Merge branch 'sid'

4 files changed, 66 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index d253808b2..ba7f8a9fd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -38,6 +38,16 @@ strongswan (5.1.1-1) UNRELEASED; urgency=low
 
  -- Romain Francoise <rfrancoise@debian.org>  Tue, 29 Oct 2013 20:01:37 +0100
 
+strongswan (5.1.0-3) unstable; urgency=high
+
+  * urgency=high for the security fixes.
+  * debian/patches
+    - CVE-2013-6075 added, fix remote denial of service and authorization
+      bypass.
+    - CVE-2013-6076 added, fix remote denial of service in IKEv1 code.
+
+ -- Yves-Alexis Perez <corsac@debian.org>  Tue, 29 Oct 2013 21:07:04 +0100
+
 strongswan (5.1.0-2) unstable; urgency=medium
 
   * urgency=medium since we already spent 16 days in unstable and the fix is
diff --git a/debian/patches/CVE-2013-6075.patch b/debian/patches/CVE-2013-6075.patch
new file mode 100644
index 000000000..d50616a60
--- /dev/null
+++ b/debian/patches/CVE-2013-6075.patch
@@ -0,0 +1,27 @@
+From aa277adfc204b6bda2c3792710138f9a8723a8f1 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@revosec.ch>
+Date: Mon, 7 Oct 2013 14:21:57 +0200
+Subject: [PATCH] identification: Properly check length before comparing for
+ binary DN equality
+
+Fixes CVE-2013-6075.
+---
+ src/libstrongswan/utils/identification.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
+index 5df3e5f..9c43ad5 100644
+--- a/src/libstrongswan/utils/identification.c
++++ b/src/libstrongswan/utils/identification.c
+@@ -602,7 +602,7 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
+ 		}
+ 	}
+ 	/* try a binary compare */
+-	if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len))
++	if (chunk_equals(t_dn, o_dn))
+ 	{
+ 		return TRUE;
+ 	}
+-- 
+1.8.1.2
+
diff --git a/debian/patches/CVE-2013-6076.patch b/debian/patches/CVE-2013-6076.patch
new file mode 100644
index 000000000..51f0ae37d
--- /dev/null
+++ b/debian/patches/CVE-2013-6076.patch
@@ -0,0 +1,27 @@
+From d8867a8452eece3fffab29605f48e6bed47c42d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Volker=20R=C3=BCmelin?= <vr_strongswan@t-online.de>
+Date: Fri, 11 Oct 2013 09:38:24 +0200
+Subject: [PATCH] ikev1: Properly initialize list of fragments in case fragment
+ ID is 0
+
+Fixes CVE-2013-6076.
+---
+ src/libcharon/sa/ikev1/task_manager_v1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
+index 6d4ef14..597416e 100644
+--- a/src/libcharon/sa/ikev1/task_manager_v1.c
++++ b/src/libcharon/sa/ikev1/task_manager_v1.c
+@@ -1273,7 +1273,7 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
+ 		return FAILED;
+ 	}
+ 
+-	if (this->frag.id != payload->get_id(payload))
++	if (!this->frag.list || this->frag.id != payload->get_id(payload))
+ 	{
+ 		clear_fragments(this, payload->get_id(payload));
+ 		this->frag.list = linked_list_create();
+-- 
+1.8.1.2
+
diff --git a/debian/patches/series b/debian/patches/series
index 2cf256b6c..fadf557e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 01_fix-manpages.patch
+CVE-2013-6075.patch
+CVE-2013-6076.patch