Debian Bug report logs -
#693102
CVE-2012-5521: ospf6d crashes with Assertion `current == route' failed
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, md@linux.it, Christian Hammers <ch@debian.org>
:
Bug#693102
; Package quagga
.
(Tue, 13 Nov 2012 02:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Marco d'Itri <md@linux.it>
:
New Bug report received and forwarded. Copy sent to md@linux.it, Christian Hammers <ch@debian.org>
.
(Tue, 13 Nov 2012 02:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: quagga
Version: 0.99.21-3
Severity: important
Tags: security
100% reproducible remote DoS: bug: if I configure a network longer than
/64 of any interface of one of my Juniper routers, all ospf6d in the
network (squeeze and wheezy) crash with this assertion failure:
OSPF6: Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove
OSPF6: Backtrace for 9 stack frames:
OSPF6: [bt 0] /usr/lib/libzebra.so.0(zlog_backtrace+0x26) [0x7f09746b91e7]
OSPF6: [bt 1] /usr/lib/libzebra.so.0(_zlog_assert_failed+0xa3) [0x7f09746b98ea]
OSPF6: [bt 2] /usr/lib/quagga/ospf6d(ospf6_route_remove+0xfd) [0x7f0974b25faf]
OSPF6: [bt 3] /usr/lib/quagga/ospf6d(ospf6_intra_route_calculation+0xd4) [0x7f0974b2a593]
OSPF6: [bt 4] /usr/lib/quagga/ospf6d(+0x2590f) [0x7f0974b2c90f]
OSPF6: [bt 5] /usr/lib/libzebra.so.0(thread_call+0x67) [0x7f09746ae80b]
OSPF6: [bt 6] /usr/lib/quagga/ospf6d(main+0x37f) [0x7f0974b15b6f]
OSPF6: [bt 7] /lib/libc.so.6(__libc_start_main+0xfd) [0x7f0973d04c8d]
OSPF6: [bt 8] /usr/lib/quagga/ospf6d(+0xebd1) [0x7f0974b15bd1]
--
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>
:
Bug#693102
; Package quagga
.
(Tue, 13 Nov 2012 09:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hammers <ch@lathspell.de>
:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>
.
(Tue, 13 Nov 2012 09:12:03 GMT) (full text, mbox, link).
Message #10 received at 693102@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hallo
Did you already discuss this with the upstream authors or should I
forward the bug?
bye,
-christian-
On Tue, 13 Nov 2012 03:34:37 +0100
Marco d'Itri <md@linux.it> wrote:
> Package: quagga
> Version: 0.99.21-3
> Severity: important
> Tags: security
>
> 100% reproducible remote DoS: bug: if I configure a network longer than
> /64 of any interface of one of my Juniper routers, all ospf6d in the
> network (squeeze and wheezy) crash with this assertion failure:
>
> OSPF6: Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove
> OSPF6: Backtrace for 9 stack frames:
> OSPF6: [bt 0] /usr/lib/libzebra.so.0(zlog_backtrace+0x26) [0x7f09746b91e7]
> OSPF6: [bt 1] /usr/lib/libzebra.so.0(_zlog_assert_failed+0xa3) [0x7f09746b98ea]
> OSPF6: [bt 2] /usr/lib/quagga/ospf6d(ospf6_route_remove+0xfd) [0x7f0974b25faf]
> OSPF6: [bt 3] /usr/lib/quagga/ospf6d(ospf6_intra_route_calculation+0xd4) [0x7f0974b2a593]
> OSPF6: [bt 4] /usr/lib/quagga/ospf6d(+0x2590f) [0x7f0974b2c90f]
> OSPF6: [bt 5] /usr/lib/libzebra.so.0(thread_call+0x67) [0x7f09746ae80b]
> OSPF6: [bt 6] /usr/lib/quagga/ospf6d(main+0x37f) [0x7f0974b15b6f]
> OSPF6: [bt 7] /lib/libc.so.6(__libc_start_main+0xfd) [0x7f0973d04c8d]
> OSPF6: [bt 8] /usr/lib/quagga/ospf6d(+0xebd1) [0x7f0974b15bd1]
>
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>
:
Bug#693102
; Package quagga
.
(Tue, 13 Nov 2012 11:54:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hammers <ch@lathspell.de>
:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>
.
(Tue, 13 Nov 2012 11:54:06 GMT) (full text, mbox, link).
Message #15 received at 693102@bugs.debian.org (full text, mbox, reply):
tags 693102 + upstream forwarded
forwarded 693102 https://bugzilla.quagga.net/show_bug.cgi?id=747
stop
Added tag(s) upstream.
Request was from Christian Hammers <ch@lathspell.de>
to control@bugs.debian.org
.
(Tue, 13 Nov 2012 12:03:08 GMT) (full text, mbox, link).
Changed Bug title to 'CVE-2012-5521: ospf6d crashes with Assertion `current == route' failed' from 'ospf6d crashes with Assertion `current == route' failed in file ospf6_route.c, line 608, function ospf6_route_remove'
Request was from Christian Hammers <ch@lathspell.de>
to control@bugs.debian.org
.
(Wed, 14 Nov 2012 12:03:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org
:
Bug#693102
; Package quagga
.
(Sat, 24 Nov 2012 16:39:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hammers <ch@debian.org>
:
Extra info received and forwarded to list.
(Sat, 24 Nov 2012 16:39:06 GMT) (full text, mbox, link).
Message #26 received at 693102@bugs.debian.org (full text, mbox, reply):
Hello Quagga maintainers
Did you notice the following bug which was marked as security relevant?
It was filed as #747 in your BTS.
It would be great if you could provide a patch that applies to
0.99.20.1 (for the current Debian stable distribution).
bye,
-christian-
Beginn der weitergeleiteten Nachricht:
Datum: Tue, 13 Nov 2012 11:27:27 -0700
Von: Kurt Seiifried <kseifried@redhat.com>
An: oss-security@lists.openwall.com
Cc: Jan Lieskovsky <jlieskov@redhat.com>, "Steven M. Christey"
<coley@linus.mitre.org>, Denis Ovsienko
<infrastation@yandex.ru>, Christian Hammers
<ch@debian.org>, "Dmitry V. Levin" <ldv@altlinux.org>, Paul
Jakma <paul@jakma.org>, Florian Weimer <fweimer@redhat.com>,
"Marco d'Itri" <md@linux.it> Betreff: Re: [oss-security] CVE Request --
quagga (ospf6d): Assertion failure when removing routes (retrieving
information which route to remove)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/13/2012 07:48 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> Marco d'Itri in Debian bug [1] has reported the following
> deficiency, being present in 0.99.21 and possibly earlier versions
> of the Quagga routing suite:
>
> A denial of service flaw was found in the way Quagga's ospf6d
> daemon performed routes removal. In certain circumstances when
> removing the route the ospf6d daemon terminated with assertion
> failure when trying to determine / find, which route to remove. An
> OSPF6 router could use this flaw to cause ospf6d on an adjacent
> router to abort.
>
> References: [1]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693102 [2]
> https://bugzilla.redhat.com/show_bug.cgi?id=876197
>
> Upstream bug report: [3]
> https://bugzilla.quagga.net/show_bug.cgi?id=747
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
>
Please use CVE-2012-5521 for this issue.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iQIcBAEBAgAGBQJQopEPAAoJEBYNRVNeJnmT5fQP/0T4SrIhya2QCMKB6xwXh4A3
g15i+A2X0ToXLDgUpnMlJPUbQMSRKvncm+prkHUJNsDxP6KW/hzMj/lsFGfdxsda
drGePasJJNJUT0f1Z2g8IXNfy1iUq3ZnjAFpwbd93iR/iRclDvNPhC5813XOr37G
ozpR4E4K+7Uf2GUvPAHwbTsgYeCQwnOzWZ3wIet9+Ej1vaEqRuXra3XmSnLAPiRp
RTZb6A4TROnc/+KLRI8JHH5AZUSNODJClG00sewI8CVSEp+EtbRRljntzzRVlqOJ
OXqITx5F5a+Su1S93dlRCoj4GJlPOJ9ALZ74+9RxmBFmR/ApE+uVUqZmIlJbvK73
sAUBEvvV8yymP6WoaamA/UP8HcICATvjjdQe+I5fgCiFLxOU2z2vVkNuOdNZNwom
iDGnnckWVEfjy9uRPAf7ubybCAMyY54pMZP2YHOwEzCaH7p74G3Pgv52DtGnQqU6
ADSJPp0Sc6R0/QyqCbnSyksdPw/gAUWEbAZvlct63o2k+tENii3DjN8oz7bd4dsB
afIuUqXbV+/1ta/6fkduY6Hir5gOyBXkh9KNg84FM6aa1sYgLGuxzVb1OOxXzXd8
dsc6nahjFM98n80yx5InFKgyEcGr9BEzEWjn3dqKtagEyr5X3RjeFEabTlojYZIS
sMvb3K2PDbLv/+TJ2NIG
=S1si
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>
:
Bug#693102
; Package quagga
.
(Tue, 26 Feb 2013 22:57:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hammers <ch@lathspell.de>
:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>
.
(Tue, 26 Feb 2013 22:57:08 GMT) (full text, mbox, link).
Message #31 received at 693102@bugs.debian.org (full text, mbox, reply):
Hello Marco
The upstream authors have a question, could you provide those tcpdumps?
https://bugzilla.quagga.net/show_bug.cgi?id=747
> --- Comment #2 from David Lamparter <equinox@diac24.net> 2013-02-26
> 20:05:24 UTC --- Is it possible to get a tcpdump (limit to ospf6
> packets) or at least some information on the exact routes involved in
> this?
bye,
-christian-
Information forwarded
to debian-bugs-dist@lists.debian.org, Christian Hammers <ch@debian.org>
:
Bug#693102
; Package quagga
.
(Tue, 26 Feb 2013 22:57:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Marco d'Itri <md@linux.it>
:
Extra info received and forwarded to list. Copy sent to Christian Hammers <ch@debian.org>
.
(Tue, 26 Feb 2013 22:57:10 GMT) (full text, mbox, link).
Message #36 received at 693102@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Feb 26, Christian Hammers <ch@lathspell.de> wrote:
> The upstream authors have a question, could you provide those tcpdumps?
No, I am sorry but I do not feel like crashing my network right now. :-)
I recommend that they build an Olive and try that in a lab.
This is the configuration that I used:
interfaces {
irb {
unit 42 {
family inet6 {
address 2001:4b78:feff::2/64; # this breaks if I use /120
}
}
}
}
protocols {
ospf3 {
area 0.0.0.0 {
interface irb.42 {
metric 350;
}
}
}
}
This Juniper router is not directly connected to the quagga ones, there
are Cisco routers between them.
--
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org
:
Bug#693102
; Package quagga
.
(Mon, 22 Apr 2013 21:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Christian Hammers <ch@debian.org>
:
Extra info received and forwarded to list.
(Mon, 22 Apr 2013 21:45:04 GMT) (full text, mbox, link).
Message #41 received at 693102@bugs.debian.org (full text, mbox, reply):
Hello Marco
Could you have a look at the upstream bug tracker? David is having
problems to reproduce the bug:
https://bugzilla.quagga.net/show_bug.cgi?id=747
bye,
-christian-
Marked as found in versions quagga/0.99.23.1-1+deb8u1.
Request was from Marco d'Itri <md@linux.it>
to control@bugs.debian.org
.
(Tue, 13 Jun 2017 01:06:03 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:49:46 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.