Bug 1079800 - (CVE-2018-5380) VUL-1: CVE-2018-5380: quagga: bgpd code-to-string conversion tables overrun
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low; Severity: Minor
Assigned To: Security Team bot
CVSSv3:RedHat:CVE-2018-5380:4.3:(AV:N...
Reported: 2018-02-07 11:01 UTC by Andreas Stieger
Modified: 2018-12-16 07:43 UTC
Found By: Security Response Team

Description Andreas Stieger 2018-02-07 11:01:24 UTC
Created attachment 759217
Quagga-2018-1550.diff

EMBARGOED via direct mail
CRD: not clear, 2018-02-12 or 2018-02-13

Quagga Security Note 2018-1550
==============================

https://www.quagga.net/security/Quagga-2018-1550.txt


Affects:
--------

All versions of Quagga.


Summary
-------

The Quagga BGP daemon, bgpd, can overrun internal BGP code-to-string
conversion tables used for debug by 1 pointer value, based on input.


Impact
------

The impact is thought to be very low. The bgpd daemon likely will continue
running. Warning and debug messages in the logs may contain arbitrary bytes.

The issue can only be triggered by a configured peer, if there is sufficient
transport security.


Solution
--------

Upgrade to Quagga version 1.2.3, or any version with the fix applied. The
fix is git commit:

  "bgpd/security: debug print of received NOTIFY data can over-read msg array"


Description
------------

The bgpd daemon contains a number of tables to convert BGP code-points to
string representations. These tables are used for logging debug and warning
messages if a NOTIFY is sent.

The lookup into the conversion table used a bound on the size that was 1
greater than the actual size of the table. This allowed the lookup to read 1
pointer past the end of the array, if a lookup was made with an unknown
code-point from a BGP message.
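
The off-by-one bound described in the note above, as an added C example that is not Quagga's code and not part of the original report. The struct, the names and the constructed fifth slot (standing in for whatever memory follows the real table) are assumptions made so the over-read stays well-defined here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical table layout; names are not taken from Quagga. */
struct code_str { int code; const char *str; };

/* Constructed data: slots 0..3 are the real table, slot 4 stands in for
 * adjacent memory that an over-long bound would expose. */
static const struct code_str backing[] = {
    { 1, "Message Header Error" },
    { 2, "OPEN Message Error" },
    { 3, "UPDATE Message Error" },
    { 4, "Hold Timer Expired" },
    { 200, "<adjacent memory>" },
};
#define REAL_COUNT 4u                 /* entries that belong to the table */
#define WRONG_MAX  (REAL_COUNT + 1u)  /* weak: hand-kept bound, off by one */

/* Linear lookup bounded by max; *last (if non-NULL) gets the highest index read. */
static const char *lookup(const struct code_str *t, size_t max, int code,
                          size_t *last)
{
    for (size_t i = 0; i < max; i++) {
        if (last)
            *last = i;
        if (t[i].code == code)
            return t[i].str;
    }
    return "Unknown";
}

/* 1 if a lookup for code, bounded by max, reads past the real table. */
static int overreads(size_t max, int code)
{
    size_t last = 0;
    lookup(backing, max, code, &last);
    return last >= REAL_COUNT;
}

int main(void)
{
    printf("known code, wrong bound:   overread=%d\n", overreads(WRONG_MAX, 2));
    printf("unknown code, wrong bound: overread=%d\n", overreads(WRONG_MAX, 7));
    printf("unknown code, right bound: overread=%d\n", overreads(REAL_COUNT, 7));
    printf("logged string, wrong bound: %s\n", lookup(backing, WRONG_MAX, 200, NULL));
    return 0;
}
```

A known code-point returns before the search reaches the extra slot, which is why only unknown code-points trigger the over-read; deriving the bound from the array (`sizeof table / sizeof table[0]`) removes the hand-kept constant.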
Comment 8 Andreas Stieger 2018-02-15 10:27:45 UTC
CRD: 2018-02-15 21:30 UTC
Comment 11 Andreas Stieger 2018-02-15 23:26:33 UTC
Please submit for openSUSE:Leap:42.3:Update/quagga
Comment 12 Swamp Workflow Management 2018-02-16 05:09:42 UTC
SUSE-SU-2018:0455-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1021669,1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2017-5495,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
SUSE OpenStack Cloud 6 (src):    quagga-0.99.22.1-16.4.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    quagga-0.99.22.1-16.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    quagga-0.99.22.1-16.4.1
SUSE Linux Enterprise Server 12-LTSS (src):    quagga-0.99.22.1-16.4.1
Comment 13 Swamp Workflow Management 2018-02-16 05:10:50 UTC
SUSE-SU-2018:0456-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    quagga-1.1.1-17.7.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    quagga-1.1.1-17.7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    quagga-1.1.1-17.7.1
SUSE Linux Enterprise Server 12-SP3 (src):    quagga-1.1.1-17.7.1
SUSE Linux Enterprise Server 12-SP2 (src):    quagga-1.1.1-17.7.1
Comment 14 Swamp Workflow Management 2018-02-16 06:23:34 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-02-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63979
Comment 15 Swamp Workflow Management 2018-02-16 08:09:10 UTC
SUSE-SU-2018:0457-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1021669,1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2017-5495,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    quagga-0.99.15-0.30.3.1
Comment 16 Swamp Workflow Management 2018-02-16 09:40:22 UTC
This is an autogenerated message for OBS integration:
This bug (1079800) was mentioned in
https://build.opensuse.org/request/show/577175 42.3 / quagga
https://build.opensuse.org/request/show/577176 Factory / quagga
Comment 18 Swamp Workflow Management 2018-02-19 14:14:24 UTC
openSUSE-SU-2018:0473-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
openSUSE Leap 42.3 (src):    quagga-1.1.1-18.3.1
Comment 19 Marcus Meissner 2018-02-19 19:52:15 UTC
released