Bugzilla – Bug 1079799
VUL-0: CVE-2018-5379: quagga: bgpd double free when processing UPDATE message
Last modified: 2020-05-12 18:14:04 UTC
Created attachment 759216 [details]
Quagga-2018-1114.diff

EMBARGOED via direct mail

CRD: not clear, 2018-02-12 or 2018-02-13

Quagga Security Note 2018-1114
==============================

https://www.quagga.net/security/Quagga-2018-1114.txt

Affects:
--------

- Likely to affect all versions of Quagga

Summary
-------

The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes.

Impact
------

Potentially severe.

This issue can be triggered by an optional/transitive UPDATE attribute, that all conforming eBGP speakers should pass along. This means this may be triggerable in many affected Quagga bgpd processes across a wide area of a network, because of just one UPDATE message.

This issue could result in a crash of bgpd, or even allow a remote attacker to gain control of an affected bgpd process.

Solution
--------

Upgrade to Quagga 1.2.3, or any other version with the appropriate patch applied, entitled:

"bgpd/security: Fix double free of unknown attribute"

Description
-----------

The issue is a double-free in bgp_attr_flush called from bgp_packet.c:bgp_update_receive. This can be triggered by a variety of BGP UPDATE messages, containing either a "CLUSTER_LIST" attribute (used in iBGP route-reflection) or an unknown attribute.

An unrecognised optional/transitive UPDATE attribute should be passed along by conforming BGP speakers, if the attribute is otherwise well-formed. Therefore this issue potentially can be triggered across a number of Quagga bgpd speakers, over a wide area of a network, by one BGP speaker sending an UPDATE.

Once this issue has been triggered the behaviour of bgpd is undefined. The internal state of the memory allocator may become corrupted, unless it has been designed to be robust to the double-free.

The memory allocator may catch the issue and crash the bgpd process in a controlled manner, otherwise the bgpd process could continue to run with invalid memory allocation state. It is possible an attacker could exploit the corrupted allocator state to gain control of the bgpd process. E.g., if the allocator stores the incorrectly double-freed memory twice on its internal free-list, then the allocator could return the same memory twice in further calls of malloc, and the attacker might be able to control the operation of one part of bgpd with data they supply that is stored in another.
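The free-list scenario the security note sketches (a chunk freed twice, then handed out twice, so two supposedly separate objects alias) is easy to reproduce against a toy allocator. The following is an added example written for this page, not Quagga code and not the Quagga patch; the allocator, its chunk layout and the names toy_malloc/toy_free_naive/toy_free_checked are all constructed for illustration. It also shows the cheapest check a free-list allocator can make (refuse to free the chunk that is already at the head of the list), which is the same kind of check a hardened production allocator uses to turn this bug into a controlled abort instead of silent corruption.

```c
/* Added example for this bug page, not Quagga code. A toy LIFO free-list
 * allocator, used to show what a double free does to allocator state and
 * how a head-of-list check catches the simplest case. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 64
#define NCHUNKS 8

/* Each chunk keeps its free-list link outside the user data area, so
 * writes to data never clobber 'next'; the aliasing alone causes the bug. */
struct chunk {
    struct chunk *next;
    char data[CHUNK_SIZE - sizeof(struct chunk *)];
};

static struct chunk pool[NCHUNKS];   /* constructed fixed-size arena */
static struct chunk *free_head;

/* Rebuild the free list so every chunk is available, pool[0] first. */
static void toy_reset(void)
{
    free_head = NULL;
    for (int i = NCHUNKS - 1; i >= 0; i--) {
        pool[i].next = free_head;
        free_head = &pool[i];
    }
}

/* Pop the head of the free list and hand its data area to the caller. */
static void *toy_malloc(void)
{
    struct chunk *c = free_head;
    if (c == NULL)
        return NULL;
    free_head = c->next;
    return c->data;
}

static struct chunk *chunk_of(void *p)
{
    return (struct chunk *)((char *)p - offsetof(struct chunk, data));
}

/* Naive free: trusts the caller and pushes the chunk back unconditionally.
 * Freeing the same pointer twice links the chunk to itself. */
static void toy_free_naive(void *p)
{
    struct chunk *c = chunk_of(p);
    c->next = free_head;
    free_head = c;
}

/* Checked free: refuse a chunk that is already the free-list head.
 * Returns 0 on success, -1 when a double free is detected. */
static int toy_free_checked(void *p)
{
    struct chunk *c = chunk_of(p);
    if (c == free_head)
        return -1;
    c->next = free_head;
    free_head = c;
    return 0;
}

/* The note's scenario with the naive allocator: an attribute buffer is
 * freed twice, and the next two allocations alias the same memory, so
 * data written through 'a' is visible through 'b'. Returns 1 if so. */
int demo_double_free_aliasing(void)
{
    toy_reset();
    char *attr = toy_malloc();
    strcpy(attr, "unknown-attr");
    toy_free_naive(attr);
    toy_free_naive(attr);            /* the bug: second free of 'attr' */
    char *a = toy_malloc();          /* allocator returns 'attr' ...   */
    char *b = toy_malloc();          /* ... and returns it again       */
    strcpy(a, "peer-supplied data");
    return (a == b) && strcmp(b, "peer-supplied data") == 0;
}

/* Same sequence with the checked free: the second free is rejected and the
 * two later allocations are distinct chunks. Returns 1 if so. */
int demo_double_free_detected(void)
{
    toy_reset();
    char *attr = toy_malloc();
    int first = toy_free_checked(attr);
    int second = toy_free_checked(attr);
    char *a = toy_malloc();
    char *b = toy_malloc();
    return first == 0 && second == -1 && a != b;
}

int main(void)
{
    printf("naive allocator aliases after double free: %d\n",
           demo_double_free_aliasing());
    printf("checked allocator rejects double free:     %d\n",
           demo_double_free_detected());
    return 0;
}
```

The head-of-list check only catches a free immediately followed by a free of the same pointer; interleave one unrelated free between the two (free A, free B, free A) and the naive and checked allocators behave the same, which is why real allocators add per-chunk state or key values on top of it. Whether the double free in bgpd is caught or silently survived therefore depends on the libc build the daemon runs against, exactly as the note says.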
CRD: 2018-02-15 21:30 UTC
Public at: https://www.kb.cert.org/vuls/id/940439 https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1114.txt
Please submit for openSUSE:Leap:42.3:Update/quagga
SUSE-SU-2018:0455-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1021669,1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2017-5495,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
SUSE OpenStack Cloud 6 (src): quagga-0.99.22.1-16.4.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): quagga-0.99.22.1-16.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): quagga-0.99.22.1-16.4.1
SUSE Linux Enterprise Server 12-LTSS (src): quagga-0.99.22.1-16.4.1
SUSE-SU-2018:0456-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): quagga-1.1.1-17.7.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): quagga-1.1.1-17.7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): quagga-1.1.1-17.7.1
SUSE Linux Enterprise Server 12-SP3 (src): quagga-1.1.1-17.7.1
SUSE Linux Enterprise Server 12-SP2 (src): quagga-1.1.1-17.7.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2018-02-23. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63979
CVE-2018-1000063 was marked as a duplicated CVE. The correct number is CVE-2018-5379.
SUSE-SU-2018:0457-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1021669,1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2017-5495,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Server 11-SP4 (src): quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): quagga-0.99.15-0.30.3.1
This is an autogenerated message for OBS integration:
This bug (1079799) was mentioned in
https://build.opensuse.org/request/show/577175 42.3 / quagga
https://build.opensuse.org/request/show/577176 Factory / quagga
openSUSE-SU-2018:0473-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
openSUSE Leap 42.3 (src): quagga-1.1.1-18.3.1
released