From 188bacbfe68aa6cbbaaa6cbd26b334f634f23871 Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer <rene@mayrhofer.eu.org>
Date: Tue, 31 Mar 2009 10:25:38 +0000
Subject: - Apply patch from security team.

---
 debian/changelog                       | 10 ++++++++++
 debian/patches/00list                  |  1 +
 debian/patches/02-CVE-2009-0790.dpatch | 31 +++++++++++++++++++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 debian/patches/02-CVE-2009-0790.dpatch

diff --git a/debian/changelog b/debian/changelog
index 1b4060aa0..71d2f2061 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+strongswan (4.2.13-2) unstable; urgency=low
+
+  * Fix DoS issue via malicious Dead Peer Detection packet. Thanks to the 
+    security team for providing the patch.
+    Closes: #521950: CVE-2009-0790: DoS
+    Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone
+    to a denial of service attack via a malicious packet.
+
+ -- Rene Mayrhofer <rmayr@debian.org>  Tue, 31 Mar 2009 12:00:51 +0200
+
 strongswan (4.2.13-1) unstable; urgency=low
 
   * New upstream release. This is now compatible with network-manager 0.7
diff --git a/debian/patches/00list b/debian/patches/00list
index e69de29bb..565571969 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -0,0 +1 @@
+02-CVE-2009-0790.dpatch
diff --git a/debian/patches/02-CVE-2009-0790.dpatch b/debian/patches/02-CVE-2009-0790.dpatch
new file mode 100644
index 000000000..1eef2fe3d
--- /dev/null
+++ b/debian/patches/02-CVE-2009-0790.dpatch
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+@DPATCH@
+diff -urN strongswan-4.2.13/src/pluto/ipsec_doi.c strongswan-4.2.13-patched/src/pluto/ipsec_doi.c
+--- strongswan-4.2.13/src/pluto/ipsec_doi.c	2009-03-21 09:41:49.000000000 +0100
++++ strongswan-4.2.4/src/pluto/ipsec_doi.c	2009-03-21 09:50:06.000000000 +0100
+@@ -5446,9 +5446,9 @@
+    time_t tm = now();
+     u_int32_t seqno;
+ 
+-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
++    if (!st || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+     {
+-        loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISKAMP SA");
++        loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA");
+         return STF_IGNORE;
+     }
+     if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2)
+@@ -5516,10 +5516,10 @@
+ {
+     u_int32_t seqno;
+ 
+-    if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state))
++    if (!st || !IS_ISAKMP_SA_ESTABLISHED(st->st_state))
+     {
+         loglog(RC_LOG_SERIOUS
+-	    , "DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA");
++	    , "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA");
+         return STF_FAIL;
+     }
+ 
-- 
cgit v1.2.3