From f062a22a7324de6096c775d4ab8941c168bc4c00 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Fri, 25 Oct 2013 07:15:00 +0200 Subject: add patch for CVE-2013-6075 fixing denial of service and authorization bypass --- debian/changelog | 9 +++++++++ debian/patches/CVE-2013-6075.patch | 27 +++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 37 insertions(+) create mode 100644 debian/patches/CVE-2013-6075.patch diff --git a/debian/changelog b/debian/changelog index 77bf2a952..20837542b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +strongswan (5.1.0-3) UNRELEASED; urgency=high + + * urgency=high for the security fix. + * debian/patches + - CVE-2013-6075 added, fix remote denial of service and authorization + bypass. + + -- Yves-Alexis Perez Thu, 24 Oct 2013 23:22:58 +0200 + strongswan (5.1.0-2) unstable; urgency=medium * urgency=medium since we already spent 16 days in unstable and the fix is diff --git a/debian/patches/CVE-2013-6075.patch b/debian/patches/CVE-2013-6075.patch new file mode 100644 index 000000000..d50616a60 --- /dev/null +++ b/debian/patches/CVE-2013-6075.patch @@ -0,0 +1,27 @@ +From aa277adfc204b6bda2c3792710138f9a8723a8f1 Mon Sep 17 00:00:00 2001 +From: Martin Willi +Date: Mon, 7 Oct 2013 14:21:57 +0200 +Subject: [PATCH] identification: Properly check length before comparing for + binary DN equality + +Fixes CVE-2013-6075. +--- + src/libstrongswan/utils/identification.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c +index 5df3e5f..9c43ad5 100644 +--- a/src/libstrongswan/utils/identification.c ++++ b/src/libstrongswan/utils/identification.c +@@ -602,7 +602,7 @@ static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc) + } + } + /* try a binary compare */ +- if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len)) ++ if (chunk_equals(t_dn, o_dn)) + { + return TRUE; + } +-- +1.8.1.2 + diff --git a/debian/patches/series b/debian/patches/series index 2cf256b6c..3db0e29a8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 01_fix-manpages.patch +CVE-2013-6075.patch -- cgit v1.2.3 From ed9aafdb1736fd76fce97abe65eb693baa6b78e5 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 31 Oct 2013 13:53:05 +0100 Subject: add patch for CVE-2013-6076 fix remote denial of service when using IKEv1 --- debian/changelog | 3 ++- debian/patches/CVE-2013-6076.patch | 27 +++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 debian/patches/CVE-2013-6076.patch diff --git a/debian/changelog b/debian/changelog index 20837542b..b55aaa63a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,10 @@ strongswan (5.1.0-3) UNRELEASED; urgency=high - * urgency=high for the security fix. + * urgency=high for the security fixes. * debian/patches - CVE-2013-6075 added, fix remote denial of service and authorization bypass. + - CVE-2013-6076 added, fix remote denial of service in IKEv1 code. -- Yves-Alexis Perez Thu, 24 Oct 2013 23:22:58 +0200 diff --git a/debian/patches/CVE-2013-6076.patch b/debian/patches/CVE-2013-6076.patch new file mode 100644 index 000000000..51f0ae37d --- /dev/null +++ b/debian/patches/CVE-2013-6076.patch @@ -0,0 +1,27 @@ +From d8867a8452eece3fffab29605f48e6bed47c42d4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Volker=20R=C3=BCmelin?= +Date: Fri, 11 Oct 2013 09:38:24 +0200 +Subject: [PATCH] ikev1: Properly initialize list of fragments in case fragment + ID is 0 + +Fixes CVE-2013-6076. +--- + src/libcharon/sa/ikev1/task_manager_v1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c +index 6d4ef14..597416e 100644 +--- a/src/libcharon/sa/ikev1/task_manager_v1.c ++++ b/src/libcharon/sa/ikev1/task_manager_v1.c +@@ -1273,7 +1273,7 @@ static status_t handle_fragment(private_task_manager_t *this, message_t *msg) + return FAILED; + } + +- if (this->frag.id != payload->get_id(payload)) ++ if (!this->frag.list || this->frag.id != payload->get_id(payload)) + { + clear_fragments(this, payload->get_id(payload)); + this->frag.list = linked_list_create(); +-- +1.8.1.2 + diff --git a/debian/patches/series b/debian/patches/series index 3db0e29a8..fadf557e2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 01_fix-manpages.patch CVE-2013-6075.patch +CVE-2013-6076.patch -- cgit v1.2.3 From f82d8327dae7ed3f27c1efa5b0fd0ee4340879d2 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Wed, 30 Oct 2013 09:17:11 +0100 Subject: upload to unstable --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index b55aaa63a..9b650b9eb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -strongswan (5.1.0-3) UNRELEASED; urgency=high +strongswan (5.1.0-3) unstable; urgency=high * urgency=high for the security fixes. * debian/patches @@ -6,7 +6,7 @@ strongswan (5.1.0-3) UNRELEASED; urgency=high bypass. - CVE-2013-6076 added, fix remote denial of service in IKEv1 code. - -- Yves-Alexis Perez Thu, 24 Oct 2013 23:22:58 +0200 + -- Yves-Alexis Perez Tue, 29 Oct 2013 21:07:04 +0100 strongswan (5.1.0-2) unstable; urgency=medium -- cgit v1.2.3