Hi,
The attached patch will fix this bug and also #533837. Ruben -- Ruben Puettmann ru...@puettmann.net http://www.puettmann.net
diff -Nru strongswan-4.2.14/debian/changelog strongswan-4.2.14/debian/changelog
--- strongswan-4.2.14/debian/changelog	2009-06-21 18:34:54.000000000 +0200
+++ strongswan-4.2.14/debian/changelog	2009-06-21 18:34:55.000000000 +0200
@@ -1,3 +1,14 @@
+strongswan (4.2.14-1.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix build on i386
+    Closes: #525652: FTBFS on i386:
+    libstrongswan-padlock.so*': No such file or directory
+  * Fix Two Denial of Service Vulnerabilities
+    Closes: #533837: strongSwan Two Denial of Service Vulnerabilities
+
+ -- Ruben Puettmann <ru...@puettmann.net>  Sun, 21 Jun 2009 17:50:02 +0200
+
 strongswan (4.2.14-1.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru strongswan-4.2.14/debian/rules strongswan-4.2.14/debian/rules
--- strongswan-4.2.14/debian/rules	2009-06-21 18:34:54.000000000 +0200
+++ strongswan-4.2.14/debian/rules	2009-06-21 18:34:55.000000000 +0200
@@ -41,7 +41,7 @@
 # the padlock plugin only makes sense on i386
 # but it actually doesn't do much, so maybe we don't need it
 ifeq ($(DEB_BUILD_ARCH_CPU),i386)
-	CONFIGURE_ARGS += --enable-padlock
+	CONFIGUREARGS += --enable-padlock
 endif
 
 patch:
diff -Nru strongswan-4.2.14/src/libstrongswan/asn1/asn1.c strongswan-4.2.14/src/libstrongswan/asn1/asn1.c
--- strongswan-4.2.14/src/libstrongswan/asn1/asn1.c	2009-04-01 08:16:00.000000000 +0200
+++ strongswan-4.2.14/src/libstrongswan/asn1/asn1.c	2009-06-21 18:34:55.000000000 +0200
@@ -261,6 +261,11 @@
 		len = 256*len + *blob->ptr++;
 		blob->len--;
 	}
+	if (len > blob->len)
+	{
+		DBG2("length is larger than remaining blob size");
+		return ASN1_INVALID_LENGTH;
+	}
 	return len;
 }
 
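Review bot: The new bound in the libstrongswan asn1_length hunk only covers the multi-octet length path; the single-octet branch that returns the first length byte directly lies earlier in asn1_length, outside this hunk, and nothing visible here compares that value against blob->len. That matters because the asn1_parser.c hunk and the pluto/asn1.c hunk at @@ -592 remove their own `blob->len < blob1->len` comparison and now rely on asn1_length alone, so unless the short-form branch already checks, a short-form length of up to 127 can again exceed the remaining blob. The same guard, `if (n > blob->len) { DBG2("length is larger than remaining blob size"); return ASN1_INVALID_LENGTH; }`, belongs in that branch; the pluto/asn1.c asn1_length hunk at @@ -191 has the identical gap. asn1_length starts outside the hunk.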
@@ -283,14 +288,20 @@
 	{
 		int tz_hour, tz_min;
 
-		sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+		if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+		{
+			return 0; /* error in positive timezone offset format */
+		}
 		tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
 	}
 	else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
 	{
 		int tz_hour, tz_min;
 
-		sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+		if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+		{
+			return 0; /* error in negative timezone offset format */
+		}
 		tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
 	}
 	else
@@ -303,14 +314,20 @@
 		const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
 													 "%4d%2d%2d%2d%2d";
 
-		sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
-									 &t.tm_hour, &t.tm_min);
+		if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+									 &t.tm_hour, &t.tm_min) != 5)
+		{
+			return 0; /* error in time st [yy]yymmddhhmm time format */
+		}
 	}
 
 	/* is there a seconds field? */
 	if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
 	{
-		sscanf(eot-2, "%2d", &t.tm_sec);
+		if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+		{
+			return 0; /* error in ss seconds field format */
+		}
 	}
 	else
 	{
diff -Nru strongswan-4.2.14/src/libstrongswan/asn1/asn1_parser.c strongswan-4.2.14/src/libstrongswan/asn1/asn1_parser.c
--- strongswan-4.2.14/src/libstrongswan/asn1/asn1_parser.c	2009-04-01 08:16:00.000000000 +0200
+++ strongswan-4.2.14/src/libstrongswan/asn1/asn1_parser.c	2009-06-21 18:34:55.000000000 +0200
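Review bot: The return-value checks make a malformed time fail closed, but the timezone scans still run on a chunk that is not NUL-terminated: memchr bounds the search for '+' and '-', yet nothing in the hunk checks that any bytes follow `eot` before `sscanf(eot+1, "%2d%2d", ...)`, so a '+' or '-' that is the last byte of the chunk makes sscanf read past the end of the value. A bound such as `if ((utctime->ptr + utctime->len) - (eot + 1) < 4) return 0;` ahead of each timezone sscanf closes that; the date scan in the second hunk is at least stopped by the terminator that memchr found inside the chunk. tz_hour, tz_min and the date fields are also accepted without a range check; that may happen later in asn1_to_time, which starts and ends outside both hunks. The pluto/asn1.c hunks at @@ -375 and @@ -401 have the same shape and the same gap.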
@@ -160,7 +160,7 @@
 
 		blob1->len = asn1_length(blob);
 
-		if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+		if (blob1->len == ASN1_INVALID_LENGTH)
 		{
 			DBG1("L%d - %s: length of ASN.1 object invalid or too large",
 				 level, obj.name);
diff -Nru strongswan-4.2.14/src/pluto/asn1.c strongswan-4.2.14/src/pluto/asn1.c
--- strongswan-4.2.14/src/pluto/asn1.c	2009-04-01 08:16:04.000000000 +0200
+++ strongswan-4.2.14/src/pluto/asn1.c	2009-06-21 18:34:55.000000000 +0200
@@ -191,6 +191,13 @@
 		len = 256*len + *blob->ptr++;
 		blob->len--;
 	}
+	if (len > blob->len)
+	{
+		DBG(DBG_PARSING,
+			DBG_log("length is larger than remaining blob size")
+		)
+		return ASN1_INVALID_LENGTH;
+	}
 	return len;
 }
 
@@ -368,14 +375,20 @@
 	{
 		int tz_hour, tz_min;
 
-		sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+		if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+		{
+			return 0; /* error in positive timezone offset format */
+		}
 		tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
 	}
 	else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
 	{
 		int tz_hour, tz_min;
 
-		sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+		if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+		{
+			return 0; /* error in negative timezone offset format */
+		}
 		tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
 	}
 	else
@@ -388,14 +401,20 @@
 		const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
 													 "%4d%2d%2d%2d%2d";
 
-		sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
-									 &t.tm_hour, &t.tm_min);
-	}
+		if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+									 &t.tm_hour, &t.tm_min) != 5)
+		{
+			return 0; /* error in time st [yy]yymmddhhmm time format */
+		}
+	}
 
 	/* is there a seconds field? */
 	if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
 	{
-		sscanf(eot-2, "%2d", &t.tm_sec);
+		if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+		{
+			return 0; /* error in ss seconds field format */
+		}
 	}
 	else
 	{
@@ -592,7 +611,7 @@
 
 	blob1->len = asn1_length(blob);
 
-	if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+	if (blob1->len == ASN1_INVALID_LENGTH)
 	{
 		DBG(DBG_PARSING,
 			DBG_log("L%d - %s: length of ASN.1 object invalid or too large",