CVE-2012-5521: ospf6d crashes with Assertion `current == route' failed

Debian Bug report logs - #693102
CVE-2012-5521: ospf6d crashes with Assertion `current == route' failed

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ospf6d crashes with Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove

Date: Tue, 13 Nov 2012 03:34:37 +0100

[Message part 1 (text/plain, inline)]

Package: quagga
Version: 0.99.21-3
Severity: important
Tags: security

100% reproducible remote DoS: bug: if I configure a network longer than 
/64 of any interface of one of my Juniper routers, all ospf6d in the 
network (squeeze and wheezy) crash with this assertion failure:

OSPF6: Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove
OSPF6: Backtrace for 9 stack frames:
OSPF6: [bt 0] /usr/lib/libzebra.so.0(zlog_backtrace+0x26) [0x7f09746b91e7]
OSPF6: [bt 1] /usr/lib/libzebra.so.0(_zlog_assert_failed+0xa3) [0x7f09746b98ea]
OSPF6: [bt 2] /usr/lib/quagga/ospf6d(ospf6_route_remove+0xfd) [0x7f0974b25faf]
OSPF6: [bt 3] /usr/lib/quagga/ospf6d(ospf6_intra_route_calculation+0xd4) [0x7f0974b2a593]
OSPF6: [bt 4] /usr/lib/quagga/ospf6d(+0x2590f) [0x7f0974b2c90f]
OSPF6: [bt 5] /usr/lib/libzebra.so.0(thread_call+0x67) [0x7f09746ae80b]
OSPF6: [bt 6] /usr/lib/quagga/ospf6d(main+0x37f) [0x7f0974b15b6f]
OSPF6: [bt 7] /lib/libc.so.6(__libc_start_main+0xfd) [0x7f0973d04c8d]
OSPF6: [bt 8] /usr/lib/quagga/ospf6d(+0xebd1) [0x7f0974b15bd1]

-- 
ciao,
Marco

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 693102@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@lathspell.de>

To: Marco d'Itri <md@linux.it>, 693102@bugs.debian.org

Subject: Re: Bug#693102: ospf6d crashes with Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove

Date: Tue, 13 Nov 2012 10:02:54 +0100

[Message part 1 (text/plain, inline)]

Hallo

Did you already discuss this with the upstream authors or should I
forward the bug?

bye,

-christian-

On Tue, 13 Nov 2012 03:34:37 +0100
Marco d'Itri <md@linux.it> wrote:

> Package: quagga
> Version: 0.99.21-3
> Severity: important
> Tags: security
> 
> 100% reproducible remote DoS: bug: if I configure a network longer than 
> /64 of any interface of one of my Juniper routers, all ospf6d in the 
> network (squeeze and wheezy) crash with this assertion failure:
> 
> OSPF6: Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove
> OSPF6: Backtrace for 9 stack frames:
> OSPF6: [bt 0] /usr/lib/libzebra.so.0(zlog_backtrace+0x26) [0x7f09746b91e7]
> OSPF6: [bt 1] /usr/lib/libzebra.so.0(_zlog_assert_failed+0xa3) [0x7f09746b98ea]
> OSPF6: [bt 2] /usr/lib/quagga/ospf6d(ospf6_route_remove+0xfd) [0x7f0974b25faf]
> OSPF6: [bt 3] /usr/lib/quagga/ospf6d(ospf6_intra_route_calculation+0xd4) [0x7f0974b2a593]
> OSPF6: [bt 4] /usr/lib/quagga/ospf6d(+0x2590f) [0x7f0974b2c90f]
> OSPF6: [bt 5] /usr/lib/libzebra.so.0(thread_call+0x67) [0x7f09746ae80b]
> OSPF6: [bt 6] /usr/lib/quagga/ospf6d(main+0x37f) [0x7f0974b15b6f]
> OSPF6: [bt 7] /lib/libc.so.6(__libc_start_main+0xfd) [0x7f0973d04c8d]
> OSPF6: [bt 8] /usr/lib/quagga/ospf6d(+0xebd1) [0x7f0974b15bd1]
> 

[signature.asc (application/pgp-signature, attachment)]

Message #15 received at 693102@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@lathspell.de>

To: control@bugs.debian.org

Cc: 693102@bugs.debian.org

Subject: tagging bug

Date: Tue, 13 Nov 2012 12:51:11 +0100

tags 693102 + upstream forwarded
forwarded 693102 https://bugzilla.quagga.net/show_bug.cgi?id=747
stop

Message #26 received at 693102@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@debian.org>

To: security@quagga.net

Cc: 693102@bugs.debian.org

Subject: Fw: [oss-security] CVE Request -- quagga (ospf6d): Assertion failure when removing routes (retrieving information which route to remove)

Date: Sat, 24 Nov 2012 17:37:48 +0100

Hello Quagga maintainers

Did you notice the following bug which was marked as security relevant?
It was filed as #747 in your BTS.

It would be great if you could provide a patch that applies to
0.99.20.1 (for the current Debian stable distribution).

bye,

-christian-



Beginn der weitergeleiteten Nachricht:

Datum: Tue, 13 Nov 2012 11:27:27 -0700
Von: Kurt Seiifried <kseifried@redhat.com>
An: oss-security@lists.openwall.com
Cc: Jan Lieskovsky <jlieskov@redhat.com>,        "Steven M. Christey"
<coley@linus.mitre.org>,        Denis Ovsienko
<infrastation@yandex.ru>,        Christian Hammers
<ch@debian.org>,        "Dmitry V. Levin" <ldv@altlinux.org>, Paul
Jakma <paul@jakma.org>,        Florian Weimer <fweimer@redhat.com>,
"Marco d'Itri" <md@linux.it> Betreff: Re: [oss-security] CVE Request --
quagga (ospf6d): Assertion failure when removing routes (retrieving
information which route to remove)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/13/2012 07:48 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> Marco d'Itri in Debian bug [1] has reported the following
> deficiency, being present in 0.99.21 and possibly earlier versions
> of the Quagga routing suite:
> 
> A denial of service flaw was found in the way Quagga's ospf6d
> daemon performed routes removal. In certain circumstances when
> removing the route the ospf6d daemon terminated with assertion
> failure when trying to determine / find, which route to remove. An
> OSPF6 router could use this flaw to cause ospf6d on an adjacent
> router to abort.
> 
> References: [1]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693102 [2]
> https://bugzilla.redhat.com/show_bug.cgi?id=876197
> 
> Upstream bug report: [3]
> https://bugzilla.quagga.net/show_bug.cgi?id=747
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
> 

Please use CVE-2012-5521 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQopEPAAoJEBYNRVNeJnmT5fQP/0T4SrIhya2QCMKB6xwXh4A3
g15i+A2X0ToXLDgUpnMlJPUbQMSRKvncm+prkHUJNsDxP6KW/hzMj/lsFGfdxsda
drGePasJJNJUT0f1Z2g8IXNfy1iUq3ZnjAFpwbd93iR/iRclDvNPhC5813XOr37G
ozpR4E4K+7Uf2GUvPAHwbTsgYeCQwnOzWZ3wIet9+Ej1vaEqRuXra3XmSnLAPiRp
RTZb6A4TROnc/+KLRI8JHH5AZUSNODJClG00sewI8CVSEp+EtbRRljntzzRVlqOJ
OXqITx5F5a+Su1S93dlRCoj4GJlPOJ9ALZ74+9RxmBFmR/ApE+uVUqZmIlJbvK73
sAUBEvvV8yymP6WoaamA/UP8HcICATvjjdQe+I5fgCiFLxOU2z2vVkNuOdNZNwom
iDGnnckWVEfjy9uRPAf7ubybCAMyY54pMZP2YHOwEzCaH7p74G3Pgv52DtGnQqU6
ADSJPp0Sc6R0/QyqCbnSyksdPw/gAUWEbAZvlct63o2k+tENii3DjN8oz7bd4dsB
afIuUqXbV+/1ta/6fkduY6Hir5gOyBXkh9KNg84FM6aa1sYgLGuxzVb1OOxXzXd8
dsc6nahjFM98n80yx5InFKgyEcGr9BEzEWjn3dqKtagEyr5X3RjeFEabTlojYZIS
sMvb3K2PDbLv/+TJ2NIG
=S1si
-----END PGP SIGNATURE-----

Message #31 received at 693102@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@lathspell.de>

To: 693102@bugs.debian.org, Marco d'Itri <md@linux.it>

Subject: Re: Bug#693102 Fw: [Bug 747] CVE-2012-5521: ospf6d crashes with Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove

Date: Tue, 26 Feb 2013 23:48:52 +0100

Hello Marco

The upstream authors have a question, could you provide those tcpdumps?

https://bugzilla.quagga.net/show_bug.cgi?id=747

> --- Comment #2 from David Lamparter <equinox@diac24.net> 2013-02-26
> 20:05:24 UTC --- Is it possible to get a tcpdump (limit to ospf6
> packets) or at least some information on the exact routes involved in
> this?

bye,

-christian-

Message #36 received at 693102@bugs.debian.org (full text, mbox, reply):

From: Marco d'Itri <md@linux.it>

To: Christian Hammers <ch@lathspell.de>

Cc: 693102@bugs.debian.org

Subject: Re: Bug#693102 Fw: [Bug 747] CVE-2012-5521: ospf6d crashes with Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove

Date: Tue, 26 Feb 2013 23:51:46 +0100

[Message part 1 (text/plain, inline)]

On Feb 26, Christian Hammers <ch@lathspell.de> wrote:

> The upstream authors have a question, could you provide those tcpdumps?
No, I am sorry but I do not feel like crashing my network right now. :-)
I recommend that they build an Olive and try that in a lab.

This is the configuration that I used:

interfaces {
    irb {
        unit 42 {
            family inet6 {
                address 2001:4b78:feff::2/64; # this breaks if I use /120
            }
        }
    }
}
protocols {
    ospf3 {
        area 0.0.0.0 {
            interface irb.42 {
                metric 350;
            }
        }
    }
}

This Juniper router is not directly connected to the quagga ones, there 
are Cisco routers between them.

-- 
ciao,
Marco

[signature.asc (application/pgp-signature, inline)]

Message #41 received at 693102@bugs.debian.org (full text, mbox, reply):

From: Christian Hammers <ch@debian.org>

To: Marco d'Itri <md@linux.it>, 693102@bugs.debian.org

Cc: Marco d'Itri <md@linux.it>

Subject: Re: Bug#693102: ospf6d crashes with Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove

Date: Mon, 22 Apr 2013 23:32:45 +0200

Hello Marco

Could you have a look at the upstream bug tracker? David is having
problems to reproduce the bug:

 https://bugzilla.quagga.net/show_bug.cgi?id=747

bye,

-christian-

Send a report that this bug log contains spam.