
[meta-networking,kirkstone,2/5] quagga: patch CVE-2017-3224

Message ID 20260227120323.333696-2-skandigraun@gmail.com
State New
Series [meta-webserver,kirkstone,1/5] webmin: patch CVE-2025-67738 | expand

Commit Message

Gyorgy Sarvari Feb. 27, 2026, 12:03 p.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2017-3224

Quagga is an abandoned project, but it is not without a successor.
Frr (or Frrouting) is a fork of Quagga, and they have fixed this
vulnerability. That patch from Frr was ported to Quagga.

The Frr patch mentions this CVE ID explicitly, and also Debian
has identified it as the correct patch[1].

[1]: https://security-tracker.debian.org/tracker/CVE-2017-3224

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../quagga/files/CVE-2017-3224.patch          | 90 +++++++++++++++++++
 .../recipes-protocols/quagga/quagga.inc       |  3 +-
 2 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch

Patch

diff --git a/meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch b/meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch
new file mode 100644
index 0000000000..025f0b3e4f
--- /dev/null
+++ b/meta-networking/recipes-protocols/quagga/files/CVE-2017-3224.patch
@@ -0,0 +1,90 @@ 
+From 5e54975af4c6429f5e7bf9a29ff8425e131e92ca Mon Sep 17 00:00:00 2001
+From: Chirag Shah <chirag@cumulusnetworks.com>
+Date: Fri, 25 Jan 2019 17:21:24 -0800
+Subject: [PATCH] ospfd: address CVE-2017-3224
+
+Based on the vulnerability mentioned in 793496 an attacker can craft an
+LSA with MaxSequence number wtih invalid links and not set age to MAX_AGE
+so the lsa would not be flush from the database.
+
+To address the issue, check incoming LSA is MaxSeq but Age is not set
+to MAX_AGE 3600, discard the LSA from processing it.
+Based on  RFC-2328 , When a LSA update sequence reaches MaxSequence
+number, it should be prematurely aged out from the database with age set
+to MAX_AGE (3600).
+
+Ticket:CM-18989
+Reviewed By:
+Testing Done:
+
+Signed-off-by: Chirag Shah <chirag@cumulusnetworks.com>
+
+CVE: CVE-2017-3224
+Upstream-Status: Inactive-Upstream [ported from frr, a fork: https://github.com/FRRouting/frr/commit/7791d3deab8f4bbee2ccdd98ea596617536bc681]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ ospfd/ospf_packet.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/ospfd/ospf_packet.c b/ospfd/ospf_packet.c
+index facba89..504df02 100644
+--- a/ospfd/ospf_packet.c
++++ b/ospfd/ospf_packet.c
+@@ -1936,9 +1936,20 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+       if (current == NULL ||
+ 	  (ret = ospf_lsa_more_recent (current, lsa)) < 0)
+ 	{
++          /* CVE-2017-3224 */
++          if (current && (lsa->data->ls_seqnum ==
++            htonl(OSPF_MAX_SEQUENCE_NUMBER)
++            && !IS_LSA_MAXAGE(lsa))) {
++              zlog_debug(
++                "Link State Update[%s]: has Max Seq but not MaxAge. Dropping it",
++                dump_lsa_key(lsa));
++
++              DISCARD_LSA(lsa, 4);
++              continue;
++          }
+ 	  /* Actual flooding procedure. */
+ 	  if (ospf_flood (oi->ospf, nbr, current, lsa) < 0)  /* Trap NSSA later. */
+-	    DISCARD_LSA (lsa, 4);
++	    DISCARD_LSA (lsa, 5);
+ 	  continue;
+ 	}
+ 
+@@ -1987,7 +1998,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ 		if (NBR_IS_DR (nbr))
+ 		  listnode_add (oi->ls_ack, ospf_lsa_lock (lsa));
+ 
+-              DISCARD_LSA (lsa, 5);
++              DISCARD_LSA (lsa, 6);
+ 	    }
+ 	  else
+ 	    /* Acknowledge the receipt of the LSA by sending a
+@@ -1995,7 +2006,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ 	       interface. */
+ 	    {
+ 	      ospf_ls_ack_send (nbr, lsa);
+-	      DISCARD_LSA (lsa, 6);
++	      DISCARD_LSA (lsa, 7);
+ 	    }
+ 	}
+ 
+@@ -2011,7 +2022,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ 	  if (IS_LSA_MAXAGE (current) &&
+ 	      current->data->ls_seqnum == htonl (OSPF_MAX_SEQUENCE_NUMBER))
+ 	    {
+-	      DISCARD_LSA (lsa, 7);
++	      DISCARD_LSA (lsa, 8);
+ 	    }
+ 	  /* Otherwise, as long as the database copy has not been sent in a
+ 	     Link State Update within the last MinLSArrival seconds, send the
+@@ -2031,7 +2042,7 @@ ospf_ls_upd (struct ospf *ospf, struct ip *iph, struct ospf_header *ospfh,
+ 			  msec2tv (ospf->min_ls_arrival)) >= 0)
+ 		/* Trap NSSA type later.*/
+ 		ospf_ls_upd_send_lsa (nbr, current, OSPF_SEND_PACKET_DIRECT);
+-	      DISCARD_LSA (lsa, 8);
++	      DISCARD_LSA (lsa, 9);
+ 	    }
+ 	}
+     }
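Review bot: The new drop path under `if (current && ...)` in the first ospf_packet.c hunk reports the rejected LSA only through an unconditional `zlog_debug`, so a router that is not logging at debug level keeps no record that a MaxSequenceNumber LSA without MaxAge was discarded. That is the event an operator would want to see for this CVE, so consider `zlog_warn` there, bearing in mind that a neighbour can trigger the path repeatedly and the message may need rate limiting. The check is also skipped when `current` is NULL, so such an LSA with no database copy still reaches `ospf_flood`. This looks deliberate, but the bare `/* CVE-2017-3224 */` comment does not say so. I would expand it to `/* CVE-2017-3224: an LSA at MaxSequenceNumber is expected to carry MaxAge (RFC 2328); drop it when a database copy exists and it does not. */`. The remaining hunks only renumber the `DISCARD_LSA` second argument, and `ospf_ls_upd` begins and ends outside all of them.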
diff --git a/meta-networking/recipes-protocols/quagga/quagga.inc b/meta-networking/recipes-protocols/quagga/quagga.inc
index d368311d13..3534114a22 100644
--- a/meta-networking/recipes-protocols/quagga/quagga.inc
+++ b/meta-networking/recipes-protocols/quagga/quagga.inc
@@ -34,7 +34,8 @@  SRC_URI = "https://github.com/Quagga/quagga/releases/download/quagga-${PV}/quagg
            file://ripd.service \
            file://ripngd.service \
            file://zebra.service \
-          "
+           file://CVE-2017-3224.patch \
+           "
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[cap] = "--enable-capabilities,--disable-capabilities,libcap"