[SECURITY] [DLA 3865-1] frr security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3865-1] frr security update
From: Tobias Frost <tobi@debian.org>
Date: Tue, 3 Sep 2024 07:07:14 +0200
Message-id: <[🔎] ZtaZgtdCsKVjezJ3@isildor2.loewenhoehle.ip>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3865-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
September 03, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : frr
Version        : 7.5.1-1.1+deb11u3
CVE ID         : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 
                 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 
                 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 
                 CVE-2024-31948 CVE-2024-31949 CVE-2024-44070
Debian Bug     : 1008010 1016978 1055852 1079649

Several vulnerabilities have been found in frr, the FRRouting suite of
internet protocols. An attacker could craft packages to potentially trigger
those effects: buffer overflows with the possibility to gain remote code
execution, buffer overreads, crashes or trick the software to enter an
infinite loop.

CVE-2022-26125

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    wrong checks on the input packet length in isisd/isis_tlvs.c.

CVE-2022-26126

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    the use of strdup with a non-zero-terminated binary string in
    isis_nb_notifications.c.

CVE-2022-26127

    A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
    missing a check on the input packet length in the babel_packet_examin
    function in babeld/message.c.

CVE-2022-26128

    A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
    a wrong check on the input packet length in the babel_packet_examin
    function in babeld/message.c.

CVE-2022-26129

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    wrong checks on the subtlv length in the functions, parse_hello_subtlv,
    parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.

CVE-2022-37035

    An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
    bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
    there is a possible use-after-free due to a race condition. This could
    lead to Remote Code Execution or Information Disclosure by sending
    crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-38406

    bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri
    length of zero, aka a "flowspec overflow."

CVE-2023-38407

    bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond
    the end of the stream during labeled unicast parsing.

CVE-2023-46752

    An issue was discovered in FRRouting FRR through 9.0.1. It mishandles
    malformed MP_REACH_NLRI data, leading to a crash.

CVE-2023-46753

    An issue was discovered in FRRouting FRR through 9.0.1. A crash can
    occur for a crafted BGP UPDATE message without mandatory attributes,
    e.g., one with only an unknown transit attribute.

CVE-2023-47234

    An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
    bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
    there is a possible use-after-free due to a race condition. This could
    lead to Remote Code Execution or Information Disclosure by sending
    crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-47235

    An issue was discovered in FRRouting FRR through 9.0.1. A crash can
    occur when a malformed BGP UPDATE message with an EOR is processed,
    because the presence of EOR does not lead to a treat-as-withdraw
    outcome.

CVE-2024-31948

    In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID
    attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.

CVE-2024-31949

    In FRRouting (FRR) through 9.1, an infinite loop can occur when
    receiving a MP/GR capability as a dynamic capability because malformed
    data results in a pointer not advancing.

CVE-2024-44070

    An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap
    in bgpd/bgp_attr.c does not check the actual remaining stream length
    before taking the TLV value.

For Debian 11 bullseye, these problems have been fixed in version
7.5.1-1.1+deb11u3.

We recommend that you upgrade your frr packages.

For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 3864-1] webkit2gtk security update
Next by Date: [SECURITY] [DLA 3866-1] ruby-tzinfo security update
Previous by thread: [SECURITY] [DLA 3864-1] webkit2gtk security update
Next by thread: [SECURITY] [DLA 3866-1] ruby-tzinfo security update
Index(es):
- Date
- Thread