Backport upstream security fix for stack overrun in IPv6 RA receive code in zebra daemon. Reported-by: Agostino Sarubbo <[email protected]> Gentoo-Bug: 597410 Package-Manager: portage-2.3.2
Showing
2 changed files
with
185 additions
and
0 deletions.
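--- /dev/null
+++ b/net-misc/quagga/files/quagga-1.0.20160315-zebra-ipv6-ra-overflow.patch
@@ -0,0 +1,48 @@
+commit cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
+Author: David Lamparter <[email protected]>
+Date: Wed Aug 31 13:31:16 2016 +0200
+
+zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)
+
+The IPv6 RA code also receives ICMPv6 RS and RA messages.
+Unfortunately, by bad coding practice, the buffer size specified on
+receiving such messages mixed up 2 constants that in fact have
+different values.
+
+The code itself has:
+#define RTADV_MSG_SIZE 4096
+While BUFSIZ is system-dependent, in my case (x86_64 glibc):
+/usr/include/_G_config.h:#define _G_BUFSIZ 8192
+/usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
+/usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ
+
+FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them
+have BUFSIZ == 1024.
+
+As the latter is passed to the kernel on recvmsg(), it's possible to
+overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
+to any of the system's addresses (using fragmentation to get to 8k).
+
+(The socket has filters installed limiting this to RS and RA packets,
+but does not have a filter for source address or TTL.)
+
+Issue discovered by trying to test other stuff, which randomly caused
+the stack to be smaller than 8kB in that code location, which then
+causes the kernel to report EFAULT (Bad address).
+
+Signed-off-by: David Lamparter <[email protected]>
+Reviewed-by: Donald Sharp <[email protected]>
+
+diff --git a/zebra/rtadv.c b/zebra/rtadv.c
+index d4ef1b8..2f62714 100644
+--- a/zebra/rtadv.c
++++ b/zebra/rtadv.c
+@@ -482,7 +482,7 @@ rtadv_read (struct thread *thread)
+/* Register myself. */
+rtadv_event (zvrf, RTADV_READ, sock);
+
+- len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
++ len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);
+
+if (len < 0)
+{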
@@ -0,0 +1,137 @@ | ||
# Copyright 1999-2016 Gentoo Foundation | ||
# Distributed under the terms of the GNU General Public License v2 | ||
# $Id$ | ||
|
||
EAPI=6 | ||
|
||
CLASSLESS_BGP_PATCH=ht-20040304-classless-bgp.patch | ||
|
||
inherit autotools eutils flag-o-matic multilib pam readme.gentoo-r1 systemd user | ||
|
||
DESCRIPTION="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP" | ||
HOMEPAGE="http://quagga.net/" | ||
SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz | ||
bgpclassless? ( http://hasso.linux.ee/stuff/patches/quagga/${CLASSLESS_BGP_PATCH} )" | ||
|
||
LICENSE="GPL-2" | ||
SLOT="0" | ||
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~s390 ~sparc ~x86" | ||
|
||
IUSE="bgpclassless caps doc elibc_glibc ipv6 multipath ospfapi pam +readline snmp tcp-zebra" | ||
|
||
COMMON_DEPEND=" | ||
caps? ( sys-libs/libcap ) | ||
snmp? ( net-analyzer/net-snmp ) | ||
readline? ( | ||
sys-libs/readline:0 | ||
pam? ( sys-libs/pam ) | ||
) | ||
!elibc_glibc? ( dev-libs/libpcre )" | ||
DEPEND="${COMMON_DEPEND} | ||
app-arch/xz-utils | ||
sys-apps/gawk | ||
sys-devel/libtool:2" | ||
RDEPEND="${COMMON_DEPEND} | ||
sys-apps/iproute2" | ||
|
||
PATCHES=( | ||
"${FILESDIR}/${PN}-0.99.22.4-ipctl-forwarding.patch" | ||
"${FILESDIR}/${P}-ripd-null-pointer-fix.patch" | ||
"${FILESDIR}/${P}-ospfd-dangling-pointer-fix.patch" | ||
"${FILESDIR}/${P}-bgpd-logging-fix.patch" | ||
"${FILESDIR}/${P}-zebra-ipv6-ra-overflow.patch" | ||
) | ||
|
||
DISABLE_AUTOFORMATTING=1 | ||
DOC_CONTENTS="Sample configuration files can be found in /usr/share/doc/${PF}/samples | ||
You have to create config files in /etc/quagga before | ||
starting one of the daemons. | ||
You can pass additional options to the daemon by setting the EXTRA_OPTS | ||
variable in their respective file in /etc/conf.d" | ||
|
||
pkg_setup() { | ||
enewgroup quagga | ||
enewuser quagga -1 -1 /var/empty quagga | ||
} | ||
|
||
src_prepare() { | ||
# Classless prefixes for BGP | ||
# http://hasso.linux.ee/doku.php/english:network:quagga | ||
use bgpclassless && eapply -p0 "${DISTDIR}/${CLASSLESS_BGP_PATCH}" | ||
|
||
epatch ${PATCHES[@]} | ||
eapply_user | ||
eautoreconf | ||
} | ||
|
||
src_configure() { | ||
append-flags -fno-strict-aliasing | ||
|
||
# do not build PDF docs | ||
export ac_cv_prog_PDFLATEX=no | ||
export ac_cv_prog_LATEXMK=no | ||
|
||
econf \ | ||
--enable-exampledir=/usr/share/doc/${PF}/samples \ | ||
--enable-irdp \ | ||
--enable-isisd \ | ||
--enable-isis-topology \ | ||
--enable-pimd \ | ||
--enable-user=quagga \ | ||
--enable-group=quagga \ | ||
--enable-vty-group=quagga \ | ||
--with-cflags="${CFLAGS}" \ | ||
--with-pkg-extra-version="-gentoo" \ | ||
--sysconfdir=/etc/quagga \ | ||
--localstatedir=/run/quagga \ | ||
--disable-static \ | ||
$(use_enable caps capabilities) \ | ||
$(usex snmp '--enable-snmp' '' '' '') \ | ||
$(use_enable !elibc_glibc pcreposix) \ | ||
$(use_enable tcp-zebra) \ | ||
$(use_enable doc) \ | ||
$(usex multipath $(use_enable multipath) '' '=0' '') \ | ||
$(usex ospfapi '--enable-opaque-lsa --enable-ospf-te --enable-ospfclient' '' '' '') \ | ||
$(use_enable readline vtysh) \ | ||
$(use_with pam libpam) \ | ||
$(use_enable ipv6 ripngd) \ | ||
$(use_enable ipv6 ospf6d) \ | ||
$(use_enable ipv6 rtadv) | ||
} | ||
|
||
src_install() { | ||
default | ||
prune_libtool_files | ||
readme.gentoo_create_doc | ||
|
||
keepdir /etc/quagga | ||
fowners root:quagga /etc/quagga | ||
fperms 0770 /etc/quagga | ||
|
||
# Path for PIDs before first reboot should be created here, bug #558194 | ||
dodir /run/quagga | ||
fowners quagga:quagga /run/quagga | ||
fperms 0770 /run/quagga | ||
|
||
# Install systemd-related stuff, bug #553136 | ||
systemd_dotmpfilesd "${FILESDIR}/systemd/quagga.conf" | ||
systemd_dounit "${FILESDIR}/systemd/zebra.service" | ||
|
||
# install zebra as a file, symlink the rest | ||
newinitd "${FILESDIR}"/quagga-services.init.3 zebra | ||
|
||
for service in bgpd isisd ospfd pimd ripd $(use ipv6 && echo ospf6d ripngd); do | ||
dosym zebra /etc/init.d/${service} | ||
systemd_dounit "${FILESDIR}/systemd/${service}.service" | ||
done | ||
|
||
use readline && use pam && newpamd "${FILESDIR}/quagga.pam" quagga | ||
|
||
insinto /etc/logrotate.d | ||
newins redhat/quagga.logrotate quagga | ||
} | ||
|
||
pkg_postinst() { | ||
readme.gentoo_print_elog | ||
} |
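Review bot: The `epatch ${PATCHES[@]}` call in src_prepare is the deprecated eutils path under EAPI=6 and leaves the array expansion unquoted, so any patch path containing whitespace would be word-split; the EAPI 6 form is `eapply "${PATCHES[@]}"`, which also matches the `eapply -p0` call used for the bgpclassless patch two lines above. Plain `default` would apply PATCHES and run eapply_user too, but it would move the ebuild's patches ahead of the classless patch, so the explicit eapply keeps the current ordering while dropping the deprecated helper. Note also that the new overflow patch only touches zebra/rtadv.c, which is built under `$(use_enable ipv6 rtadv)`, so a USE=-ipv6 build does not compile the vulnerable receive path in the first place; the fix is still correctly applied unconditionally.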