Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6051 to the following vulnerability: The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update. Upstream fix: http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=commitdiff;h=8794e8d229dc9fe29ea31424883433d4880ef408 References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730513 http://www.debian.org/security/2013/dsa-2803
Created quagga tracking bugs for this issue: Affects: fedora-18 [bug 1043371]
Quick check of the code shows that Quagga 0.98.6 (so Red Hat Enterprise Linux 5) is affected; would also imply that Red Hat Enterprise Linux 6 is affected (being that 0.99.15 is between 0.98.6 and the reported 0.99.21 version). This is corrected in 0.99.22 (verified by looking at the code), so Fedora 19 and 20 are not affected.
Sorry, the above is not correct. Red Hat Enterprise Linux 5 and 6 are NOT affected because total does get initialized prior to being used: /* BGP unknown attribute treatment. */ int bgp_attr_unknown (struct peer *peer, struct attr *attr, u_char flag, u_char type, bgp_size_t length, u_char *startp) { bgp_size_t total; struct transit *transit; if (BGP_DEBUG (events, EVENTS)) zlog (peer->log, LOG_DEBUG, "Unknown attribute type %d length %d is received", type, length); /* Forward read pointer of input stream. */ stream_forward (peer->ibuf, length); /* Adjest total length to include type and length. */ total = length + (CHECK_FLAG (flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); This would have been introduced via this commit, which refactored much of the code, and removed that initial initialization: http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=commitdiff;h=835315b
Statement: Not vulnerable. This issue did not affect the versions of quagga as shipped with Red Hat Enterprise Linux 5 and 6.