Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1542985 - (CVE-2018-5379) CVE-2018-5379 quagga: Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code
CVE-2018-5379 quagga: Double free vulnerability in bgpd when processing certa...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20180215,repo...
: Security
Depends On: 1546007 1546008 1546015 1546016
Blocks: 1543001
  Show dependency treegraph
 
Reported: 2018-02-07 09:07 EST by Adam Mariš
Modified: 2018-05-14 09:57 EDT (History)
9 users (show)

See Also:
Fixed In Version: quagga 1.2.3
Doc Type: If docs needed, set a value
Doc Text:
A double-free vulnerability was found in Quagga. A BGP peer could send a specially crafted UPDATE message which would cause allocated blocks of memory to be free()d more than once, potentially leading to a crash or other issues.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Upstream patch (3.15 KB, patch)
2018-02-07 09:24 EST, Adam Mariš 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0377 normal SHIPPED_LIVE Important: quagga security update 2018-02-28 18:30:59 EST

  None (edit)
Description Adam Mariš 2018-02-07 09:07:20 EST 
The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes.

This issue can be triggered by an optional/transitive UPDATE attribute, that all conforming eBGP speakers should pass along.  This means this may triggerable in many affected Quagga bgpd processes across a wide area of a network, because of just one UPDATE message.

This issue could result in a crash of bgpd, or even allow a remote attacker to gain control of an affected bgpd process.

All versions are likely affected.
Comment 1 Adam Mariš 2018-02-07 09:07:23 EST 
Acknowledgments:

Name: the Quagga project
Comment 2 Adam Mariš 2018-02-07 09:24 EST 
Created attachment 1392685 [details]
Upstream patch
Comment 3 Doran Moppert 2018-02-12 23:15:37 EST 
External References:

https://www.quagga.net/security/Quagga-2018-1114.txt
Comment 4 Doran Moppert 2018-02-13 00:02:30 EST 
Statement:

Glibc's heap protection mitigations render this issue more difficult to exploit, though bypasses may still be possible.
Comment 5 Doran Moppert 2018-02-15 23:37:19 EST 
Created quagga tracking bugs for this issue:

Affects: fedora-all [bug 1546008]
Comment 8 errata-xmlrpc 2018-02-28 13:27:00 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0377 https://access.redhat.com/errata/RHSA-2018:0377
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.