
Bug#869949: marked as done (jessie-pu: package ipsec-tools/1:0.8.2+20140711-2+deb8u1)



Your message dated Sun, 17 Jun 2018 19:06:08 +0100
with message-id <20180617180608.uhpwjhfmrh2zmojb@powdarrmonkey.net>
and subject line Re: Bug#869949: jessie-pu: package ipsec-tools/1:0.8.2+20140711-2+deb8u1
has caused the Debian Bug report #869949,
regarding jessie-pu: package ipsec-tools/1:0.8.2+20140711-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
869949: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869949
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

I'd like to update ipsec-tools in the next oldstable point release to
address a security vulnerability in which a remote unauthenticated
attacker could cause racoon to exhaust CPU resources, resulting in a
denial of service. Because the issue has been known for some time, the
security team does not feel that this warrants a DSA. Instead it should
be updated via (old)stable-updates. See
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 for details.

Note also that I already uploaded a package targeting stable-updates
without prior approval.  Apologies for getting the process wrong in that
case.

debdiff is attached. The diffstat is:
 changelog                    |    6 ++
 patches/CVE-2016-10396.patch |  201 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 patches/series               |    1 
 3 files changed, 208 insertions(+)

Thanks
noah
diff -Nru ipsec-tools-0.8.2+20140711/debian/changelog ipsec-tools-0.8.2+20140711/debian/changelog
--- ipsec-tools-0.8.2+20140711/debian/changelog	2015-05-22 01:03:06.000000000 -0700
+++ ipsec-tools-0.8.2+20140711/debian/changelog	2017-07-27 14:37:54.000000000 -0700
@@ -1,3 +1,9 @@
+ipsec-tools (1:0.8.2+20140711-2+deb8u2) oldstable; urgency=medium
+
+  * Import NetBSD's patch to address CVE-2016-10396 (Closes: #867986)
+
+ -- Noah Meyerhans <noahm@debian.org>  Thu, 27 Jul 2017 14:37:54 -0700
+
 ipsec-tools (1:0.8.2+20140711-2+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch
--- ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch	1969-12-31 16:00:00.000000000 -0800
+++ ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch	2017-07-27 14:37:54.000000000 -0700
@@ -0,0 +1,201 @@
+Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
+Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
+Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
+
+Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c
++++ pkg-ipsec-tools/src/racoon/isakmp_frag.c
+@@ -1,4 +1,4 @@
+-/*	$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $	*/
++/*	$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $	*/
+ 
+ /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
+ 
+@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
+ 	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
+ }
+ 
++static int 
++isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
++{
++	struct isakmp_frag_item *pitem = NULL;
++	struct isakmp_frag_item *citem = iph1->frag_chain;
++
++	/* no frag yet, just insert at beginning of list */
++	if (iph1->frag_chain == NULL) {
++		iph1->frag_chain = item;
++		return 0;
++	}
++
++	do {
++		/* duplicate fragment number, abort (CVE-2016-10396) */
++		if (citem->frag_num == item->frag_num)
++			return -1;
++
++		/* need to insert before current item */
++		if (citem->frag_num > item->frag_num) {
++			if (pitem != NULL)
++				pitem->frag_next = item;
++			else
++				/* insert at the beginning of the list  */
++				iph1->frag_chain = item;
++			item->frag_next = citem;
++			return 0;
++		}
++
++		pitem = citem;
++		citem = citem->frag_next;
++	} while (citem != NULL);
++
++	/* we reached the end of the list, insert */
++	pitem->frag_next = item;
++	return 0;
++}
++
+ int 
+ isakmp_frag_extract(iph1, msg)
+ 	struct ph1handle *iph1;
+@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
+ 	item->frag_next = NULL;
+ 	item->frag_packet = buf;
+ 
+-	/* Look for the last frag while inserting the new item in the chain */
+-	if (item->frag_last)
+-		last_frag = item->frag_num;
++	/* Check for the last frag before inserting the new item in the chain */
++	if (item->frag_last) {
++		/* if we have the last fragment, indices must match */
++		if (iph1->frag_last_index != 0 &&
++		    item->frag_last != iph1->frag_last_index) {
++			plog(LLV_ERROR, LOCATION, NULL,
++			     "Repeated last fragment index mismatch\n");
++			racoon_free(item);
++			vfree(buf);
++			return -1;
++		}
+ 
+-	if (iph1->frag_chain == NULL) {
+-		iph1->frag_chain = item;
+-	} else {
+-		struct isakmp_frag_item *current;
++		last_frag = iph1->frag_last_index = item->frag_num;
++	}
+ 
+-		current = iph1->frag_chain;
+-		while (current->frag_next) {
+-			if (current->frag_last)
+-				last_frag = item->frag_num;
+-			current = current->frag_next;
+-		}
+-		current->frag_next = item;
++	/* insert fragment into chain */
++	if (isakmp_frag_insert(iph1, item) == -1) {
++		plog(LLV_ERROR, LOCATION, NULL,
++		    "Repeated fragment index mismatch\n");
++		racoon_free(item);
++		vfree(buf);
++		return -1;
+ 	}
+ 
+-	/* If we saw the last frag, check if the chain is complete */
++	/* If we saw the last frag, check if the chain is complete
++	 * we have a sorted list now, so just walk through */
+ 	if (last_frag != 0) {
++		item = iph1->frag_chain;
+ 		for (i = 1; i <= last_frag; i++) {
+-			item = iph1->frag_chain;
+-			do {
+-				if (item->frag_num == i)
+-					break;
+-				item = item->frag_next;
+-			} while (item != NULL);
+-
++			if (item->frag_num != i)
++				break;
++			item = item->frag_next;
+ 			if (item == NULL) /* Not found */
+ 				break;
+ 		}
+ 
+-		if (item != NULL) /* It is complete */
++		if (i > last_frag) /* It is complete */
+ 			return 1;
+ 	}
+ 		
+@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
+ 	}
+ 	data = buf->v;
+ 
++	item = iph1->frag_chain;
+ 	for (i = 1; i <= frag_count; i++) {
+-		item = iph1->frag_chain;
+-		do {
+-			if (item->frag_num == i)
+-				break;
+-			item = item->frag_next;
+-		} while (item != NULL);
+-
+-		if (item == NULL) {
++		if (item->frag_num != i) {
+ 			plog(LLV_ERROR, LOCATION, NULL, 
+ 			    "Missing fragment #%d\n", i);
+ 			vfree(buf);
+@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
+ 		}
+ 		memcpy(data, item->frag_packet->v, item->frag_packet->l);
+ 		data += item->frag_packet->l;
++		item = item->frag_next;
+ 	}
+ 
+ out:
+Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c
++++ pkg-ipsec-tools/src/racoon/isakmp_inf.c
+@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
+ #endif
+ #ifdef ENABLE_FRAG
+ 	iph1->frag = 0;
++	iph1->frag_last_index = 0;
+ 	iph1->frag_chain = NULL;
+ #endif
+ 
+Index: pkg-ipsec-tools/src/racoon/isakmp.c
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/isakmp.c
++++ pkg-ipsec-tools/src/racoon/isakmp.c
+@@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
+ 		iph1->frag = 1;
+ 	else
+ 		iph1->frag = 0;
++	iph1->frag_last_index = 0;
+ 	iph1->frag_chain = NULL;
+ #endif
+ 	iph1->approval = NULL;
+@@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et
+ #endif
+ #ifdef ENABLE_FRAG
+ 	iph1->frag = 0;
++	iph1->frag_last_index = 0;
+ 	iph1->frag_chain = NULL;
+ #endif
+ 	iph1->approval = NULL;
+Index: pkg-ipsec-tools/src/racoon/handler.h
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/handler.h
++++ pkg-ipsec-tools/src/racoon/handler.h
+@@ -1,4 +1,4 @@
+-/*	$NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $	*/
++/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/
+ 
+ /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
+ 
+@@ -141,6 +141,7 @@ struct ph1handle {
+ #endif
+ #ifdef ENABLE_FRAG
+ 	int frag;			/* IKE phase 1 fragmentation */
++	int frag_last_index;
+ 	struct isakmp_frag_item *frag_chain;	/* Received fragments */
+ #endif
+ 
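Review bot: The rewritten completeness check in isakmp_frag_extract can never report a complete chain: when the fragment numbered last_frag is also the tail of the sorted list (the normal case), `item = item->frag_next;` yields NULL and the following `if (item == NULL) break;` leaves the loop with `i == last_frag`, so the new `if (i > last_frag)` is false and the function falls through to its not-complete path even though every fragment has arrived. Testing for NULL at the head of the loop fixes this without widening the condition: make the whole loop body `if (item == NULL || item->frag_num != i) break; item = item->frag_next;` and keep `if (i > last_frag)`. Separately, the repeated-last-fragment test `item->frag_last != iph1->frag_last_index` compares a field the preceding `if (item->frag_last)` treats as a flag with an index that is stored from `item->frag_num` a few lines later; if frag_last is boolean (its definition is outside this hunk) the intended test is presumably `item->frag_num != iph1->frag_last_index`, otherwise any second last-flagged fragment is rejected whatever its number. Both isakmp_frag_extract and isakmp_frag_reassembly start and end outside the hunk, so the surrounding return paths and the derivation of frag_count could not be checked here.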
diff -Nru ipsec-tools-0.8.2+20140711/debian/patches/series ipsec-tools-0.8.2+20140711/debian/patches/series
--- ipsec-tools-0.8.2+20140711/debian/patches/series	2015-05-22 01:03:06.000000000 -0700
+++ ipsec-tools-0.8.2+20140711/debian/patches/series	2017-07-27 14:37:54.000000000 -0700
@@ -13,3 +13,4 @@
 ipv6literalaltname.patch
 checkpoint-xauth.patch
 bug785778-null-pointer-deref.patch
+CVE-2016-10396.patch

--- End Message ---
--- Begin Message ---
Control: tag -1 wontfix

Hi,

This request was approved and tagged 'confirmed', but no upload was
subsequently made. With the final point release for Jessie now being
prepared, it's unfortunately too late for this package to be updated.

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---
