Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Quagga>
  3. Users
Re: [quagga-dev 16400] Re: Quagga CVE Released: CVE-2016-1245 (Fix in latest 1.0.20161017 release)
paul at jakma
Nov 16, 2016, 7:05 AM
Post #1 of 1 (458 views)
Permalink
On Tue, 15 Nov 2016, Alexis Rosen wrote:

> As far as I can tell, this is an editing error of some sort, and in
> fact you can NOT trigger the issue simply by having an IPv6 address
> reachable with an ICMP.

Ah, what's the basis for that? I looked at the code, and that security
claim seemed possible.

> Later in the advisory, it says:

>> Usage of Quagga without running the 'zebra' daemon, or no
>> IPv6 neighbor-discovery are not affected.
>
> A quick look at the code also suggests this is so, but my familiarity
> with this code is basically nil, and it would be very easy for me to
> get this wrong.

The code concerned is all the zebra daemon, so that's correct. The code
that reads the message is only enabled if the zebra RA/ND feature is.

Note, you could have the kernel IPv6 ND/SLAC enabled, and be fine - it's
about the zebra feature. That's also not 100% clear.

regards,
--
Paul Jakma | paul@jakma.org | @pjakma | Key ID: 0xD86BF79464A2FF6A
Fortune:
hardware stress fractures

_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-users

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal