Bug 1043370 (CVE-2013-6051)

Summary: CVE-2013-6051 quagga: bgp crash when receiving bgp updates
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: balajig81, jkurik, msekleta, pfrields, vonsch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: quagga 0.99.22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-20 21:12:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1043371    
Bug Blocks: 1035093    

Description Ratul Gupta 2013-12-16 06:27:19 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6051 to the following vulnerability:

The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update.

Upstream fix:
http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=commitdiff;h=8794e8d229dc9fe29ea31424883433d4880ef408

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730513
http://www.debian.org/security/2013/dsa-2803
Comment 1 Ratul Gupta 2013-12-16 06:28:54 UTC 
Created quagga tracking bugs for this issue:

Affects: fedora-18 [bug 1043371]
Comment 2 Vincent Danen 2013-12-20 20:40:50 UTC 
Quick check of the code shows that Quagga 0.98.6 (so Red Hat Enterprise Linux 5) is affected; would also imply that Red Hat Enterprise Linux 6 is affected (being that 0.99.15 is between 0.98.6 and the reported 0.99.21 version).

This is corrected in 0.99.22 (verified by looking at the code), so Fedora 19 and 20 are not affected.
Comment 3 Vincent Danen 2013-12-20 21:07:46 UTC 
Sorry, the above is not correct.

Red Hat Enterprise Linux 5 and 6 are NOT affected because total does get initialized prior to being used:

/* BGP unknown attribute treatment. */
int
bgp_attr_unknown (struct peer *peer, struct attr *attr, u_char flag,
                  u_char type, bgp_size_t length, u_char *startp)
{
  bgp_size_t total;
  struct transit *transit;

  if (BGP_DEBUG (events, EVENTS))
    zlog (peer->log, LOG_DEBUG,
          "Unknown attribute type %d length %d is received", type, length);

  /* Forward read pointer of input stream. */
  stream_forward (peer->ibuf, length);

  /* Adjest total length to include type and length. */
  total = length + (CHECK_FLAG (flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);


This would have been introduced via this commit, which refactored much of the code, and removed that initial initialization:

http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=commitdiff;h=835315b
Comment 4 Vincent Danen 2013-12-20 21:12:09 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of quagga as shipped
with Red Hat Enterprise Linux 5 and 6.