authorSergey Popov <pinkbyte@gentoo.org>2016-10-18 18:25:41 +0300
committerSergey Popov <pinkbyte@gentoo.org>2016-10-18 18:35:50 +0300
commit5a041e0100b705ec223a925e656373b9b0e40fa7 (patch)
tree90134048b21eba0018da59164d07e76c664aa084 /net-misc
parentmedia-video/mkvtoolnix: bump to 9.5.0 (diff)
net-misc/quagga: revision bump
Backport upstream security fix for stack overrun in IPv6 RA receive code in zebra daemon. Reported-by: Agostino Sarubbo <ago@gentoo.org> Gentoo-Bug: 597410 Package-Manager: portage-2.3.2
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/quagga/files/quagga-1.0.20160315-zebra-ipv6-ra-overflow.patch48
-rw-r--r--net-misc/quagga/quagga-1.0.20160315-r4.ebuild137
2 files changed, 185 insertions, 0 deletions
diff --git a/net-misc/quagga/files/quagga-1.0.20160315-zebra-ipv6-ra-overflow.patch b/net-misc/quagga/files/quagga-1.0.20160315-zebra-ipv6-ra-overflow.patch
new file mode 100644
index 000000000000..74b8add40c18
--- /dev/null
+++ b/net-misc/quagga/files/quagga-1.0.20160315-zebra-ipv6-ra-overflow.patch
@@ -0,0 +1,48 @@
+commit cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
+Author: David Lamparter <equinox@opensourcerouting.org>
+Date: Wed Aug 31 13:31:16 2016 +0200
+
+ zebra: stack overrun in IPv6 RA receive code (CVE-2016-1245)
+
+ The IPv6 RA code also receives ICMPv6 RS and RA messages.
+ Unfortunately, by bad coding practice, the buffer size specified on
+ receiving such messages mixed up 2 constants that in fact have
+ different values.
+
+ The code itself has:
+ #define RTADV_MSG_SIZE 4096
+ While BUFSIZ is system-dependent, in my case (x86_64 glibc):
+ /usr/include/_G_config.h:#define _G_BUFSIZ 8192
+ /usr/include/libio.h:#define _IO_BUFSIZ _G_BUFSIZ
+ /usr/include/stdio.h:# define BUFSIZ _IO_BUFSIZ
+
+ FreeBSD, OpenBSD, NetBSD and Illumos are not affected, since all of them
+ have BUFSIZ == 1024.
+
+ As the latter is passed to the kernel on recvmsg(), it's possible to
+ overwrite 4kB of stack -- with ICMPv6 packets that can be globally sent
+ to any of the system's addresses (using fragmentation to get to 8k).
+
+ (The socket has filters installed limiting this to RS and RA packets,
+ but does not have a filter for source address or TTL.)
+
+ Issue discovered by trying to test other stuff, which randomly caused
+ the stack to be smaller than 8kB in that code location, which then
+ causes the kernel to report EFAULT (Bad address).
+
+ Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
+ Reviewed-by: Donald Sharp <sharpd@cumulusnetworks.com>
+
+diff --git a/zebra/rtadv.c b/zebra/rtadv.c
+index d4ef1b8..2f62714 100644
+--- a/zebra/rtadv.c
++++ b/zebra/rtadv.c
+@@ -482,7 +482,7 @@ rtadv_read (struct thread *thread)
+ /* Register myself. */
+ rtadv_event (zvrf, RTADV_READ, sock);
+
+- len = rtadv_recv_packet (sock, buf, BUFSIZ, &from, &ifindex, &hoplimit);
++ len = rtadv_recv_packet (sock, buf, sizeof (buf), &from, &ifindex, &hoplimit);
+
+ if (len < 0)
+ {
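Review bot: The new bound `sizeof (buf)` at the `rtadv_recv_packet` call is only correct if `buf` is a true array local to `rtadv_read`; if it were a pointer, `sizeof` would give the pointer size instead. The declaration is outside the embedded hunk (rtadv_read starts and ends outside it), so it should be checked against the 1.0.20160315 sources this ebuild builds. The patch description's `RTADV_MSG_SIZE` suggests the buffer is declared with that constant, but the hunk does not show it. The description also says the socket filters on message type only, not on source address or TTL, and this one-line change does not alter that, so any hop-limit validation has to happen later in the receive path, which is not visible here. A short header line in the patch file such as `Gentoo-Bug: 597410` would tie the backport to its tracker entry for later audits.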
diff --git a/net-misc/quagga/quagga-1.0.20160315-r4.ebuild b/net-misc/quagga/quagga-1.0.20160315-r4.ebuild
new file mode 100644
index 000000000000..b6af57e72967
--- /dev/null
+++ b/net-misc/quagga/quagga-1.0.20160315-r4.ebuild
@@ -0,0 +1,137 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+
+CLASSLESS_BGP_PATCH=ht-20040304-classless-bgp.patch
+
+inherit autotools eutils flag-o-matic multilib pam readme.gentoo-r1 systemd user
+
+DESCRIPTION="A free routing daemon replacing Zebra supporting RIP, OSPF and BGP"
+HOMEPAGE="http://quagga.net/"
+SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz
+ bgpclassless? ( http://hasso.linux.ee/stuff/patches/quagga/${CLASSLESS_BGP_PATCH} )"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~s390 ~sparc ~x86"
+
+IUSE="bgpclassless caps doc elibc_glibc ipv6 multipath ospfapi pam +readline snmp tcp-zebra"
+
+COMMON_DEPEND="
+ caps? ( sys-libs/libcap )
+ snmp? ( net-analyzer/net-snmp )
+ readline? (
+ sys-libs/readline:0
+ pam? ( sys-libs/pam )
+ )
+ !elibc_glibc? ( dev-libs/libpcre )"
+DEPEND="${COMMON_DEPEND}
+ app-arch/xz-utils
+ sys-apps/gawk
+ sys-devel/libtool:2"
+RDEPEND="${COMMON_DEPEND}
+ sys-apps/iproute2"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-0.99.22.4-ipctl-forwarding.patch"
+ "${FILESDIR}/${P}-ripd-null-pointer-fix.patch"
+ "${FILESDIR}/${P}-ospfd-dangling-pointer-fix.patch"
+ "${FILESDIR}/${P}-bgpd-logging-fix.patch"
+ "${FILESDIR}/${P}-zebra-ipv6-ra-overflow.patch"
+)
+
+DISABLE_AUTOFORMATTING=1
+DOC_CONTENTS="Sample configuration files can be found in /usr/share/doc/${PF}/samples
+You have to create config files in /etc/quagga before
+starting one of the daemons.
+
+You can pass additional options to the daemon by setting the EXTRA_OPTS
+variable in their respective file in /etc/conf.d"
+
+pkg_setup() {
+ enewgroup quagga
+ enewuser quagga -1 -1 /var/empty quagga
+}
+
+src_prepare() {
+ # Classless prefixes for BGP
+ # http://hasso.linux.ee/doku.php/english:network:quagga
+ use bgpclassless && eapply -p0 "${DISTDIR}/${CLASSLESS_BGP_PATCH}"
+
+ epatch ${PATCHES[@]}
+ eapply_user
+ eautoreconf
+}
+
+src_configure() {
+ append-flags -fno-strict-aliasing
+
+ # do not build PDF docs
+ export ac_cv_prog_PDFLATEX=no
+ export ac_cv_prog_LATEXMK=no
+
+ econf \
+ --enable-exampledir=/usr/share/doc/${PF}/samples \
+ --enable-irdp \
+ --enable-isisd \
+ --enable-isis-topology \
+ --enable-pimd \
+ --enable-user=quagga \
+ --enable-group=quagga \
+ --enable-vty-group=quagga \
+ --with-cflags="${CFLAGS}" \
+ --with-pkg-extra-version="-gentoo" \
+ --sysconfdir=/etc/quagga \
+ --localstatedir=/run/quagga \
+ --disable-static \
+ $(use_enable caps capabilities) \
+ $(usex snmp '--enable-snmp' '' '' '') \
+ $(use_enable !elibc_glibc pcreposix) \
+ $(use_enable tcp-zebra) \
+ $(use_enable doc) \
+ $(usex multipath $(use_enable multipath) '' '=0' '') \
+ $(usex ospfapi '--enable-opaque-lsa --enable-ospf-te --enable-ospfclient' '' '' '') \
+ $(use_enable readline vtysh) \
+ $(use_with pam libpam) \
+ $(use_enable ipv6 ripngd) \
+ $(use_enable ipv6 ospf6d) \
+ $(use_enable ipv6 rtadv)
+}
+
+src_install() {
+ default
+ prune_libtool_files
+ readme.gentoo_create_doc
+
+ keepdir /etc/quagga
+ fowners root:quagga /etc/quagga
+ fperms 0770 /etc/quagga
+
+ # Path for PIDs before first reboot should be created here, bug #558194
+ dodir /run/quagga
+ fowners quagga:quagga /run/quagga
+ fperms 0770 /run/quagga
+
+ # Install systemd-related stuff, bug #553136
+ systemd_dotmpfilesd "${FILESDIR}/systemd/quagga.conf"
+ systemd_dounit "${FILESDIR}/systemd/zebra.service"
+
+ # install zebra as a file, symlink the rest
+ newinitd "${FILESDIR}"/quagga-services.init.3 zebra
+
+ for service in bgpd isisd ospfd pimd ripd $(use ipv6 && echo ospf6d ripngd); do
+ dosym zebra /etc/init.d/${service}
+ systemd_dounit "${FILESDIR}/systemd/${service}.service"
+ done
+
+ use readline && use pam && newpamd "${FILESDIR}/quagga.pam" quagga
+
+ insinto /etc/logrotate.d
+ newins redhat/quagga.logrotate quagga
+}
+
+pkg_postinst() {
+ readme.gentoo_print_elog
+}
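Review bot: In `src_prepare` the array is expanded unquoted in `epatch ${PATCHES[@]}`, so each `${FILESDIR}` path is subject to word splitting and globbing; `epatch "${PATCHES[@]}"` keeps every patch path as one argument. Since the ebuild declares `EAPI=6`, `eapply "${PATCHES[@]}"` would be the native form, but only if all five patches apply at the default strip level, which this page does not show for the older ones. The security backport is listed in `PATCHES` with nothing marking it as such; a comment above that entry, e.g. `# CVE-2016-1245, bug #597410`, would keep it from being dropped unnoticed at the next version bump.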