{"containers": {"cna": {"affected": [{"product": "Quagga before 1.0.20161017", "vendor": "n/a", "versions": [{"status": "affected", "version": "Quagga before 1.0.20161017"}]}], "datePublic": "2017-02-22T00:00:00", "descriptions": [{"lang": "en", "value": "It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent."}], "problemTypes": [{"descriptions": [{"description": "stack-based buffer overflow", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"name": "RHSA-2017:0794", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0794.html"}, {"name": "GLSA-201701-48", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201701-48"}, {"name": "93775", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/93775"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1386109"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.gossamer-threads.com/lists/quagga/users/31952"}, {"name": "DSA-3695", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2016/dsa-3695"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2016-1245", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Quagga before 1.0.20161017", "version": {"version_data": [{"version_value": "Quagga before 1.0.20161017"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "stack-based buffer overflow"}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:0794", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0794.html"}, {"name": "GLSA-201701-48", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201701-48"}, {"name": "93775", "refsource": "BID", "url": "http://www.securityfocus.com/bid/93775"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1386109", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1386109"}, {"name": "http://www.gossamer-threads.com/lists/quagga/users/31952", "refsource": "CONFIRM", "url": "http://www.gossamer-threads.com/lists/quagga/users/31952"}, {"name": "DSA-3695", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2016/dsa-3695"}, {"name": "https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546", "refsource": "CONFIRM", "url": "https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T22:48:13.613Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:0794", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0794.html"}, {"name": "GLSA-201701-48", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201701-48"}, {"name": "93775", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/93775"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1386109"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.gossamer-threads.com/lists/quagga/users/31952"}, {"name": "DSA-3695", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2016/dsa-3695"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2016-1245", "datePublished": "2017-02-22T23:00:00", "dateReserved": "2015-12-27T00:00:00", "dateUpdated": "2024-08-05T22:48:13.613Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quagga:quagga:*:*:*:*:*:*:*:*", "matchCriteriaId": "B646D43D-A1C2-441B-90CE-2929F7BB072A", "versionEndIncluding": "1.0.20160315", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent."}, {"lang": "es", "value": "Se descubri\u00f3 que el demonio zebra en Quagga en versiones anteriores a 1.0.20161017 sufri\u00f3 un desbordamiento de b\u00fafer basado en pila al procesar mensajes de Neighbor Discovery de IPv6. La causa ra\u00edz radicaba en BUFSIZ para ser compatible con un tama\u00f1o de mensaje; sin embargo, BUFSIZ depende del sistema."}], "id": "CVE-2016-1245", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-02-22T23:59:00.143", "references": [{"source": "security@debian.org", "url": "http://rhn.redhat.com/errata/RHSA-2017-0794.html"}, {"source": "security@debian.org", "tags": ["Mailing List", "Mitigation", "Third Party Advisory"], "url": "http://www.gossamer-threads.com/lists/quagga/users/31952"}, {"source": "security@debian.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/93775"}, {"source": "security@debian.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1386109"}, {"source": "security@debian.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546"}, {"source": "security@debian.org", "url": "https://security.gentoo.org/glsa/201701-48"}, {"source": "security@debian.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2016/dsa-3695"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2017-0794.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Mitigation", "Third Party Advisory"], "url": "http://www.gossamer-threads.com/lists/quagga/users/31952"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/93775"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1386109"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201701-48"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2016/dsa-3695"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:0794", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "quagga-0:0.99.15-14.el6", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2017-03-21T00:00:00Z"}], "bugzilla": {"description": "quagga: Buffer Overflow in IPv6 RA handling", "id": "1386109", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1386109"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "verified"}, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-121", "details": ["It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent.", "A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service."], "name": "CVE-2016-1245", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "quagga", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "quagga", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2016-10-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-1245\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-1245"], "threat_severity": "Moderate"}