Your message dated Sat, 21 Sep 2019 20:32:08 +0000
with message-id <e1ibm36-0007em...@fasolo.debian.org>
and subject line Bug#939990: fixed in bird 1.6.6-1+deb10u1
has caused the Debian Bug report #939990,
regarding bird: CVE-2019-16159
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
939990: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939990
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bird
Version: 1.6.7-1
Severity: grave
Tags: security upstream
Forwarded: http://trubka.network.cz/pipermail/bird-users/2019-September/013718.html
Control: found -1 1.6.6-1
Hi,
The following vulnerability was published for bird.
CVE-2019-16159[0]:
| BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5
| has a stack-based buffer overflow. The BGP daemon's support for RFC
| 8203 administrative shutdown communication messages included an
| incorrect logical expression when checking the validity of an input
| message. Sending a shutdown communication with a sufficient message
| length causes a four-byte overflow to occur while processing the
| message, where two of the overflow bytes are attacker-controlled and
| two are fixed.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16159
[1] http://trubka.network.cz/pipermail/bird-users/2019-September/013722.html
[2] http://trubka.network.cz/pipermail/bird-users/2019-September/013720.html
[3] http://trubka.network.cz/pipermail/bird-users/2019-September/013718.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: bird
Source-Version: 1.6.6-1+deb10u1
We believe that the bug you reported is fixed in the latest version of
bird, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 939...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ond...@sury.org> (supplier of updated bird package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 18 Sep 2019 11:29:03 +0200
Source: bird
Binary: bird bird-bgp bird-dbgsym bird-doc
Architecture: source all amd64
Version: 1.6.6-1+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Ondřej Surý <ond...@debian.org>
Changed-By: Ondřej Surý <ond...@sury.org>
Description:
bird - Internet Routing Daemon
bird-bgp - Internet Routing Daemon [transitional package]
bird-doc - Internet Routing Daemon - documentation
Closes: 939990
Changes:
bird (1.6.6-1+deb10u1) buster-security; urgency=medium
.
* [CVE-2019-16159]: Fix stack-based buffer overflow (Closes: #939990)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---