Re: [quagga-users 14444] Quagga CVE Released: CVE-2016-1245 (Fix in latest 1.0.20161017 release)
On Oct 18, 2016, at 1:56 AM, Martin Winter <mwinter@opensourcerouting.org> wrote:
> Security Advisory: Quagga Buffer Overflow in IPv6 RA handling
> =============================================================
>
> [...] The issue can be triggered on an IPv6 address where the Quagga
> daemon is reachable by a RA (Router Advertisement or IPv6 ICMP message.

So... Nearly a month later, I'm deleting old mail and noticed this.

As far as I can tell, this is an editing error of some sort, and in fact you can NOT trigger the issue simply by having an IPv6 address reachable with an ICMP. Later in the advisory, it says:
> Usage of Quagga without running the 'zebra' daemon, or no
> IPv6 neighbor-discovery are not affected.

A quick look at the code also suggests this is so, but my familiarity with this code is basically nil, and it would be very easy for me to get this wrong.

Can someone who is certain please clarify? And maybe update the CVE so the sentence makes sense (and has balanced parentheses)?

Thanks.

/a
_______________________________________________
Quagga-dev mailing list
Quagga-dev@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-dev
Re: [quagga-users 14444] Quagga CVE Released: CVE-2016-1245 (Fix in latest 1.0.20161017 release)
On 14 Nov 2016, at 21:20, Alexis Rosen wrote:

> On Oct 18, 2016, at 1:56 AM, Martin Winter
> <mwinter@opensourcerouting.org> wrote:
>> Security Advisory: Quagga Buffer Overflow in IPv6 RA handling
>> =============================================================
>>
>> [...] The issue can be triggered on an IPv6 address where the Quagga
>> daemon is reachable by a RA (Router Advertisement or IPv6 ICMP
>> message.
>
> So... Nearly a month later, I'm deleting old mail and noticed this.
>
> As far as I can tell, this is an editing error of some sort, and in
> fact you can NOT trigger the issue simply by having an IPv6 address
> reachable with an ICMP.

How about this wording:

A buffer overflow exists in the IPv6 (Router Advertisement) code in
Zebra. The issue can be triggered on any interface with a reachable
IPv6 address by a RA (Router Advertisement) or IPv6 ICMP message.
The issue leads to a crash of the zebra daemon.

> Later in the advisory, it says:
>> Usage of Quagga without running the 'zebra' daemon, or no
>> IPv6 neighbor-discovery are not affected.

What this should say:
The issue is in the Zebra daemon. So you are safe without the Zebra daemon (i.e.
some users only using BGPd).
You are also safe if you have the IPv6 neighbor-discovery disabled.

So maybe just a missing comma?

Usage of Quagga without running the 'zebra' daemon, or no
IPv6 neighbor-discovery, are not affected.

> A quick look at the code also suggests this is so, but my familiarity
> with this code is basically nil, and it would be very easy for me to
> get this wrong.
>
> Can someone who is certain please clarify? And maybe update the CVE so
> the sentence makes sense (and has balanced parentheses)?

I’ll update if you can confirm that these 2 small rewrites clarify the
issue.

- Martin

Re: [quagga-users 14444] Quagga CVE Released: CVE-2016-1245 (Fix in latest 1.0.20161017 release)
On Tue, 15 Nov 2016, Alexis Rosen wrote:

> As far as I can tell, this is an editing error of some sort, and in
> fact you can NOT trigger the issue simply by having an IPv6 address
> reachable with an ICMP.

Ah, what's the basis for that? I looked at the code, and that security
claim seemed possible.

> Later in the advisory, it says:
>> Usage of Quagga without running the 'zebra' daemon, or no
>> IPv6 neighbor-discovery are not affected.
>
> A quick look at the code also suggests this is so, but my familiarity
> with this code is basically nil, and it would be very easy for me to
> get this wrong.

The code concerned is all the zebra daemon, so that's correct. The code
that reads the message is only enabled if the zebra RA/ND feature is.

Note, you could have the kernel IPv6 ND/SLAAC enabled, and be fine - it's
about the zebra feature. That's also not 100% clear.

regards,
--
Paul Jakma | paul@jakma.org | @pjakma | Key ID: 0xD86BF79464A2FF6A
Fortune:
hardware stress fractures

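The scoping above (only zebra, and only when zebra's own RA/ND feature is switched on, regardless of kernel ND) turns into a simple exposure check over a zebra.conf. This is an added illustration, not code from the thread or from Quagga; it assumes that RA is off per interface by default and is enabled with the interface-level command `no ipv6 nd suppress-ra`, and the sample configuration is constructed.

```python
"""Report which interfaces in a zebra.conf have IPv6 Router Advertisement
enabled, i.e. where zebra's RA/ND code path (the one the advisory scopes
the issue to) is actually in use. Kernel-side ND/SLAAC is irrelevant here.

Assumption (not stated in the thread): RA is suppressed per interface by
default and turned on with 'no ipv6 nd suppress-ra' inside the stanza.
"""
import re

# Constructed sample configuration for illustration only.
SAMPLE_ZEBRA_CONF = """\
hostname router
!
interface eth0
 ipv6 address 2001:db8::1/64
 no ipv6 nd suppress-ra
 ipv6 nd prefix 2001:db8::/64
!
interface eth1
 ipv6 address 2001:db8:1::1/64
!
interface lo
!
line vty
"""

RA_ENABLE_RE = re.compile(r"no\s+ipv6\s+nd\s+suppress-ra$")


def parse_interfaces(conf_text):
    """Return {interface_name: [indented stanza lines]} for each 'interface' block."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        if not raw.startswith(" "):  # top-level line: starts a stanza or ends one
            m = re.match(r"^interface\s+(\S+)\s*$", raw)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif current and raw.strip():
            blocks[current].append(raw.strip())
    return blocks


def ra_enabled_interfaces(conf_text):
    """Interfaces whose stanza enables RA, so zebra listens for RA/ND on them."""
    return sorted(name for name, lines in parse_interfaces(conf_text).items()
                  if any(RA_ENABLE_RE.match(l) for l in lines))


def zebra_ra_feature_active(conf_text):
    """True if any interface enables RA; otherwise the advisory says you're not affected."""
    return bool(ra_enabled_interfaces(conf_text))


if __name__ == "__main__":
    print("zebra RA/ND enabled on:", ra_enabled_interfaces(SAMPLE_ZEBRA_CONF) or "none")
```

A config with no `no ipv6 nd suppress-ra` line, or a deployment not running zebra at all, reports nothing and matches the "not affected" case in the advisory.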