main/quagga: fix CVE-2017-16227

fixes #8086
author: Natanael Copa <ncopa@alpinelinux.org> 2017-11-23 10:21:55 +0100
committer: Natanael Copa <ncopa@alpinelinux.org> 2017-11-23 10:27:23 +0100
commit: 6e3ecd37f497c0cfbe5ce695900164b2b2d5c1c7 (patch)
tree: 53fe1bea02aef78bff9d4eccf4e07bcce1e98d7b
parent: 034e674e49645d85932b71a01caec44bbcce3bc2 (diff)
2 files changed, 39 insertions, 1 deletions
diff --git a/main/quagga/APKBUILD b/main/quagga/APKBUILD
index 47c6c62577d..5f61dd3c0c2 100644
--- a/main/quagga/APKBUILD
+++ b/main/quagga/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=quagga
 pkgver=0.99.24.1
-pkgrel=5
+pkgrel=6
 pkgdesc="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP."
 url="http://quagga.net/"
 arch="all"
@@ -18,11 +18,15 @@ source="http://download.savannah.gnu.org/releases/quagga/quagga-$pkgver.tar.xz
 	bgpd-fix-useless-call-in-bgp_mplsvpn.patch
 	CVE-2016-2342.patch
         CVE-2016-1245.patch
+	CVE-2017-16227.patch
 
 	bgpd.initd
 	zebra.initd
 	zebra.confd
 	"
+# secfixes:
+#   0.99.24.1-r6:
+#   - CVE-2017-16227
 
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
@@ -80,6 +84,7 @@ md5sums="b168db69435100ee04564c4fb39c7413  quagga-0.99.24.1.tar.xz
 92a293e339a971dbee61a7e3532fc07f  bgpd-fix-useless-call-in-bgp_mplsvpn.patch
 9599aae2fc46e171d6cd1e0ad65bb0b8  CVE-2016-2342.patch
 fb9d9358fecc61ad74a6ff4b033b8697  CVE-2016-1245.patch
+e090eaee979456655099647d09625fc5  CVE-2017-16227.patch
 09a77e2e84e71c43f5a449738c026261  bgpd.initd
 916f1dd1a286ee7b862cda4fe56cbf21  zebra.initd
 34e06a1d2bc602ce691abc9ed169dd15  zebra.confd"
@@ -89,6 +94,7 @@ d8d65cc092cf7644b059d4c1b789b223482b0f50ba2cc891da4d71fe083f8cc0  bgpd-route-sel
 e05f1fbec4f495fb257fb11bda4d1a7ceba008f4af4ff40f9093571f65ab6fe2  bgpd-fix-useless-call-in-bgp_mplsvpn.patch
 4658d69b1e96d741aff29af72b93440b75fbff280d435614d991667f3cd32bdf  CVE-2016-2342.patch
 226167b88b1ee40b2bc765f7efd9c073de27ab5f534d365a192980406155a7ff  CVE-2016-1245.patch
+6fa3066acd1fa938321ea4375355a756d70b942397dc3713aea4b1668e8e4bd6  CVE-2017-16227.patch
 aab037454c6a70cd5cb45e14c47b7dfea358f8d81c7d12418edcf7e58a86c679  bgpd.initd
 c1d7526581927e990e687cbd5d08447eb060f76a439475572785b5b90c60c460  zebra.initd
 f7a52d383f60270a5a8fee5d4ac522c5c0ec2b7c4b5252cff54e260f32d9b323  zebra.confd"
@@ -98,6 +104,7 @@ sha512sums="71c340ce0f4e52c69892d8fed82d30956161b09b029fb0a82ba774664aa2303b4930
 ee50d0ad93f3322ffa5842261359bb46cd7d3e609c44ea2dce86ecee03d0b862dac4b18dc70f116481acab6ca9e66a94cc8b22a8efb67df74ad38eab08592c76  bgpd-fix-useless-call-in-bgp_mplsvpn.patch
 2cd301e9d63c1f006e8b136b6a781692f50d9a63315b58453096125bbdbd81bdb0e092549e6a496ba2451e7ab44f686faeec4b6eab6ad909c91ace95cbe8eee0  CVE-2016-2342.patch
 30db89839427ca03b24d80b832e270c648f1e6fba5612b1d2ba1b5e3b63dca5443f28ba00984854ecc2008c0882d18786454edbc17fc877b5dbb5dd81307caa4  CVE-2016-1245.patch
+3404f74622f80fb4269a8bbda9e4ebdff2211a0a4aabb10d317b4e97e24d14961bd3cfe12e0cf3abf812185f4fbab06194ab90e1b6a0b376fc78461f77e6e9e0  CVE-2017-16227.patch
 13b5b57e10df013bd2d931abc49bf76b8c4dee59dbceab22c9f151ccb988b2c5f7167f2909027d5e0f990b59da8de115667b02484aee9a67d347625700f6cacd  bgpd.initd
 1638a4a64ffd066b1884f7e5a4243edab68739aabd83bd35ea8c9608af7b8623eece1d59fb08feead84e4386b6d1da4220764ccf5fd7f2a9959a8470d5cce86a  zebra.initd
 900972c6f98e561dfacf384111251db262326e8764b8c763a5ef639fa11c7949c03eef5e3bce324a4b1964fe45416d2db74ae1b6bc967f7d4ba48c2eeda017c4  zebra.confd"
diff --git a/main/quagga/CVE-2017-16227.patch b/main/quagga/CVE-2017-16227.patch
new file mode 100644
index 00000000000..17a7c7e0f6f
--- /dev/null
+++ b/main/quagga/CVE-2017-16227.patch
@@ -0,0 +1,31 @@
+From 7a42b78be9a4108d98833069a88e6fddb9285008 Mon Sep 17 00:00:00 2001
+From: Andreas Jaggi <aj@open.ch>
+Date: Mon, 2 Oct 2017 19:38:43 +0530
+Subject: bgpd: Fix AS_PATH size calculation for long paths
+
+If you have an AS_PATH with more entries than
+what can be written into a single AS_SEGMENT_MAX
+it needs to be broken up.  The code that noticed
+that the AS_PATH needs to be broken up was not
+correctly calculating the size of the resulting
+message.  This patch addresses this issue.
+---
+ bgpd/bgp_aspath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_aspath.c b/bgpd/bgp_aspath.c
+index b7af5e8..d813bfb 100644
+--- a/bgpd/bgp_aspath.c
++++ b/bgpd/bgp_aspath.c
+@@ -903,7 +903,7 @@ aspath_put (struct stream *s, struct aspath *as, int use32bit )
+               assegment_header_put (s, seg->type, AS_SEGMENT_MAX);
+               assegment_data_put (s, seg->as, AS_SEGMENT_MAX, use32bit);
+               written += AS_SEGMENT_MAX;
+-              bytes += ASSEGMENT_SIZE (written, use32bit);
++              bytes += ASSEGMENT_SIZE (AS_SEGMENT_MAX, use32bit);
+             }
+           
+           /* write the final segment, probably is also the first */
+-- 
+cgit v1.0-41-gc330
+
author	Natanael Copa <ncopa@alpinelinux.org>	2017-11-23 10:21:55 +0100
committer	Natanael Copa <ncopa@alpinelinux.org>	2017-11-23 10:27:23 +0100
commit	6e3ecd37f497c0cfbe5ce695900164b2b2d5c1c7 (patch)
tree	53fe1bea02aef78bff9d4eccf4e07bcce1e98d7b
parent	034e674e49645d85932b71a01caec44bbcce3bc2 (diff)