On Oct 18, 2016, at 1:56 AM, Martin Winter <mwinter@opensourcerouting.org> wrote:
> Security Advisory: Quagga Buffer Overflow in IPv6 RA handling
> =============================================================
>
> [...] The issue can be triggered on an IPv6 address where the Quagga
> daemon is reachable by a RA (Router Advertisement or IPv6 ICMP message.
So... Nearly a month later, I'm deleting old mail and noticed this.
As far as I can tell, this is an editing error of some sort, and in fact you can NOT trigger the issue simply by having an IPv6 address reachable with an ICMP. Later in the advisory, it says:
> Usage of Quagga without running the 'zebra' daemon, or no
> IPv6 neighbor-discovery are not affected.
A quick look at the code also suggests this is so, but my familiarity with this code is basically nil, and it would be very easy for me to get this wrong.
Can someone who is certain please clarify? And maybe update the CVE so the sentence makes sense (and has balanced parentheses)?
Thanks.
/a
_______________________________________________
Quagga-dev mailing list
Quagga-dev@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-dev
> Security Advisory: Quagga Buffer Overflow in IPv6 RA handling
> =============================================================
>
> [...] The issue can be triggered on an IPv6 address where the Quagga
> daemon is reachable by a RA (Router Advertisement or IPv6 ICMP message.
So... Nearly a month later, I'm deleting old mail and noticed this.
As far as I can tell, this is an editing error of some sort, and in fact you can NOT trigger the issue simply by having an IPv6 address reachable with an ICMP. Later in the advisory, it says:
> Usage of Quagga without running the 'zebra' daemon, or no
> IPv6 neighbor-discovery are not affected.
A quick look at the code also suggests this is so, but my familiarity with this code is basically nil, and it would be very easy for me to get this wrong.
Can someone who is certain please clarify? And maybe update the CVE so the sentence makes sense (and has balanced parentheses)?
Thanks.
/a
_______________________________________________
Quagga-dev mailing list
Quagga-dev@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-dev