From vince@oahu.WURLDLINK.NET  Tue Dec 26 05:40:40 2000
Return-Path: <vince@oahu.WURLDLINK.NET>
Received: from oahu.WURLDLINK.NET (oahu.WURLDLINK.NET [216.235.52.1])
	by hub.freebsd.org (Postfix) with ESMTP id 6093D37B402
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 26 Dec 2000 05:40:39 -0800 (PST)
Received: (from vince@localhost)
	by oahu.WURLDLINK.NET (8.9.3/8.9.3) id DAA31977;
	Tue, 26 Dec 2000 03:40:22 -1000 (HST)
	(envelope-from vince)
Message-Id: <200012261340.DAA31977@oahu.WURLDLINK.NET>
Date: Tue, 26 Dec 2000 03:40:22 -1000 (HST)
From: Vincent Poy <vince@oahu.WURLDLINK.NET>
Reply-To: vince@oahu.WURLDLINK.NET
To: FreeBSD-gnats-submit@freebsd.org
Subject: Zebra port needs slight update
X-Send-Pr-Version: 3.2

>Number:         23856
>Category:       ports
>Synopsis:       buffer flow in zebra port
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    andreas
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 26 05:50:01 PST 2000
>Closed-Date:    Tue Jan 9 07:54:55 PST 2001
>Last-Modified:  Tue Jan 09 07:56:44 PST 2001
>Originator:     Vincent Poy
>Release:        FreeBSD 4.1-RELEASE i386
>Organization:
Wurldlink Corporation - http://www.WURLDLINK.NET
>Environment:

Standard FreeBSD i386 environment

>Description:

zebra port (net/zebra) has vtysh buffer overflow and requires patch

>How-To-Repeat:

See Zebra Mailing list archives

>Fix:

Patch 1:

Index: lib/vty.c
===================================================================
RCS file: /cvsroot/zebra/lib/vty.c.v
retrieving revision 1.105
diff -r1.105 vty.c
1858c1858,1859
<   vty->buf = buf;
---
>   vty_ensure( vty, nbytes );
>   memcpy( vty->buf, buf, nbytes );
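Review bot: the memcpy at new line 1859 copies exactly nbytes into vty->buf and nothing in the hunk writes a terminating NUL, so if vty->buf is read as a C string before it is cleared, the read can run past the copied data. If that is how the buffer is consumed, request nbytes + 1 from vty_ensure and set vty->buf[nbytes] = '\0' after the copy. The hunk also does not show nbytes being validated or any check on the result of vty_ensure; a short comment stating what vty_ensure guarantees about the size of vty->buf would make the copy easier to audit.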
1860c1861
<   vty->buf = NULL;
---
>   vty-_clear_buf( vty );
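Review bot: `vty-_clear_buf( vty );` at new line 1861 parses as the subtraction `vty - _clear_buf( vty )`, not as a call to a vty_-prefixed function like the `vty_ensure` used in the previous hunk. If `vty_clear_buf( vty )` is what is meant, the line should be corrected before the patch goes into the port's files directory. The removed line reset vty->buf to NULL, so it is also worth confirming that the replacement leaves vty->buf in a state the next vty_ensure call handles correctly.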


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports->andreas 
Responsible-Changed-By: roam 
Responsible-Changed-When: Tue Dec 26 06:12:38 PST 2000 
Responsible-Changed-Why:  
Over to maintainer; this might be moderately urgent, and it might also 
merit a PORTREVISION bump, as per our Security Officer's recommendations 
for security fixes.  It might also have to be run by SO for audit, 
and/or a security advisory :) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23856 

From: Peter Pentchev <roam@orbitel.bg>
To: Vincent Poy <vince@oahu.WURLDLINK.NET>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: ports/23856: buffer flow in zebra port
Date: Tue, 26 Dec 2000 16:25:58 +0200

 On Tue, Dec 26, 2000 at 04:18:19AM -1000, Vincent Poy wrote:
 > On Tue, 26 Dec 2000 roam@FreeBSD.ORG wrote:
 > 
 > > Synopsis: buffer flow in zebra port
 > >
 > > Responsible-Changed-From-To: freebsd-ports->andreas
 > > Responsible-Changed-By: roam
 > > Responsible-Changed-When: Tue Dec 26 06:12:38 PST 2000
 > > Responsible-Changed-Why:
 > > Over to maintainer; this might be moderately urgent, and it might also
 > > merit a PORTREVISION bump, as per our Security Officer's recommendations
 > > for security fixes.  It might also have to be run by SO for audit,
 > > and/or a security advisory :)
 > >
 > > http://www.freebsd.org/cgi/query-pr.cgi?pr=23856
 > 
 > 	Just in case, here are links to the Zebra mailing list:
 > 
 > http://marc.theaimsgroup.com/?l=zebra&m=97772483632199&w=2
 > http://marc.theaimsgroup.com/?l=zebra&m=97773263304303&w=2
 
 Btw, have you *tested* this patch?  Does zebra compile with it?
 I admit I have not tried, but the last line - vty-_clear_buf(vty) -
 looks a bit suspicious to me; could it be a typo, meant for, say,
 vty_clear_buf(vty) ?
 
 G'luck,
 Peter
 
 PS.  Note that I'm CC'ing this to freebsd-gnats-submit@FreeBSD.org,
 not to -ports; when GNATS receives a message with this subject line,
 it forwards it to -ports, and also saves it to the problem report
 audit trail - useful for future reference :)  Messages to -ports go
 to -ports only, and are only saved in the list archives.
 
 Also, when a message is CC'ed to GNATS, there's no need to send it
 to the person responsible for the PR - GNATS sends it his way too.
 
 -- 
 If this sentence didn't exist, somebody would have invented it.
 

From: Vincent Poy <vince@oahu.WURLDLINK.NET>
To: Peter Pentchev <roam@orbitel.bg>
Cc: <freebsd-gnats-submit@FreeBSD.ORG>
Subject: Re: ports/23856: buffer flow in zebra port
Date: Tue, 26 Dec 2000 04:45:59 -1000 (HST)

 On Tue, 26 Dec 2000, Peter Pentchev wrote:
 
 Greetings Peter:
 
 > On Tue, Dec 26, 2000 at 04:18:19AM -1000, Vincent Poy wrote:
 > > On Tue, 26 Dec 2000 roam@FreeBSD.ORG wrote:
 > >
 > > > Synopsis: buffer flow in zebra port
 > > >
 > > > Responsible-Changed-From-To: freebsd-ports->andreas
 > > > Responsible-Changed-By: roam
 > > > Responsible-Changed-When: Tue Dec 26 06:12:38 PST 2000
 > > > Responsible-Changed-Why:
 > > > Over to maintainer; this might be moderately urgent, and it might also
 > > > merit a PORTREVISION bump, as per our Security Officer's recommendations
 > > > for security fixes.  It might also have to be run by SO for audit,
 > > > and/or a security advisory :)
 > > >
 > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=23856
 > >
 > > 	Just in case, here are links to the Zebra mailing list:
 > >
 > > http://marc.theaimsgroup.com/?l=zebra&m=97772483632199&w=2
 > > http://marc.theaimsgroup.com/?l=zebra&m=97773263304303&w=2
 >
 > Btw, have you *tested* this patch?  Does zebra compile with it?
 > I admit I have not tried, but the last line - vty-_clear_buf(vty) -
 > looks a bit suspicious to me; could it be a typo, meant for, say,
 > vty_clear_buf(vty) ?
 
 	Haven't yet but I'll test it now since I know they added it to the
 latest cvs of zebra.  I added the patch under patch-aa in
 /usr/ports/net/zebra/files.  I'll do a make now and it does patch.   It
 finishes building and here I go with installing it.  Now just for the
 test:
 
 root@oahu [4:43am][/usr/ports/net/zebra] >> zebractl start
  zebra ripd bgpdroot@oahu [4:43am][/usr/ports/net/zebra] >>
 root@oahu [4:43am][/usr/ports/net/zebra] >> telnet localhost 2601
 Trying 127.0.0.1...
 Connected to localhost.WURLDLINK.NET.
 Escape character is '^]'.
 
 Hello, this is zebra (version 0.89a)
 Copyright 1996-2000 Kunihiro Ishiguro
 
 
 User Access Verification
 
 Password:
 FreeBSD0-atm-us-hnl> en
 Password:
 FreeBSD0-atm-us-hnl# show version
 Zebra 0.89a (i386--freebsd4.1).
 Copyright 1996-2000, Kunihiro Ishiguro.
 FreeBSD0-atm-us-hnl#
 
 	So it does work.
 
 > G'luck,
 > Peter
 >
 > PS.  Note that I'm CC'ing this to freebsd-gnats-submit@FreeBSD.org,
 > not to -ports; when GNATS receives a message with this subject line,
 > it forwards it to -ports, and also saves it to the problem report
 > audit trail - useful for future reference :)  Messages to -ports go
 > to -ports only, and are only saved in the list archives.
 >
 > Also, when a message is CC'ed to GNATS, there's no need to send it
 > to the person responsible for the PR - GNATS sends it his way too.
 
 	Thanks...  I guess I'll remember to reply to -gnats rather than
 -ports directly.  Thanks for the tip and a belated Merry Christmas!
 
 
 Cheers,
 Vince - vince@WURLDLINK.NET - Vice President             ________   __ ____
 Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
 WurldLink Corporation                                  / / / /  | /  | __] ]
 San Francisco - Honolulu - Hong Kong                  / / / / / |/ / | __] ]
 HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
 Almighty1@IRC - oahu.DAL.NET Hawaii's DALnet IRC Network Server Admin
 
 
 

From: Andreas Klemm <andreas@klemm.gtn.com>
To: roam@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: ports/23856: buffer flow in zebra port
Date: Tue, 26 Dec 2000 23:35:50 +0100

 On Tue, Dec 26, 2000 at 06:13:42AM -0800, roam@FreeBSD.org wrote:
 > Synopsis: buffer flow in zebra port
 > 
 > Responsible-Changed-From-To: freebsd-ports->andreas
 > Responsible-Changed-By: roam
 > Responsible-Changed-When: Tue Dec 26 06:12:38 PST 2000
 > Responsible-Changed-Why: 
 > Over to maintainer; this might be moderately urgent, and it might also
 > merit a PORTREVISION bump, as per our Security Officer's recommendations
 > for security fixes.  It might also have to be run by SO for audit,
 > and/or a security advisory :)
 > 
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=23856
 
 I grabbed the patch from the zebra CVS repository and
 contacted Kris as "Security Officer" as well as Kunihiro
 from zebra to review the patch.
 
 	Andreas ///
 
 -- 
 Andreas Klemm                                           Powered by FreeBSD SMP
 Songs from our band >>64Bits<<............http://www.apsfilter.org/64bits.html
 My homepage................................ http://people.FreeBSD.ORG/~andreas
 Please note: Apsfilter got a NEW HOME................http://www.apsfilter.org/
 
 
State-Changed-From-To: open->closed 
State-Changed-By: andreas 
State-Changed-When: Tue Jan 9 07:54:55 PST 2001 
State-Changed-Why:  
patch is o.k. 
additionally a new zebra release is on its way ... 

http://www.freebsd.org/cgi/query-pr.cgi?pr=23856 
>Unformatted:
