The patches for fixing the pre-authentication buffer overflow in atodn() / atoid() (CVE-2013-2053) introduced a bug in parsing the ID_DER_ASN1_DN subject when using certificates and the full distinguished names for leftid and/or rightid in /etc/ipsec.conf.
Since the Peer ID_DER_ASN1_DN subject is garbled, the appropriate entry from ipsec.conf cannot be found and the tunnel is revoked. Please note this bug is not limited to 2.6.28+dfsg-5+squeeze2, but was introduced in 2.6.37-3+deb7u1 (wheezy), too. In the attachment you find a patch for fixing the boundary check in lib/libopenswan/x509dn.c. The patch is tested for 2.6.28+dfsg-5+squeeze2 (squeeze) and 2.6.37-3+deb7u1 (wheezy). @Paul Wouters: those *** have been substituted to retain anonymity. Sorry, I should have mentioned this...
Description: Fixed parsing of ID_DER_ASN1_DN in X.509 certificates The fix for CVE-2013-2053 (#709144) introduced a bug when parsing the ID_DER_ASN1_DN of an X.509 certificate (local and remote). In the atodn function a boundary check failed, when the full distinguished name is given in ipsec.conf (leftid or rightid). This results in a garbled peer id and in revoking connections. This patch fixes the boundary check. Bug-Debian: http://bugs.debian.org/743332 Origin: other Author: Alexander Hosfeld <[email protected]> Last-Update: 2014-04-09 --- openswan-2.6.28+dfsg.orig/lib/libopenswan/x509dn.c +++ openswan-2.6.28+dfsg/lib/libopenswan/x509dn.c @@ -866,7 +866,6 @@ atodn(char *src, chunk_t *dn) chunkcpy(dn_ptr, name); /* accumulate the length of the distinguished name sequence */ - dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len; dn_seq_len += rdn_len; /* reset name and change state */
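Review bot: the Description says the patch "fixes the boundary check", but the hunk contains no boundary check; it removes the first of two consecutive increments of dn_seq_len, so every RDN was being counted twice (once as `dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len;` and again as `dn_seq_len += rdn_len;`). Please reword the Description to say that the accumulated sequence length was overcounted, which is what later made the length check fail and garbled the peer ID, and state why `rdn_len` alone is the right amount, i.e. that it already covers the SET header the removed line adds; the context lines shown do not establish that on their own.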
Description: Fixed parsing of ID_DER_ASN1_DN in X.509 certificates The fix for CVE-2013-2053 (#709144) introduced a bug when parsing the ID_DER_ASN1_DN of an X.509 certificate (local and remote). In the atodn function a boundary check failed, when the full distinguished name is given in ipsec.conf (leftid or rightid). This results in a garbled peer id and in revoking connections. This patch fixes the boundary check. Bug-Debian: http://bugs.debian.org/743332 Origin: other Author: Alexander Hosfeld <[email protected]> Last-Update: 2014-04-09 --- openswan-2.6.37.orig/lib/libopenswan/x509dn.c +++ openswan-2.6.37/lib/libopenswan/x509dn.c @@ -866,7 +866,6 @@ atodn(char *src, chunk_t *dn) chunkcpy(dn_ptr, name); /* accumulate the length of the distinguished name sequence */ - dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len; dn_seq_len += rdn_len; /* reset name and change state */
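Review bot: this hunk is the same one-line removal as the squeeze patch, differing only in the path prefix (openswan-2.6.37 instead of openswan-2.6.28+dfsg) and the same `@@ -866,7 +866,6 @@` header, so a single patch file noted as applying to both source versions would be less error-prone than two copies that have to be kept in sync. The Description also names the trigger (a full distinguished name as leftid or rightid in ipsec.conf) without giving an example DN; adding one would let whoever applies the patch to either version confirm that the peer ID is no longer garbled.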
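As an added illustration that is not openswan's code and not part of this bug report: a small DER encoder for a distinguished name that adds each RDN's length to the outer SEQUENCE length exactly once, which is the accounting the patch restores, plus a consistency check that flags a blob whose declared length exceeds its body, the shape the overcounting produced. The function names (encode_dn, der_seq_consistent, sample_dn) and the sample DN "C=DE, CN=peer" are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed illustration (not openswan's atodn()): DER-encode a DN made of
 * single-attribute RDNs with PrintableString values; short-form lengths only. */
struct rdn { const uint8_t *oid; size_t oid_len; const char *value; };

/* One RDN: SET { SEQUENCE { OID, PrintableString } }. Returns bytes written, 0 if no room. */
static size_t encode_rdn(const struct rdn *r, uint8_t *out, size_t cap) {
    size_t vlen = strlen(r->value);
    size_t seq_body = 2 + r->oid_len + 2 + vlen;   /* OID TLV + string TLV */
    size_t set_body = 2 + seq_body;                  /* inner SEQUENCE TLV */
    if (set_body > 127 || 2 + set_body > cap) return 0;
    uint8_t *p = out;
    *p++ = 0x31; *p++ = (uint8_t)set_body;          /* SET header */
    *p++ = 0x30; *p++ = (uint8_t)seq_body;          /* SEQUENCE header */
    *p++ = 0x06; *p++ = (uint8_t)r->oid_len;        /* OBJECT IDENTIFIER */
    memcpy(p, r->oid, r->oid_len); p += r->oid_len;
    *p++ = 0x13; *p++ = (uint8_t)vlen;              /* PrintableString */
    memcpy(p, r->value, vlen); p += vlen;
    return (size_t)(p - out);
}

/* Outer SEQUENCE of RDNs. dn_seq_len grows by rdn_len only; adding the SET header size
 * again (the line the patch removes) declares more bytes than the body actually holds. */
size_t encode_dn(const struct rdn *rdns, size_t n, uint8_t *out, size_t cap) {
    uint8_t body[128];
    size_t dn_seq_len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t rdn_len = encode_rdn(&rdns[i], body + dn_seq_len, sizeof body - dn_seq_len);
        if (rdn_len == 0) return 0;
        dn_seq_len += rdn_len;                       /* once per RDN */
    }
    if (dn_seq_len > 127 || dn_seq_len + 2 > cap) return 0;
    out[0] = 0x30; out[1] = (uint8_t)dn_seq_len;    /* outer SEQUENCE header */
    memcpy(out + 2, body, dn_seq_len);
    return dn_seq_len + 2;
}

/* Check for any DER DN blob: the declared SEQUENCE length must equal the bytes present. */
int der_seq_consistent(const uint8_t *der, size_t len) {
    return len >= 2 && der[0] == 0x30 && der[1] < 0x80 && (size_t)der[1] + 2 == len;
}

/* Constructed sample "C=DE, CN=peer" (OIDs 2.5.4.6 and 2.5.4.3) encoded into sample_der. */
uint8_t sample_der[64];
size_t sample_dn(void) {
    static const uint8_t oid_c[] = { 0x55, 0x04, 0x06 }, oid_cn[] = { 0x55, 0x04, 0x03 };
    const struct rdn rdns[2] = { { oid_c, 3, "DE" }, { oid_cn, 3, "peer" } };
    return encode_dn(rdns, 2, sample_der, sizeof sample_der);   /* returns 30 */
}
```

An encoder that counted the SET header twice would emit a header claiming more than 28 body bytes for this DN, and der_seq_consistent() would reject it before any comparison with the certificate subject.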

