Bug 23856

Summary: buffer flow in zebra port
Product: Ports & Packages
Reporter: Vincent Poy <vince>
Component: Individual Port(s)
Assignee: andreas <andreas>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments: file.diff (Flags: none)

Description Vincent Poy 2000-12-26 13:50:01 UTC
zebra port (net/zebra) has vtysh buffer overflow and requires patch

Fix: Patch 1:
How-To-Repeat: 
See Zebra Mailing list archives
Comment 1 Peter Pentchev 2000-12-26 14:12:38 UTC
Responsible Changed
From-To: freebsd-ports->andreas

Over to maintainer; this might be moderately urgent, and it might also 
merit a PORTREVISION bump, as per our Security Officer's recommendations 
for security fixes.  It might also have to be run by SO for audit, 
and/or a security advisory :)
Comment 2 Peter Pentchev 2000-12-26 14:25:58 UTC
On Tue, Dec 26, 2000 at 04:18:19AM -1000, Vincent Poy wrote:
> On Tue, 26 Dec 2000 roam@FreeBSD.ORG wrote:
> 
> > Synopsis: buffer flow in zebra port
> >
> > Responsible-Changed-From-To: freebsd-ports->andreas
> > Responsible-Changed-By: roam
> > Responsible-Changed-When: Tue Dec 26 06:12:38 PST 2000
> > Responsible-Changed-Why:
> > Over to maintainer; this might be moderately urgent, and it might also
> > merit a PORTREVISION bump, as per our Security Officer's recommendations
> > for security fixes.  It might also have to be run by SO for audit,
> > and/or a security advisory :)
> >
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=23856
> 
> 	Just in case, here are links to the Zebra mailing list:
> 
> http://marc.theaimsgroup.com/?l=zebra&m=97772483632199&w=2
> http://marc.theaimsgroup.com/?l=zebra&m=97773263304303&w=2

Btw, have you *tested* this patch?  Does zebra compile with it?
I admit I have not tried, but the last line - vty-_clear_buf(vty) -
looks a bit suspicious to me; could it be a typo, meant for, say,
vty_clear_buf(vty) ?

G'luck,
Peter

PS.  Note that I'm CC'ing this to freebsd-gnats-submit@FreeBSD.org,
not to -ports; when GNATS receives a message with this subject line,
it forwards it to -ports, and also saves it to the problem report
audit trail - useful for future reference :)  Messages to -ports go
to -ports only, and are only saved in the list archives.

Also, when a message is CC'ed to GNATS, there's no need to send it
to the person responsible for the PR - GNATS sends it his way too.

-- 
If this sentence didn't exist, somebody would have invented it.
Comment 3 Vincent Poy 2000-12-26 14:45:59 UTC
On Tue, 26 Dec 2000, Peter Pentchev wrote:

Greetings Peter:

> On Tue, Dec 26, 2000 at 04:18:19AM -1000, Vincent Poy wrote:
> > On Tue, 26 Dec 2000 roam@FreeBSD.ORG wrote:
> >
> > > Synopsis: buffer flow in zebra port
> > >
> > > Responsible-Changed-From-To: freebsd-ports->andreas
> > > Responsible-Changed-By: roam
> > > Responsible-Changed-When: Tue Dec 26 06:12:38 PST 2000
> > > Responsible-Changed-Why:
> > > Over to maintainer; this might be moderately urgent, and it might also
> > > merit a PORTREVISION bump, as per our Security Officer's recommendations
> > > for security fixes.  It might also have to be run by SO for audit,
> > > and/or a security advisory :)
> > >
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=23856
> >
> > 	Just in case, here are links to the Zebra mailing list:
> >
> > http://marc.theaimsgroup.com/?l=zebra&m=97772483632199&w=2
> > http://marc.theaimsgroup.com/?l=zebra&m=97773263304303&w=2
>
> Btw, have you *tested* this patch?  Does zebra compile with it?
> I admit I have not tried, but the last line - vty-_clear_buf(vty) -
> looks a bit suspicious to me; could it be a typo, meant for, say,
> vty_clear_buf(vty) ?

	Haven't yet but I'll test it now since I know they added it to the
latest cvs of zebra.  I added the patch under patch-aa in
/usr/ports/net/zebra/files.  I'll do a make now and it does patch.   It
finishes building and here I go with installing it.  Now just for the
test:

root@oahu [4:43am][/usr/ports/net/zebra] >> zebractl start
 zebra ripd bgpdroot@oahu [4:43am][/usr/ports/net/zebra] >>
root@oahu [4:43am][/usr/ports/net/zebra] >> telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost.WURLDLINK.NET.
Escape character is '^]'.

Hello, this is zebra (version 0.89a)
Copyright 1996-2000 Kunihiro Ishiguro


User Access Verification

Password:
FreeBSD0-atm-us-hnl> en
Password:
FreeBSD0-atm-us-hnl# show version
Zebra 0.89a (i386--freebsd4.1).
Copyright 1996-2000, Kunihiro Ishiguro.
FreeBSD0-atm-us-hnl#

	So it does work.

> G'luck,
> Peter
>
> PS.  Note that I'm CC'ing this to freebsd-gnats-submit@FreeBSD.org,
> not to -ports; when GNATS receives a message with this subject line,
> it forwards it to -ports, and also saves it to the problem report
> audit trail - useful for future reference :)  Messages to -ports go
> to -ports only, and are only saved in the list archives.
>
> Also, when a message is CC'ed to GNATS, there's no need to send it
> to the person responsible for the PR - GNATS sends it his way too.

	Thanks...  I guess I'll remember to reply to -gnats rather than
-ports directly.  Thanks for the tip and a belated Merry Christmas!


Cheers,
Vince - vince@WURLDLINK.NET - Vice President             ________   __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
WurldLink Corporation                                  / / / /  | /  | __] ]
San Francisco - Honolulu - Hong Kong                  / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
Comment 4 Andreas Klemm 2000-12-26 22:35:50 UTC
On Tue, Dec 26, 2000 at 06:13:42AM -0800, roam@FreeBSD.org wrote:
> Synopsis: buffer flow in zebra port
> 
> Responsible-Changed-From-To: freebsd-ports->andreas
> Responsible-Changed-By: roam
> Responsible-Changed-When: Tue Dec 26 06:12:38 PST 2000
> Responsible-Changed-Why: 
> Over to maintainer; this might be moderately urgent, and it might also
> merit a PORTREVISION bump, as per our Security Officer's recommendations
> for security fixes.  It might also have to be run by SO for audit,
> and/or a security advisory :)
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=23856

I grabbed the patch from the zebra CVS repository and
contacted Kris as "Security Officer" as well as Kunihiro
from zebra to review the patch.

	Andreas ///

-- 
Andreas Klemm                                           Powered by FreeBSD SMP
Songs from our band >>64Bits<<............http://www.apsfilter.org/64bits.html
My homepage................................ http://people.FreeBSD.ORG/~andreas
Please note: Apsfilter got a NEW HOME................http://www.apsfilter.org/
Comment 5 andreas 2001-01-09 15:54:55 UTC
State Changed
From-To: open->closed

patch is o.k. 
additionally a new zebra release is on its way ...