Bug 1043370 (CVE-2013-6051) - CVE-2013-6051 quagga: bgp crash when receiving bgp updates
Summary: CVE-2013-6051 quagga: bgp crash when receiving bgp updates
Alias: CVE-2013-6051
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1043371
Blocks: 1035093
TreeView+ depends on / blocked
Reported: 2013-12-16 06:27 UTC by Ratul Gupta
Modified: 2021-02-17 07:04 UTC (History)
5 users (show)

Fixed In Version: quagga 0.99.22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-12-20 21:12:09 UTC

Attachments (Terms of Use)

Description Ratul Gupta 2013-12-16 06:27:19 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6051 to the following vulnerability:

The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update.

Upstream fix:


Comment 1 Ratul Gupta 2013-12-16 06:28:54 UTC
Created quagga tracking bugs for this issue:

Affects: fedora-18 [bug 1043371]

Comment 2 Vincent Danen 2013-12-20 20:40:50 UTC
Quick check of the code shows that Quagga 0.98.6 (so Red Hat Enterprise Linux 5) is affected; would also imply that Red Hat Enterprise Linux 6 is affected (being that 0.99.15 is between 0.98.6 and the reported 0.99.21 version).

This is corrected in 0.99.22 (verified by looking at the code), so Fedora 19 and 20 are not affected.

Comment 3 Vincent Danen 2013-12-20 21:07:46 UTC
Sorry, the above is not correct.

Red Hat Enterprise Linux 5 and 6 are NOT affected because total does get initialized prior to being used:

/* BGP unknown attribute treatment. */
bgp_attr_unknown (struct peer *peer, struct attr *attr, u_char flag,
                  u_char type, bgp_size_t length, u_char *startp)
  bgp_size_t total;
  struct transit *transit;

  if (BGP_DEBUG (events, EVENTS))
    zlog (peer->log, LOG_DEBUG,
          "Unknown attribute type %d length %d is received", type, length);

  /* Forward read pointer of input stream. */
  stream_forward (peer->ibuf, length);

  /* Adjest total length to include type and length. */
  total = length + (CHECK_FLAG (flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);

This would have been introduced via this commit, which refactored much of the code, and removed that initial initialization:


Comment 4 Vincent Danen 2013-12-20 21:12:09 UTC

Not vulnerable. This issue did not affect the versions of quagga as shipped
with Red Hat Enterprise Linux 5 and 6.

Note You need to log in before you can comment on or make changes to this bug.