Bug 1043370 - (CVE-2013-6051) CVE-2013-6051 quagga: bgp crash when receiving bgp updates
CVE-2013-6051 quagga: bgp crash when receiving bgp updates
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1043371
Blocks: 1035093
  Show dependency treegraph
Reported: 2013-12-16 01:27 EST by Ratul Gupta
Modified: 2014-01-27 03:59 EST (History)
5 users (show)

See Also:
Fixed In Version: quagga 0.99.22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-12-20 16:12:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ratul Gupta 2013-12-16 01:27:19 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6051 to the following vulnerability:

The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update.

Upstream fix:

Comment 1 Ratul Gupta 2013-12-16 01:28:54 EST
Created quagga tracking bugs for this issue:

Affects: fedora-18 [bug 1043371]
Comment 2 Vincent Danen 2013-12-20 15:40:50 EST
Quick check of the code shows that Quagga 0.98.6 (so Red Hat Enterprise Linux 5) is affected; would also imply that Red Hat Enterprise Linux 6 is affected (being that 0.99.15 is between 0.98.6 and the reported 0.99.21 version).

This is corrected in 0.99.22 (verified by looking at the code), so Fedora 19 and 20 are not affected.
Comment 3 Vincent Danen 2013-12-20 16:07:46 EST
Sorry, the above is not correct.

Red Hat Enterprise Linux 5 and 6 are NOT affected because total does get initialized prior to being used:

/* BGP unknown attribute treatment. */
bgp_attr_unknown (struct peer *peer, struct attr *attr, u_char flag,
                  u_char type, bgp_size_t length, u_char *startp)
  bgp_size_t total;
  struct transit *transit;

  if (BGP_DEBUG (events, EVENTS))
    zlog (peer->log, LOG_DEBUG,
          "Unknown attribute type %d length %d is received", type, length);

  /* Forward read pointer of input stream. */
  stream_forward (peer->ibuf, length);

  /* Adjest total length to include type and length. */
  total = length + (CHECK_FLAG (flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);

This would have been introduced via this commit, which refactored much of the code, and removed that initial initialization:

Comment 4 Vincent Danen 2013-12-20 16:12:09 EST

Not vulnerable. This issue did not affect the versions of quagga as shipped
with Red Hat Enterprise Linux 5 and 6.

Note You need to log in before you can comment on or make changes to this bug.