Bug#1037056: bookworm-pu: package libreswan/4.10-2+deb12u1

2023-06-07 Thread Adam D. Barratt
On Fri, 2023-06-02 at 18:54 -0400, Daniel Kahn Gillmor wrote:
> Uploading libreswan 4.19-1+deb12u1 should address #1035542 (aka
> CVE-2023-30570), which addresses a potential DoS against libreswan
> instances that use a certain IKEv1 configuration.
> 
> Discussion with Salvatore Bonaccorso over in #1035542 concluded that
> using point releases for this should be sufficient.
> 

fwiw, because you already uploaded this, it hit testing-proposed-
updates, where it got autobuilt without any review from the Release
Team (as the approval boundary there is tpu -> testing, rather than
stable-new -> pu).

Hopefully that shouldn't make any practical difference; I'm just
mentioning it in case it was unexpected. (It will also need a bit of
handholding to get our tooling to recognise it properly once the
release has happened, but it's not the only package in that situation.)

Regards,

Adam



Bug#1037056: bookworm-pu: package libreswan/4.10-2+deb12u1

2023-06-02 Thread Daniel Kahn Gillmor
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libres...@packages.debian.org, d...@fifthhorseman.net
Control: affects -1 + src:libreswan

[ Reason ]

Uploading libreswan 4.19-1+deb12u1 should address #1035542 (aka
CVE-2023-30570), which addresses a potential DoS against libreswan
instances that use a certain IKEv1 configuration.

Discussion with Salvatore Bonaccorso over in #1035542 concluded that
using point releases for this should be sufficient.

[ Impact ]

Users on bookworm with a specific libreswan configuration (IKEv1 in
aggressive mode) risk a DDoS on their libreswan IKE daemon if a
malicious attacker on the network emits a certain stream of packets.

[ Tests ]

Sadly, most libreswan test suites involve running virtual machines,
interacting with the Linux kernel over open network policies, and this
isn't possible on Debian testing architecture.

[ Risks ]

The risks of including these patches are minimal.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes deal solely with how the pluto IKE daemon handles error
cases on incoming IKEv1 packets in aggressive mode.

[ Other info ]

All of the above information has been aggregated and adapted from
https://libreswan.org/security/CVE-2023-30570/. Upstream released
version 4.11, which is just 4.10 with comparable patches applied.
4.11 is in unstable now.

I've already uploaded an update to 4.3 for the next bullseye point
release as well.

diff -Nru libreswan-4.10/debian/changelog libreswan-4.10/debian/changelog
--- libreswan-4.10/debian/changelog 2023-03-10 16:34:25.0 -0500
+++ libreswan-4.10/debian/changelog 2023-06-02 18:15:28.0 -0400
@@ -1,3 +1,9 @@
+libreswan (4.10-2+deb12u1) bookworm; urgency=medium
+
+  * Fix CVE-2023-30570 (Closes: #1035542)
+
+ -- Daniel Kahn Gillmor   Fri, 02 Jun 2023 18:15:28 
-0400
+
 libreswan (4.10-2) unstable; urgency=medium
 
   * Reach NSPR mipsel workaround for #854472
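Review bot: the new changelog entry ("* Fix CVE-2023-30570 (Closes: #1035542)") gives no hint of what the issue is or how it was fixed, and stable-update changelogs are what users see through apt-listchanges. Suggest a second line that states the scope, which the [Impact] and [Changes] sections above already spell out, e.g. "pluto: stop sending IKEv1 notifications from the initial aggressive/main mode responder states, fixing a remote DoS against IKEv1 aggressive mode configurations", and name the added patch (debian/patches/0005-Fix-CVE-2023-30570.patch) so the entry can be matched to the debdiff.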
diff -Nru libreswan-4.10/debian/control libreswan-4.10/debian/control
--- libreswan-4.10/debian/control   2023-03-03 09:54:30.0 -0500
+++ libreswan-4.10/debian/control   2023-06-02 18:15:28.0 -0400
@@ -6,7 +6,7 @@
  Paul Wouters ,
  Ondřej Surý ,
 Vcs-Browser: https://salsa.debian.org/debian/libreswan
-Vcs-Git: https://salsa.debian.org/debian/libreswan.git
+Vcs-Git: https://salsa.debian.org/debian/libreswan.git -b debian/bookworm
 Standards-Version: 4.6.2
 Rules-Requires-Root: no
 Build-Depends:
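Review bot: the "-b debian/bookworm" suffix on Vcs-Git is consistent with the debian-branch change to debian/bookworm in the gbp.conf hunk below, so the two metadata changes agree with each other and have no runtime effect; no objection. Vcs-Browser is left pointing at the repository root, which still resolves, so nothing is required there.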
diff -Nru libreswan-4.10/debian/gbp.conf libreswan-4.10/debian/gbp.conf
--- libreswan-4.10/debian/gbp.conf  2023-03-03 09:54:30.0 -0500
+++ libreswan-4.10/debian/gbp.conf  2023-06-02 18:15:28.0 -0400
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 upstream-tag = v%(version)s
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
diff -Nru libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 
libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch
--- libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 1969-12-31 
19:00:00.0 -0500
+++ libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 2023-06-02 
18:14:32.0 -0400
@@ -0,0 +1,138 @@
+From: Daniel Kahn Gillmor 
+Date: Fri, 2 Jun 2023 18:14:24 -0400
+Subject: Fix CVE-2023-30570
+
+---
+ programs/pluto/ikev1.c  | 61 ++---
+ programs/pluto/ikev1_aggr.c |  5 ++--
+ 2 files changed, 61 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index e061532..401618b 100644
+--- a/programs/pluto/ikev1.c
 b/programs/pluto/ikev1.c
+@@ -1101,10 +1101,20 @@ void process_v1_packet(struct msg_digest *md)
+   struct state *st = NULL;
+   enum state_kind from_state = STATE_UNDEFINED;   /* state we started in 
*/
+ 
++  /*
++   * For the initial responses, don't leak the responder's SPI.
++   * Hence the use of send_v1_notification_from_md().
++   *
++   * AGGR mode is a mess in that the R0->R1 transition happens
++   * well before the transition succeeds.
++   */
+ #define SEND_NOTIFICATION(t)  \
+   {   \
+   pstats(ikev1_sent_notifies_e, t);   \
+-  if (st != NULL) \
++  if (st != NULL &&   \
++  st->st_state->kind != STATE_AGGR_R0 &&  \
++  st->st_state->kind != STATE_AGGR_R1 &&  \
++  st->st_state->kind != STATE_MAIN_R0)\
+   send_v1_notification_from_state(st, from_state,
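Review bot: the patch header carries only the Debian maintainer's From/Date/Subject and no DEP-3 provenance fields, so a reader of the package cannot tell from the patch itself that it is a backport of the upstream 4.11 fix, which the [Other info] section above says it is. Suggest adding "Origin: upstream, <upstream commit URL>", "Bug-Debian: https://bugs.debian.org/1035542" and "Bug: https://libreswan.org/security/CVE-2023-30570/" above the "---" line so the backport can be diffed against upstream during review. In the SEND_NOTIFICATION hunk, the new comment explains why STATE_AGGR_R0 and STATE_AGGR_R1 are excluded ("the R0->R1 transition happens well before the transition succeeds") but says nothing about STATE_MAIN_R0, which the guard also excludes; a sentence covering the main mode case would make the condition self-explanatory. The comment also says the initial responses go through send_v1_notification_from_md(), yet the visible lines only add a guard around send_v1_notification_from_state(); please confirm the remainder of the hunk (not shown in this excerpt) actually routes those states through the from_md variant rather than dropping the notification silently.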