doc/security: Security announcements for 4 issues

* doc/security/Quagga-2018-0543.txt: attr_endp used for NOTIFY data
* doc/security/Quagga-2018-1114.txt: bgpd double free
* doc/security/Quagga-2018-1550.txt: debug overrun in notify lookup tables
* doc/security/Quagga-2018-1975.txt: BGP capability inf. loop

doc/security/Quagga-2018-0543.txt

@@ -0,0 +1,72 @@
+Quagga Security Note 2018-0543
+==============================
+
+https://www.quagga.net/security/Quagga-2018-0543.txt
+
+
+Affects:
+--------
+
+Quagga versions: 
+- 1.1.0
+- 1.1.1
+- 1.2.0
+- 1.2.1
+- 1.2.2
+
+Summary
+-------
+
+The Quagga BGP daemon, bgpd, does not properly bounds check the data
+sent with a NOTIFY to a peer, if an attribute length is invalid. 
+Arbitrary data from the bgpd process may be sent over the network to a
+peer and/or it may crash.
+
+
+Impact
+------
+
+Sensitive data from the bgpd process may be sent over the network to a
+configured peer.  The bgpd process may or may not crash.
+
+
+Solution
+--------
+
+Upgrade Quagga to a version containing the fix.  E.g., Quagga version
+1.2.3.
+
+Description
+------------
+
+When bgpd receives an UPDATE with invalid attribute length, the invalid
+length is correctly checked, and detected as such, and a NOTIFY
+prepared to terminate the session.  According to the BGP protocol, the
+NOTIFY message may include the incorrect received data with the NOTIFY,
+for debug purposes.  Commit c69698704806a9ac5 modified the bgpd code to
+do that just, and also send the malformed attr with the NOTIFY. 
+However, the invalid attribute length was used as the length of the
+data to send back.
+
+The result is a read past the end of data, which is then written to the
+NOTIFY message and sent to the peer.
+
+A configured BGP peer can use this bug to read up to 64 KiB of memory from
+the bgpd process, or crash the process if the invalid read is caught by
+some means (unmapped page and SEGV, or other mechanism) resulting in a
+DoS.
+
+This bug _ought_ /not/ be exploitable by anything other than the connected
+BGP peer.  For no BGP peer should send on an UPDATE with this attribute. 
+Quagga will not, as Quagga always validates the attr header length,
+regardless of type.
+
+However, it is possible that there are BGP implementations that do not
+check lengths on some attributes (e.g.  optional/transitive ones of a type
+they do not recognise), and might pass such malformed attrs on.  If such
+implementations exists and are common, then this bug might be triggerable
+by BGP speakers further hops away.  Those peers will not receive the
+NOTIFY (unless they sit on a shared medium), however they might then be
+able to trigger a DoS.
+
+The code fix is to use the valid bound to calculate the length.

doc/security/Quagga-2018-1114.txt

@@ -0,0 +1,65 @@
+Quagga Security Note 2018-1114
+==============================
+
+https://www.quagga.net/security/Quagga-2018-1114.txt
+
+
+Affects:
+--------
+
+- Likely to affect all versions of Quagga
+
+Summary
+-------
+
+The Quagga BGP daemon, bgpd, can double-free memory when processing
+certain forms of UPDATE message, containing cluster-list and/or unknown
+attributes.
+
+Impact
+------
+
+Potentially severe.
+
+This issue can be triggered by an optional/transitive UPDATE attribute, that
+all conforming eBGP speakers should pass along.  This means this may
+triggerable in many affected Quagga bgpd processes across a wide area of a
+network, because of just one UPDATE message.
+
+This issue could result in a crash of bgpd, or even allow a remote
+attacker to gain control of an affected bgpd process.
+
+Solution
+--------
+
+Upgrade to Quagga 1.2.3, or any other version with the appropriate
+patch applied, entitled:
+
+  "bgpd/security: Fix double free of unknown attribute"
+
+Description
+------------
+
+The issue is a double-free in bgp_attr_flush called from
+bgp_packet.c:bgp_update_receive. This can be triggered by a variety of
+BGP UPDATE messages, containing either a "CLUSTER_LIST" attribute (used
+in iBGP route-reflection) or an unknown attribute.
+
+An unrecognised optional/transitive UPDATE attribute should be passed along
+by conforming BGP speakers, if the attribute is otherwise well-formed. 
+Therefore this issue potentially can be triggered across a number of Quagga
+bgpd speakers, over a wide area of a network, by one BGP speaker sending an
+UPDATE.
+
+Once this issue has been triggered the behaviour of bgpd is undefined.  The
+internal state of the memory allocator may become corrupted, unless it has
+been designed to be robust to the double-free.  The memory allocator may
+catch the issue and crash the bgpd process in a controlled manner, otherwise
+bgpd process could continue to run with invalid memory allocation state.
+
+It is possible an attacker could exploit the corrupted allocator state to
+gain control of the bgpd process.  E.g., if the allocator stores the
+incorrectly double-freed memory twice on its internal free-list, then the
+allocator could return the same memory twice in further calls of malloc, and
+the attacker might be able to control the operation of one part of bgpd with
+data they supply that is stored in another.

doc/security/Quagga-2018-1550.txt

@@ -0,0 +1,50 @@
+Quagga Security Note 2018-1550
+==============================
+
+https://www.quagga.net/security/Quagga-2018-1550.txt
+
+
+Affects:
+--------
+
+All versions of Quagga.
+
+
+Summary
+-------
+
+The Quagga BGP daemon, bgpd, can overrun internal BGP code-to-string
+conversion tables used for debug by 1 pointer value, based on input.
+
+
+Impact
+------
+
+The impact is thought to be very low. The bgpd daemon likely will continue
+running. Warning and debug messages in the logs may contain arbitrary bytes.
+
+The issue can only be triggered by a configured peer, if there is sufficient
+transport security.
+
+
+Solution
+--------
+
+Upgrade to Quagga version 1.2.3, or any version with the fix applied. The
+fix is git commit:
+
+  "bgpd/security: debug print of received NOTIFY data can over-read msg array"
+
+
+Description
+------------
+
+The bgpd daemon contains a number of tables to convert BGP code-points to
+string representations. These tables are used for logging debug and warning
+messages if a NOTIFY is sent.
+
+The lookup into the conversion table used a bound on the size that was 1
+greater than the actual size of the table. This allowed the lookup to read 1
+pointer past the end of the array, if a lookup was made with an unknown
+code-point from a BGP message.
+

doc/security/Quagga-2018-1975.txt

@@ -0,0 +1,68 @@
+Quagga Security Note 2018-1975
+==============================
+
+https://www.quagga.net/security/Quagga-2018-1975.txt
+
+
+Affects:
+--------
+
+- Quagga version 0.99.9, and all later versions
+- All versions, if the "override-capability" neighbour option is set (not
+  the default).
+
+
+Summary
+-------
+
+The Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid
+OPEN message by a configured peer.
+
+
+Impact
+------
+
+This problem is triggerable by packets from a configured peer.  
+
+When triggered, the bgpd daemon enters an infinite loop and cease to respond
+to any other events.  BGP sessions will drop and not be reestablished.  The
+CLI interface will be unresponsive.  The bgpd daemon will stay in this state
+until it is restarted.
+
+
+Solution
+--------
+
+Upgrade to Quagga version 1.2.3 or later, or apply the fix from commit:
+
+  "bgpd/security: fix infinite loop on certain invalid OPEN messages"
+
+Until then, the problem can be mitigated by enabling watchquagga and
+ensuring that it monitors bgpd and restarts it if it ceases to be
+responsive.
+
+Disabling capability negotiation will also prevent the problem from
+occurring, but may cause problems. It is not recommended to disable
+capability negotiation in normal operation.
+
+
+Description
+------------
+
+The Quagga BGP daemon, bgpd, had a bug in its parsing of "Capabilities" in
+BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. 
+The parser can enter an infinite loop on invalid capabilities if a
+Multi-Protocol capability does not have a recognised AFI/SAFI.
+
+The issue was introduced in commit 6d58272b4c, by copying an incorrect
+pattern of code from an existing check on a configuration flag (which also
+has the issue) and applying it to protocol data.
+
+This issue can be triggered by a configured peer, accidentally or
+deliberately.  It could also be configured by others, if transport security
+and/or network topology allowed an attacker to spoof a full TCP connection.
+
+The consequence of this bug is that bgpd enters an infinite loop. The bgpd
+daemon will not be able to do any other work as a consequence, including
+servicing BGP and CLI sessions. BGP sessions will time out and drop and not
+be re-established. This state will persist until the bgpd is restarted.

doc/security/template.txt

@@ -1,6 +1,8 @@
 Quagga Security Note 201x-YYYY
 ==============================
 
+https://www.quagga.net/security/Quagga-YYYY-XXXX.txt
+
 Summary
 -------