Red Hat Bugzilla – Bug 1043370
CVE-2013-6051 quagga: bgp crash when receiving bgp updates
Last modified: 2014-01-27 03:59:12 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6051 to the following vulnerability:
The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update.
Created quagga tracking bugs for this issue:
Affects: fedora-18 [bug 1043371]
Quick check of the code shows that Quagga 0.98.6 (so Red Hat Enterprise Linux 5) is affected; would also imply that Red Hat Enterprise Linux 6 is affected (being that 0.99.15 is between 0.98.6 and the reported 0.99.21 version).
This is corrected in 0.99.22 (verified by looking at the code), so Fedora 19 and 20 are not affected.
Sorry, the above is not correct.
Red Hat Enterprise Linux 5 and 6 are NOT affected because total does get initialized prior to being used:
/* BGP unknown attribute treatment. */
bgp_attr_unknown (struct peer *peer, struct attr *attr, u_char flag,
u_char type, bgp_size_t length, u_char *startp)
struct transit *transit;
if (BGP_DEBUG (events, EVENTS))
zlog (peer->log, LOG_DEBUG,
"Unknown attribute type %d length %d is received", type, length);
/* Forward read pointer of input stream. */
stream_forward (peer->ibuf, length);
/* Adjest total length to include type and length. */
total = length + (CHECK_FLAG (flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
This would have been introduced via this commit, which refactored much of the code, and removed that initial initialization:
Not vulnerable. This issue did not affect the versions of quagga as shipped
with Red Hat Enterprise Linux 5 and 6.