On Sat, May 04, 2024 at 06:00:24PM +0200, Moritz Mühlenhoff wrote:
> Source: frr
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for frr.
>
> CVE-2024-34088[0]:
> | In FRRouting (FRR) through 9.1, it is possible for the get_edge()
> | function in ospf_te.c in the OSPF daemon to return a NULL pointer.
> | In cases where calling functions do not handle the returned NULL
> | value, the OSPF daemon crashes, leading to denial of service.

There are two additional related CVE IDs covered by the same pull
request (https://github.com/FRRouting/frr/pull/15674/):

CVE-2024-31951:
| In the Opaque LSA Extended Link parser in FRRouting (FRR) through
| 9.1, there can be a buffer overflow and daemon crash in
| ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read
| Segment Routing Adjacency SID subTLVs (lengths are not validated).

CVE-2024-31950:
| In FRRouting (FRR) through 9.1, there can be a buffer overflow and
| daemon crash in ospf_te_parse_ri for OSPF LSA packets during an
| attempt to read Segment Routing
| subTLVs (their size is not validated).

These got merged with the following commits:

https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4
https://github.com/FRRouting/frr/commit/5557a289acdaec8cc63ffc97b5c2abf6dee7b3a
https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca
https://github.com/FRRouting/frr/commit/e08495a4a8ad4d2050691d9e5e13662d2635b2e0

Cheers,
Moritz
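
The two parser CVEs above share one bug class: a sub-TLV's declared length is trusted before it is compared with the bytes actually left in the LSA. As an added illustration (not FRR's code and not the fix from the pull request), this walker shows both checks a parser needs, assuming the 2-byte type, 2-byte length, 4-byte-padded TLV layout used in OSPF opaque LSAs; the function name, error codes, `DEMO_FIXED8` type and sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLV_HDR 4u            /* 2-byte type + 2-byte length, big-endian */
#define DEMO_FIXED8 0x0001u   /* hypothetical type: value must be exactly 8 bytes */
#define ERR_TRUNCATED (-1)    /* header or value runs past the buffer */
#define ERR_BAD_SIZE  (-2)    /* length disagrees with what the type requires */

/* Walk sub-TLVs in buf[0..len). Returns the count of accepted sub-TLVs,
 * or a negative error before any out-of-bounds byte is touched. */
int walk_subtlvs(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (len - off < TLV_HDR)
            return ERR_TRUNCATED;
        uint16_t type = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        uint16_t vlen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);
        size_t padded = ((size_t)vlen + 3u) & ~(size_t)3u; /* 4-byte padding */

        if (padded > len - off - TLV_HDR)
            return ERR_TRUNCATED;   /* declared length exceeds remaining bytes */
        if (type == DEMO_FIXED8 && vlen != 8)
            return ERR_BAD_SIZE;    /* too short for the struct a parser would read */
        off += TLV_HDR + padded;
        count++;
    }
    return count;
}

/* Constructed sample buffers, not captured traffic. */
static const uint8_t good[] = { 0,1,0,8, 1,2,3,4,5,6,7,8, 0,2,0,3, 0xaa,0xbb,0xcc,0 };
static const uint8_t overlong[] = { 0,2,0,0x40, 0xde,0xad,0xbe,0xef };
static const uint8_t short_fixed[] = { 0,1,0,4, 1,2,3,4 };
static const uint8_t cut_header[] = { 0,2,0 };

int main(void)
{
    printf("good=%d overlong=%d short_fixed=%d cut_header=%d\n",
           walk_subtlvs(good, sizeof good),
           walk_subtlvs(overlong, sizeof overlong),
           walk_subtlvs(short_fixed, sizeof short_fixed),
           walk_subtlvs(cut_header, sizeof cut_header));
    return 0;
}
```

The subtraction-based comparisons (`len - off < TLV_HDR`, `padded > len - off - TLV_HDR`) keep the bounds check itself from wrapping, which an `off + vlen > len` form can do on narrow types.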