Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libres...@packages.debian.org, d...@fifthhorseman.net
Control: affects -1 + src:libreswan
[ Reason ]
Uploading libreswan 4.19-1+deb12u1 should address #1035542 (aka
CVE-2023-30570), a potential DoS against libreswan instances that use
a certain IKEv1 configuration.
Discussion with Salvatore Bonaccorso over in #1035542 concluded that
using point releases for this should be sufficient.
[ Impact ]
Users on bookworm with a specific libreswan configuration (IKEv1 in
aggressive mode) risk a DDoS on their libreswan IKE daemon if an
attacker on the network emits a certain stream of packets.
[ Tests ]
Sadly, most libreswan test suites involve running virtual machines,
interacting with the Linux kernel over open network policies, and this
isn't possible on the Debian testing architecture.
[ Risks ]
The risks of including these patches are minimal.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The changes deal solely with how the pluto IKE daemon handles error
cases on incoming IKEv1 packets in aggressive mode.
[ Other info ]
All of the above information has been aggregated and adapted from
https://libreswan.org/security/CVE-2023-30570/
Upstream released version 4.11, which is just 4.10 with comparable
patches applied. 4.11 is in unstable now.
I've already uploaded an update to 4.3 for the next bullseye point
release as well.
diff -Nru libreswan-4.10/debian/changelog libreswan-4.10/debian/changelog
--- libreswan-4.10/debian/changelog 2023-03-10 16:34:25.0 -0500
+++ libreswan-4.10/debian/changelog 2023-06-02 18:15:28.0 -0400
@@ -1,3 +1,9 @@
+libreswan (4.10-2+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2023-30570 (Closes: #1035542)
+
+ -- Daniel Kahn Gillmor Fri, 02 Jun 2023 18:15:28
-0400
+
libreswan (4.10-2) unstable; urgency=medium
* Reach NSPR mipsel workaround for #854472
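Review bot: the version in the new changelog stanza, 4.10-2+deb12u1, does not match the 4.19-1+deb12u1 quoted in the [Reason] section above; one of the two should be corrected so the request and the debdiff agree (the stanza's base, 4.10-2, is the version this diff is taken against). The entry `* Fix CVE-2023-30570 (Closes: #1035542)` would also be more useful to stable users if it named the added quilt patch (0005-Fix-CVE-2023-30570.patch) and the upstream release (4.11) the fix was derived from, so the change is traceable without opening the patch header.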
diff -Nru libreswan-4.10/debian/control libreswan-4.10/debian/control
--- libreswan-4.10/debian/control 2023-03-03 09:54:30.0 -0500
+++ libreswan-4.10/debian/control 2023-06-02 18:15:28.0 -0400
@@ -6,7 +6,7 @@
Paul Wouters ,
Ondřej Surý ,
Vcs-Browser: https://salsa.debian.org/debian/libreswan
-Vcs-Git: https://salsa.debian.org/debian/libreswan.git
+Vcs-Git: https://salsa.debian.org/debian/libreswan.git -b debian/bookworm
Standards-Version: 4.6.2
Rules-Requires-Root: no
Build-Depends:
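Review bot: adding `-b debian/bookworm` to Vcs-Git is the right thing for a stable branch and matches the debian-branch change in debian/gbp.conf in this debdiff; Vcs-Browser, however, still points at the repository root, so the two fields now describe different things. Pointing Vcs-Browser at the same branch (on Salsa that is the `/-/tree/debian/bookworm` path under the existing URL) keeps them consistent.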
diff -Nru libreswan-4.10/debian/gbp.conf libreswan-4.10/debian/gbp.conf
--- libreswan-4.10/debian/gbp.conf 2023-03-03 09:54:30.0 -0500
+++ libreswan-4.10/debian/gbp.conf 2023-06-02 18:15:28.0 -0400
@@ -1,4 +1,4 @@
[DEFAULT]
pristine-tar = True
upstream-tag = v%(version)s
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
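Review bot: consistent with the Vcs-Git branch change in debian/control; nothing further needed here. Note that upstream-tag = v%(version)s is unchanged, which is correct only because the fix is carried as a quilt patch on top of the 4.10 tarball rather than as a new upstream import.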
diff -Nru libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch
libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch
--- libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 1969-12-31
19:00:00.0 -0500
+++ libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 2023-06-02
18:14:32.0 -0400
@@ -0,0 +1,138 @@
+From: Daniel Kahn Gillmor
+Date: Fri, 2 Jun 2023 18:14:24 -0400
+Subject: Fix CVE-2023-30570
+
+---
+ programs/pluto/ikev1.c | 61 ++---
+ programs/pluto/ikev1_aggr.c | 5 ++--
+ 2 files changed, 61 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index e061532..401618b 100644
+--- a/programs/pluto/ikev1.c
b/programs/pluto/ikev1.c
+@@ -1101,10 +1101,20 @@ void process_v1_packet(struct msg_digest *md)
+ struct state *st = NULL;
+ enum state_kind from_state = STATE_UNDEFINED; /* state we started in
*/
+
++ /*
++ * For the initial responses, don't leak the responder's SPI.
++ * Hence the use of send_v1_notification_from_md().
++ *
++ * AGGR mode is a mess in that the R0->R1 transition happens
++ * well before the transition succeeds.
++ */
+ #define SEND_NOTIFICATION(t) \
+ { \
+ pstats(ikev1_sent_notifies_e, t); \
+- if (st != NULL) \
++ if (st != NULL && \
++ st->st_state->kind != STATE_AGGR_R0 && \
++ st->st_state->kind != STATE_AGGR_R1 && \
++ st->st_state->kind != STATE_MAIN_R0)\
+ send_v1_notification_from_state(st, from_state,
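Review bot: the patch header carries only From/Date/Subject; the DEP-3 fields Origin: (the upstream commit or the 4.11 release the change is taken from, per the [Other info] section), Bug-Debian: https://bugs.debian.org/1035542 and a reference to CVE-2023-30570 would make the provenance of this stable update auditable without consulting the libreswan advisory. In the SEND_NOTIFICATION macro, the new condition stops send_v1_notification_from_state() from being used for STATE_AGGR_R0, STATE_AGGR_R1 and STATE_MAIN_R0, which is what the added comment describes (not leaking the responder's SPI in the initial responses); the comment says those states use send_v1_notification_from_md() instead, but the else branch that does so is not visible in the quoted hunk because the debdiff is cut off at this point, so the full 138-line patch should be checked for the matching else clause before accepting. Minor style nit: `st->st_state->kind != STATE_MAIN_R0)\` is missing the space before the line-continuation backslash that the surrounding macro lines use.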