGORIES=net MASTER_SITES= http://download.savannah.gnu.org/releases/quagga/ Index: distinfo === RCS file: /cvs/ports/net/quagga/distinfo,v retrieving revision 1.22 diff -u -p -r1.22 distinfo --- distinfo3 Nov 2017 14:28:43 - 1.22 +++ distinfo16 Feb 2018 20:39:11 - @@ -1,2 +1,2 @@ -SHA256 (quagga-1.2.2.tar.gz) = Ui4i8r7uZOPwws3j0BVfO4ED9Pb8ir75LLQLw6TMKTE= -SIZE (quagga-1.2.2.tar.gz) = 2986142 +SHA256 (quagga-1.2.3.tar.gz) = 7iwJB6EGkCq73K9jtPKMZyQcTzOWmJ7VTae0l27srTE= +SIZE (quagga-1.2.3.tar.gz) = 2925444 Index: patches/patch-configure_ac === RCS file: /cvs/ports/net/quagga/patches/patch-configure_ac,v retrieving revision 1.6 diff -u -p -r1.6 patch-configure_ac --- patches/patch-configure_ac 3 Nov 2017 14:28:43 - 1.6 +++ patches/patch-configure_ac 16 Feb 2018 20:39:11 - @@ -6,7 +6,7 @@ ip_mreq.imr_interface. Index: configure.ac --- configure.ac.orig +++ configure.ac -@@ -1053,7 +1053,7 @@ AC_CHECK_HEADERS([linux/mroute.h], [], [], +@@ -1054,7 +1054,7 @@ AC_CHECK_HEADERS([linux/mroute.h], [], [], AC_MSG_CHECKING([for BSD struct ip_mreq hack]) AC_TRY_COMPILE([#ifdef HAVE_SYS_PARAM_H #include
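Review bot: The Makefile hunk changes only DISTNAME and drops REVISION, and no WANTLIB line is touched anywhere in the visible diff, so the termcap removal requested in the reply still has to be folded in before commit. In the distinfo hunk, the new SHA256 for quagga-1.2.3.tar.gz is the only integrity check on a tarball that MASTER_SITES fetches over plain http, so it is worth confirming that value against an independently obtained copy of the release rather than only the file that was just downloaded.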