
net-misc/quagga: revision bump
Backport the upstream security fix (CVE-2016-1245) for a stack overrun
in the IPv6 RA receive code of the zebra daemon.

Reported-by: Agostino Sarubbo <[email protected]>
Gentoo-Bug: 597410

Package-Manager: portage-2.3.2
Pinkbyte committed Oct 18, 2016
1 parent 05e75d8 commit 5a041e0
Showing 2 changed files with 185 additions and 0 deletions.
@@ -0,0 +1,48 @@
commit cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
Author: David Lamparter <[email protected]>
Date: Wed Aug 31 13:31:16 2016 +0200

zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)

The IPv6 RA code also receives ICMPv6 RS and RA messages.
Unfortunately, by bad coding practice, the buffer size specified on
receiving such messages mixed up 2 constants that in fact have
different values.

The code itself has:
#define RTADV_MSG_SIZE 4096
While BUFSIZ is system-dependent, in my case (x86_64 glibc):
/usr/include/_G_config.h:#define _G_BUFSIZ 8192
/usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
/usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ

FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them
have BUFSIZ == 1024.

As the latter is passed to the kernel on recvmsg(), it's possible to
overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
to any of the system's addresses (using fragmentation to get to 8k).

(The socket has filters installed limiting this to RS and RA packets,
but does not have a filter for source address or TTL.)

Issue discovered by trying to test other stuff, which randomly caused
the stack to be smaller than 8kB in that code location, which then
causes the kernel to report EFAULT (Bad address).

Signed-off-by: David Lamparter <[email protected]>
Reviewed-by: Donald Sharp <[email protected]>

diff --git a/zebra/rtadv.c b/zebra/rtadv.c
index d4ef1b8..2f62714 100644
--- a/zebra/rtadv.c
+++ b/zebra/rtadv.c
@@ -482,7 +482,7 @@ rtadv_read (struct thread *thread)
/* Register myself. */
rtadv_event (zvrf, RTADV_READ, sock);

- len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
+ len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);

if (len < 0)
{
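--- /dev/null
+++ b/net-misc/quagga/quagga-1.0.20160315-r4.ebuild
@@ -0,0 +1,137 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+CLASSLESS_BGP_PATCH=ht-20040304-classless-bgp.patch
+
+inherit autotools eutils flag-o-matic multilib pam readme.gentoo-r1 systemd user
+
+DESCRIPTION="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP"
+HOMEPAGE="http://quagga.net/"
+SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz
+bgpclassless? ( http://hasso.linux.ee/stuff/patches/quagga/${CLASSLESS_BGP_PATCH} )"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~s390 ~sparc ~x86"
+
+IUSE="bgpclassless caps doc elibc_glibc ipv6 multipath ospfapi pam +readline snmp tcp-zebra"
+
+COMMON_DEPEND="
+caps? ( sys-libs/libcap )
+snmp? ( net-analyzer/net-snmp )
+readline? (
+sys-libs/readline:0
+pam? ( sys-libs/pam )
+)
+!elibc_glibc? ( dev-libs/libpcre )"
+DEPEND="${COMMON_DEPEND}
+app-arch/xz-utils
+sys-apps/gawk
+sys-devel/libtool:2"
+RDEPEND="${COMMON_DEPEND}
+sys-apps/iproute2"
+
+PATCHES=(
+"${FILESDIR}/${PN}-0.99.22.4-ipctl-forwarding.patch"
+"${FILESDIR}/${P}-ripd-null-pointer-fix.patch"
+"${FILESDIR}/${P}-ospfd-dangling-pointer-fix.patch"
+"${FILESDIR}/${P}-bgpd-logging-fix.patch"
+"${FILESDIR}/${P}-zebra-ipv6-ra-overflow.patch"
+)
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS="Sample configuration files can be found in /usr/share/doc/${PF}/samples
+You have to create config files in /etc/quagga before
+starting one of the daemons.
+You can pass additional options to the daemon by setting the EXTRA_OPTS
+variable in their respective file in /etc/conf.d"
+
+pkg_setup() {
+enewgroup quagga
+enewuser quagga -1 -1 /var/empty quagga
+}
+
+src_prepare() {
+# Classless prefixes for BGP
+# http://hasso.linux.ee/doku.php/english:network:quagga
+use bgpclassless && eapply -p0 "${DISTDIR}/${CLASSLESS_BGP_PATCH}"
+
+epatch ${PATCHES[@]}
+eapply_user
+eautoreconf
+}
+
+src_configure() {
+append-flags -fno-strict-aliasing
+
+# do not build PDF docs
+export ac_cv_prog_PDFLATEX=no
+export ac_cv_prog_LATEXMK=no
+
+econf \
+--enable-exampledir=/usr/share/doc/${PF}/samples \
+--enable-irdp \
+--enable-isisd \
+--enable-isis-topology \
+--enable-pimd \
+--enable-user=quagga \
+--enable-group=quagga \
+--enable-vty-group=quagga \
+--with-cflags="${CFLAGS}" \
+--with-pkg-extra-version="-gentoo" \
+--sysconfdir=/etc/quagga \
+--localstatedir=/run/quagga \
+--disable-static \
+$(use_enable caps capabilities) \
+$(usex snmp '--enable-snmp' '' '' '') \
+$(use_enable !elibc_glibc pcreposix) \
+$(use_enable tcp-zebra) \
+$(use_enable doc) \
+$(usex multipath $(use_enable multipath) '' '=0' '') \
+$(usex ospfapi '--enable-opaque-lsa --enable-ospf-te --enable-ospfclient' '' '' '') \
+$(use_enable readline vtysh) \
+$(use_with pam libpam) \
+$(use_enable ipv6 ripngd) \
+$(use_enable ipv6 ospf6d) \
+$(use_enable ipv6 rtadv)
+}
+
+src_install() {
+default
+prune_libtool_files
+readme.gentoo_create_doc
+
+keepdir /etc/quagga
+fowners root:quagga /etc/quagga
+fperms 0770 /etc/quagga
+
+# Path for PIDs before first reboot should be created here, bug #558194
+dodir /run/quagga
+fowners quagga:quagga /run/quagga
+fperms 0770 /run/quagga
+
+# Install systemd-related stuff, bug #553136
+systemd_dotmpfilesd "${FILESDIR}/systemd/quagga.conf"
+systemd_dounit "${FILESDIR}/systemd/zebra.service"
+
+# install zebra as a file, symlink the rest
+newinitd "${FILESDIR}"/quagga-services.init.3 zebra
+
+for service in bgpd isisd ospfd pimd ripd $(use ipv6 && echo ospf6d ripngd); do
+dosym zebra /etc/init.d/${service}
+systemd_dounit "${FILESDIR}/systemd/${service}.service"
+done
+
+use readline && use pam && newpamd "${FILESDIR}/quagga.pam" quagga
+
+insinto /etc/logrotate.d
+newins redhat/quagga.logrotate quagga
+}
+
+pkg_postinst() {
+readme.gentoo_print_elog
+}
+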
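Review bot: `epatch ${PATCHES[@]}` in src_prepare expands the array unquoted, so the patch paths would be word-split if `FILESDIR` ever contained whitespace, and under EAPI=6 epatch is the legacy eutils helper rather than the native `eapply`. Since PATCHES is already declared as an array a few lines above, the two lines `epatch ${PATCHES[@]}` and `eapply_user` can be replaced by the single call `default`, which applies PATCHES with eapply and then runs eapply_user in the same order; the bgpclassless eapply before it and eautoreconf after it stay as written. A short comment on the PATCHES array, such as `# last entry backports the upstream CVE-2016-1245 zebra RA stack-overrun fix`, would also record which entry this revision bump exists for.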