Package: libreswan 4.9-1
Control: found -1 4.3-1+deb11u1
Control: found -1 4.7-1
Control: fixed -1 4.9-2
Control: forwarded -1 https://github.com/libreswan/libreswan/issues/954
Control: tags -1 + security patch fixed-upstream

There is a remotely-triggerable crash in libreswan, known as
CVE-2023-23009, based on a null pointer dereference.  It is apparently
present in the versions of libreswan in bullseye, testing, and unstable
at least.

On the linked github issue, upstream says that the attached patch fixes
the problem (though I do not have a reproducer to verify).

I've applied the patch in unstable already.

I'll prepare an upload for bullseye if the security team is OK with
that.  Please confirm!

Thanks,

        --dkg

From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Date: Wed, 22 Feb 2023 14:57:02 -0500
Subject: Fix CVE-2023-23009

See https://github.com/libreswan/libreswan/issues/954
---
 programs/pluto/ikev2_ts.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
index fba776a..c8ce761 100644
--- a/programs/pluto/ikev2_ts.c
+++ b/programs/pluto/ikev2_ts.c
@@ -421,6 +421,11 @@ static bool v2_parse_ts(struct payload_digest *const ts_pd,
 		d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
 			  &ts_h, sizeof(ts_h), &ts_body_pbs);
 
+		if (d != NULL) {
+			llog_diag(RC_LOG, logger, &d, "%s", "");
+			return false;
+		}
+
 		switch (ts_h.isath_type) {
 		case IKEv2_TS_IPV4_ADDR_RANGE:
 		case IKEv2_TS_IPV6_ADDR_RANGE:
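Review bot: the `llog_diag(RC_LOG, logger, &d, "%s", "")` call in the added block passes an empty prefix, so the logged line carries only the diag text from `pbs_in_struct` and gives no hint that the failure happened while parsing a traffic selector header; consider a descriptive prefix such as `"%s", "traffic selector header"` so operators can locate the rejected IKEv2 payload from the log. The guard itself is the right shape: before this hunk the `d` returned by `pbs_in_struct` was never checked, so control fell straight into `switch (ts_h.isath_type)` on a header that had not been filled in when the parse failed, and returning `false` from `v2_parse_ts` on a non-NULL `d` makes the malformed payload a rejected exchange rather than a crash.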
