Quagga Security Note 2018-1550
==============================

https://www.quagga.net/security/Quagga-2018-1550.txt

Affects:
--------

All versions of Quagga.

Summary
-------

The Quagga BGP daemon, bgpd, can overrun internal BGP code-to-string
conversion tables used for debug by 1 pointer value, based on input.

Impact
------

The impact is thought to be very low. The bgpd daemon likely will continue
running. Warning and debug messages in the logs may contain arbitrary bytes.

The issue can only be triggered by a configured peer, if there is sufficient
transport security.

Solution
--------

Upgrade to Quagga version 1.2.3, or any version with the fix applied. The
fix is git commit:

"bgpd/security: debug print of received NOTIFY data can over-read msg array"

Description
-----------

The bgpd daemon contains a number of tables to convert BGP code-points to
string representations. These tables are used for logging debug and warning
messages if a NOTIFY is sent.

The lookup into the conversion table used a bound on the size that was 1
greater than the actual size of the table. This allowed the lookup to read 1
pointer past the end of the array, if a lookup was made with an unknown
code-point from a BGP message.
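
The off-by-one bound described above, as an added example that is not
Quagga's own code. The table contents, the names and the guard slot are all
hypothetical; the guard slot stands in for whatever memory follows the real
table, so the over-read can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical code-to-string table (constructed entries, not bgpd's).
 * The logical table has TABLE_LEN entries; the extra guard slot models the
 * pointer-sized memory that sits directly after the real array. */
#define TABLE_LEN 4
static const char *const notify_str[TABLE_LEN + 1] = {
    "Reserved",
    "Message Header Error",
    "OPEN Message Error",
    "UPDATE Message Error",
    "<guard: memory past the table>",
};

/* Flawed bound: 1 greater than the table size, as the advisory describes. */
#define FLAWED_MAX (TABLE_LEN + 1)

/* Shared lookup: the only difference between the two callers is the bound. */
static const char *lookup_bounded(unsigned code, size_t max)
{
    if (code < max)
        return notify_str[code];
    return "Unknown";
}

/* Before the fix: code-point == TABLE_LEN passes the bounds check. */
const char *lookup_flawed(unsigned code)
{
    return lookup_bounded(code, FLAWED_MAX);
}

/* After the fix: the bound equals the number of table entries. */
const char *lookup_fixed(unsigned code)
{
    return lookup_bounded(code, TABLE_LEN);
}

int main(void)
{
    /* Constructed code-points, as if taken from a received NOTIFY. */
    unsigned codes[] = {1, 3, 4, 200};
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("code %3u  flawed: %-32s fixed: %s\n", codes[i],
               lookup_flawed(codes[i]), lookup_fixed(codes[i]));
    return 0;
}
```

Only the single code-point equal to the table size behaves differently, which
matches the advisory's "1 pointer past the end" description.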