CVE-2013-2236

Description

Stack-based buffer overflow in the new_msg_lsa_change_notify function in the OSPFD API (ospf_api.c) in Quagga before 0.99.22.2, when --enable-opaque-lsa and the -a command line option are used, allows remote attackers to cause a denial of service (crash) via a large LSA.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
quagga	15.10 wily	Not affected
	15.04 vivid	Not affected
	14.10 utopic	Not affected
	14.04 LTS trusty	Not in release
	13.10 saucy	Ignored end of life
	13.04 raring	Ignored end of life
	12.10 quantal	Ignored end of life
	12.04 LTS precise	Fixed 0.99.20.1-0ubuntu0.12.04.4
	10.04 LTS lucid	Ignored end of life

Notes

jdstrand

requires --enable-opaque-lsa during the build (true for Ubuntu 10.04 LTS and higher) also requires starting ospfd with '-a'. ospfd is not enabled by default and the configuration in /etc/quagga/debian.conf does not include '-a'. Per upstream, normal protection measures (eg, packet filtering, listening on internal network, etc) would prevent this. Furthermore, it is difficult to exploit. Considering the above, downgrading to 'low'

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
quagga	Proposed: http://lists.quagga.net/pipermail/quagga-dev/2013-July/010625.html Upstream: http://lists.quagga.net/pipermail/quagga-dev/2013-July/010639.html Vendor: http://www.debian.org/security/2013/dsa-2803 Upstream: http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=commit;h=c51443f4aa6b7f0b0d6ad5409ad7d4b215092443

References

Related Ubuntu Security Notices (USN)

USN-2941-1
Quagga vulnerabilities
24 March 2016