Debian LTS: DLA-3797-1: frr Security Advisory Updates
Summary
CVE-2022-26125
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the input packet length in isisd/isis_tlvs.c.
CVE-2022-26126
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
the use of strdup with a non-zero-terminated binary string in
isis_nb_notifications.c.
CVE-2022-26127
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
missing a check on the input packet length in the babel_packet_examin
function in babeld/message.c.
CVE-2022-26128
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
a wrong check on the input packet length in the babel_packet_examin
function in babeld/message.c.
CVE-2022-26129
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the subtlv length in the functions parse_hello_subtlv,
parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.
CVE-2022-37035
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.
CVE-2023-38406
bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri
length of zero, aka a "flowspec overflow."
CVE-2023-38407
bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond
the end of the stream during labeled unicast parsing.
CVE-2023-46752
An issue was discovered in FRRouting FRR through 9.0.1. It mishandles
malformed MP_REACH_NLRI data, leading to a crash.
CVE-2023-46753
An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur for a crafted BGP UPDATE message without mandatory attributes,
e.g., one with only an unknown transit attribute.
CVE-2023-47234
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.
CVE-2023-47235
An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur when a malformed BGP UPDATE message with an EOR is processed,
because the presence of EOR does not lead to a treat-as-withdraw
outcome.
CVE-2024-31948
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID
attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
CVE-2024-31949
In FRRouting (FRR) through 9.1, an infinite loop can occur when
receiving a MP/GR capability as a dynamic capability because malformed
data results in a pointer not advancing.
For Debian 10 buster, these problems have been fixed in version
7.5.1-1.1+deb10u2.
We recommend that you upgrade your frr packages.
For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS