Bug 626795 (CVE-2010-2949)

Summary: CVE-2010-2949 Quagga (bgpd): DoS (crash) while processing certain BGP update AS path messages
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: Martin Cermak <mcermak>
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jskala, mcermak, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-31 19:08:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 628981, 644830, 644832    
Bug Blocks:    

Description Jan Lieskovsky 2010-08-24 12:58:37 UTC
A NULL pointer dereference flaw was found in the way Quagga's bgpd daemon
parsed paths of autonomous systems (AS). A configured BGP peer could send
a BGP update AS path request with unknown AS type, which could lead to
denial of service (bgpd daemon crash).

Upstream changeset:
  [1] http://code.quagga.net/?p=quagga.git;a=commit;h=cddb8112b80fa9867156c637d63e6e79eeac67bb

  [2] http://www.quagga.net/news2.php?y=2010&m=8&d=19#id1282241100

CVE Request:
  [3] http://www.openwall.com/lists/oss-security/2010/08/24/3

Comment 4 Jan Lieskovsky 2010-08-24 13:09:52 UTC
This issue did NOT affect the versions of the quagga package, as shipped
with Red Hat Enterprise Linux 3, 4, or 5.


This issue affects the versions of the quagga package, as shipped
with Fedora release of 12 and 13.

Comment 5 Jan Lieskovsky 2010-08-31 15:09:49 UTC
Created quagga tracking bugs for this issue

Affects: fedora-all [bug 628981]

Comment 11 Jan Lieskovsky 2010-09-24 16:35:16 UTC

Not vulnerable. This issue did not affect the versions of quagga
package as shipped with Red Hat Enterprise Linux 3, 4, or 5, as
these versions do not support 4 byte AS numbers (AS4 support) yet.

Comment 14 Martin Cermak 2010-12-02 09:01:58 UTC
Comment #13 => VERIFIED

Comment 15 errata-xmlrpc 2010-12-06 19:21:30 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0945 https://rhn.redhat.com/errata/RHSA-2010-0945.html