From ed9aafdb1736fd76fce97abe65eb693baa6b78e5 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez <corsac@debian.org>
Date: Thu, 31 Oct 2013 13:53:05 +0100
Subject: add patch for CVE-2013-6076

fix remote denial of service when using IKEv1
---
 debian/changelog                   |  3 ++-
 debian/patches/CVE-2013-6076.patch | 27 +++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/CVE-2013-6076.patch

diff --git a/debian/changelog b/debian/changelog
index 20837542b..b55aaa63a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,10 @@
 strongswan (5.1.0-3) UNRELEASED; urgency=high
 
-  * urgency=high for the security fix.
+  * urgency=high for the security fixes.
   * debian/patches
     - CVE-2013-6075 added, fix remote denial of service and authorization
       bypass.
+    - CVE-2013-6076 added, fix remote denial of service in IKEv1 code.
 
  -- Yves-Alexis Perez <corsac@debian.org>  Thu, 24 Oct 2013 23:22:58 +0200
 
diff --git a/debian/patches/CVE-2013-6076.patch b/debian/patches/CVE-2013-6076.patch
new file mode 100644
index 000000000..51f0ae37d
--- /dev/null
+++ b/debian/patches/CVE-2013-6076.patch
@@ -0,0 +1,27 @@
+From d8867a8452eece3fffab29605f48e6bed47c42d4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Volker=20R=C3=BCmelin?= <vr_strongswan@t-online.de>
+Date: Fri, 11 Oct 2013 09:38:24 +0200
+Subject: [PATCH] ikev1: Properly initialize list of fragments in case fragment
+ ID is 0
+
+Fixes CVE-2013-6076.
+---
+ src/libcharon/sa/ikev1/task_manager_v1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
+index 6d4ef14..597416e 100644
+--- a/src/libcharon/sa/ikev1/task_manager_v1.c
++++ b/src/libcharon/sa/ikev1/task_manager_v1.c
+@@ -1273,7 +1273,7 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
+ 		return FAILED;
+ 	}
+ 
+-	if (this->frag.id != payload->get_id(payload))
++	if (!this->frag.list || this->frag.id != payload->get_id(payload))
+ 	{
+ 		clear_fragments(this, payload->get_id(payload));
+ 		this->frag.list = linked_list_create();
+-- 
+1.8.1.2
+
diff --git a/debian/patches/series b/debian/patches/series
index 3db0e29a8..fadf557e2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 01_fix-manpages.patch
 CVE-2013-6075.patch
+CVE-2013-6076.patch
-- 
cgit v1.2.3