Package: strongswan Severity: grave Tags: security, patch Hi
>From the DSA: Gerd v. Egidy discovered that the Pluto IKE daemon in strongswan, an IPSec implementation for linux, is prone to a denial of service attack via a malicious packet. Please consider including the patch, I've attached the debdiff for stable. Cheers Steffen
diff -u strongswan-4.2.4/debian/changelog strongswan-4.2.4/debian/changelog --- strongswan-4.2.4/debian/changelog +++ strongswan-4.2.4/debian/changelog @@ -1,3 +1,11 @@ +strongswan (4.2.4-5+lenny1) stable-security; urgency=high + + * Non-maintainer upload by the security team + * Fix DoS issue via malicious Dead Peer Detection packet + Fixes: CVE-2009-0790 + + -- Steffen Joeris <wh...@debian.org> Tue, 24 Mar 2009 12:31:39 +0000 + strongswan (4.2.4-5) unstable; urgency=high Reason for urgency high: this is potentially security relevant. diff -u strongswan-4.2.4/debian/patches/00list strongswan-4.2.4/debian/patches/00list --- strongswan-4.2.4/debian/patches/00list +++ strongswan-4.2.4/debian/patches/00list @@ -1,0 +2 @@ +02-CVE-2009-0790.dpatch only in patch2: unchanged: --- strongswan-4.2.4.orig/debian/patches/02-CVE-2009-0790.dpatch +++ strongswan-4.2.4/debian/patches/02-CVE-2009-0790.dpatch @@ -0,0 +1,31 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run + +...@dpatch@ +diff -urN strongswan-4.2.13/src/pluto/ipsec_doi.c strongswan-4.2.13-patched/src/pluto/ipsec_doi.c +--- strongswan-4.2.13/src/pluto/ipsec_doi.c 2009-03-21 09:41:49.000000000 +0100 ++++ strongswan-4.2.4/src/pluto/ipsec_doi.c 2009-03-21 09:50:06.000000000 +0100 +@@ -5446,9 +5446,9 @@ + time_t tm = now(); + u_int32_t seqno; + +- if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state)) ++ if (!st || !IS_ISAKMP_SA_ESTABLISHED(st->st_state)) + { +- loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISKAMP SA"); ++ loglog(RC_LOG_SERIOUS, "DPD: Received R_U_THERE for unestablished ISAKMP SA"); + return STF_IGNORE; + } + if (n->isan_spisize != COOKIE_SIZE * 2 || pbs_left(pbs) < COOKIE_SIZE * 2) +@@ -5516,10 +5516,10 @@ + { + u_int32_t seqno; + +- if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state)) ++ if (!st || !IS_ISAKMP_SA_ESTABLISHED(st->st_state)) + { + loglog(RC_LOG_SERIOUS +- , "DPD: Received R_U_THERE_ACK for unestablished ISKAMP SA"); ++ , "DPD: Received R_U_THERE_ACK for unestablished ISAKMP SA"); + return STF_FAIL; + } +