Sebastian Jaenicke <tsa@jaenicke.org>:

Additional patches to the zebra package to close a locally exploitable
and a remotely exploitable denial of service vulnerability.


git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@1756 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc

Documentation/Developers/CHANGELOG-RENE

@@ -1,4 +1,8 @@
 
+*) 2003-11-13 (2.0.0-rc2 - 2.0.0-rc3)
+
+ - Sebastian Jaenicke: added zebra security patches
+
 *) 2003-11-12 (2.0.0-rc2 - 2.0.0-rc3)
 
  - Juergen Sawinski: fixed rene/nxcomp to only install the major library

package/tsa/zebra/50zebra-0.91a-netlink.patch

@@ -0,0 +1,71 @@
+--- zebra-0.91a/zebra/rt_netlink.c.netlink	Tue Jan 23 03:10:04 2001
++++ zebra-0.91a/zebra/rt_netlink.c	Wed Oct 29 22:46:44 2003
+@@ -46,9 +46,8 @@
+   int seq;
+   struct sockaddr_nl snl;
+   char *name;
+-} netlink =	{ -1, 0, {0}, "netlink-listen" },	/* kernel messages */
+-  netlink_cmd = { -1, 0, {0}, "netlink-cmd" },          /* command channel */
+-  netlink_addr = {-1, 0, {0}, "netlink-addr" };		/* address channel */
++} netlink_sock ={ -1, 0, {0}, "netlink-listen" },	/* kernel messages */
++  netlink_cmd = { -1, 0, {0}, "netlink-cmd" };          /* command channel */
+ 
+ struct message nlmsg_str[] =
+ {
+@@ -206,6 +205,13 @@
+ 	  return -1;
+ 	}
+ 
++      /* JF: Ignore messages that aren't from the kernel */
++      if ( snl.nl_pid != 0 )
++        {
++          zlog ( NULL, LOG_ERR, "Ignoring message from pid %u", snl.nl_pid );
++        continue;
++      }
++
+       for (h = (struct nlmsghdr *) buf; NLMSG_OK (h, status); 
+ 	   h = NLMSG_NEXT (h, status))
+ 	{
+@@ -1052,7 +1058,7 @@
+   snl.nl_family = AF_NETLINK;
+ 
+   /* Talk to netlink socket. */
+-  ret = netlink_talk (&req.n, &netlink);
++  ret = netlink_talk (&req.n, &netlink_sock);
+   if (ret < 0)
+     return -1;
+ 
+@@ -1270,7 +1276,7 @@
+   if (family == AF_INET)
+     nl = &netlink_cmd;
+   else
+-    nl = &netlink;
++    nl = &netlink_sock;
+ 
+   /* Talk to netlink socket. */
+   return netlink_talk (&req.n, nl);
+@@ -1384,8 +1390,8 @@
+   int sock;
+ 
+   sock = THREAD_FD (thread);
+-  ret = netlink_parse_info (netlink_information_fetch, &netlink);
+-  thread_add_read (master, kernel_read, NULL, netlink.sock);
++  ret = netlink_parse_info (netlink_information_fetch, &netlink_sock);
++  thread_add_read (master, kernel_read, NULL, netlink_sock.sock);
+ 
+   return 0;
+ }
+@@ -1401,10 +1407,10 @@
+ #ifdef HAVE_IPV6
+   groups |= RTMGRP_IPV6_ROUTE|RTMGRP_IPV6_IFADDR;
+ #endif /* HAVE_IPV6 */
+-  netlink_socket (&netlink, groups);
++  netlink_socket (&netlink_sock, groups);
+   netlink_socket (&netlink_cmd, 0);
+ 
+   /* Register kernel socket. */
+-  if (netlink.sock > 0)
+-    thread_add_read (master, kernel_read, NULL, netlink.sock);
++  if (netlink_sock.sock > 0)
++    thread_add_read (master, kernel_read, NULL, netlink_sock.sock);
+ }

package/tsa/zebra/60zebra-0.91a-remote_dos.patch

@@ -0,0 +1,23 @@
+--- zebra-0.91a/lib/vty.c.orig	Thu Feb  1 02:18:05 2001
++++ zebra-0.91a/lib/vty.c	Wed Oct 15 19:50:34 2003
+@@ -1103,13 +1103,16 @@
+       break;
+     case SE: 
+       {
+-	char *buffer = (char *)vty->sb_buffer->head->data;
+-	int length = vty->sb_buffer->length;
++	char *buffer;
++	int length;
+ 
+-	if (buffer == NULL)
++	if (!vty->iac_sb_in_progress)
+ 	  return 0;
+ 
+-	if (!vty->iac_sb_in_progress)
++	buffer = (char *)vty->sb_buffer->head->data;
++	length = vty->sb_buffer->length;
++
++	if (buffer == NULL)
+ 	  return 0;
+ 
+ 	if (buffer[0] == '\0')