
Re: L2TP/IPSec on Mac OSX stop working after openswan upgrade [with patches]



I think it didn't reintroduce CVE-2013-6466.
I have used some packets to test them.
ref: http://www.openwall.com/lists/oss-security/2014/02/18/1
On 1:2.6.37-3, it didn't show the message dropped, and on
1:2.6.37-3+deb7u1 and the one with my patch, it shows:
missing payload(s)
(ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2KE+ISAKMP_NEXT_v2Ni). Message dropped.

Furthermore, I have diffed the patch in Debian and the patch in RHEL5.
The patch in RHEL5 is almost the same as the patch in Debian,
without the removal of the compatibility code for Mac OS X's
ISAKMP_NEXT_NATD_BADDRAFTS.

The original CVE-2013-6466 is something related to a NULL pointer.
From the other side, it's unnecessary to remove the compatibility code
for Mac OS X.

--
Best regards,
Liu DongMiao


2014-05-01 23:23 GMT+08:00 Henrique de Moraes Holschuh <hmh@debian.org>:
> On Tue, 29 Apr 2014, Liu DongMiao wrote:
>> After checking the patch, I found that it's CVE-2013-6466.patch, it
>> removes the compatibility code for Mac OS X and iOS, which use a bad
>> draft. Now, I have fixed this, and tested on Mac OS X and iOS. However,
>> I didn't test on other platforms, such as Linux and Windows.
>
> Did you test to make sure you did not reintroduce CVE-2013-6466?  While your
> patch is simple, the patch that fixed CVE-2013-6466 is not and touched a lot
> of code.  It was not immediately obvious -- at least to me -- that
> reenabling the compatibility code will still work well after the changes done
> to fix CVE-2013-6466.
>
> --
>   "One disk to rule them all, One disk to find them. One disk to bring
>   them all and in the darkness grind them. In the Land of Redmond
>   where the shadows lie." -- The Silicon Valley Tarot
>   Henrique Holschuh