Hi,
given the long history of NMUs for this package...
... attached is a patch for a 0-day NMU fixing this 
vulnerability.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ipsec-tools-0.7.1/debian/changelog ipsec-tools-0.7.1/debian/changelog
--- ipsec-tools-0.7.1/debian/changelog
+++ ipsec-tools-0.7.1/debian/changelog
@@ -1,3 +1,11 @@
+ipsec-tools (1:0.7.1-1.5) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix multiple memory leaks in NAT traversal and RSA authentication
+    code of racoon leading to DoS because (CVE-2009-1632; Closes: #528933).
+
+ -- Nico Golde <[email protected]>  Tue, 19 May 2009 13:26:14 +0200
+
 ipsec-tools (1:0.7.1-1.4) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
only in patch2:
unchanged:
--- ipsec-tools-0.7.1.orig/src/racoon/nattraversal.c
+++ ipsec-tools-0.7.1/src/racoon/nattraversal.c
@@ -319,6 +319,15 @@
       iph1->natt_flags |= NAT_ANNOUNCED;
 }
 
+static void
+natt_keepalive_delete (struct natt_ka_addrs *ka)
+{
+  TAILQ_REMOVE (&ka_tree, ka, chain);
+  racoon_free (ka->src);
+  racoon_free (ka->dst);
+  racoon_free (ka);
+}
+
 /* NAT keepalive functions */
 static void
 natt_keepalive_send (void *param)
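Review bot: The new helper natt_keepalive_delete() has no comment and sits above the `/* NAT keepalive functions */` banner, so it reads as if it belonged to the preceding announce code. I would move it below the banner and add `/* Unlink ka from ka_tree and free it together with its src and dst address copies. */`. The comment matters because the helper now encodes an ownership rule: every entry on ka_tree must own heap copies of both addresses. The allocation site is outside this hunk, so it is worth confirming that no path links an entry whose `src` or `dst` is shared or unset.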
@@ -333,8 +342,7 @@
     
     s = getsockmyaddr(ka->src);
     if (s == -1) {
-      TAILQ_REMOVE (&ka_tree, ka, chain);
-      racoon_free (ka);
+      natt_keepalive_delete(ka);
       continue;
     }
     plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n", 
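Review bot: After `natt_keepalive_delete(ka);` the `continue` returns to the loop header with `ka` already freed, and the third hunk of this file does the same where its comment says the traversal goes on. The loop headers are outside both hunks, so this is a question rather than a finding: if either loop is a plain `TAILQ_FOREACH (ka, &ka_tree, chain)`, the step reads `ka->chain` from freed memory. Saving the successor first, with `next = TAILQ_NEXT (ka, chain);` at the top of the body and `ka = next` as the loop step, makes removal during iteration safe. The call here also lacks the space before the parenthesis that the rest of the file uses.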
@@ -435,8 +443,7 @@
 
       plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
 
-      TAILQ_REMOVE (&ka_tree, ka, chain);
-      racoon_free (ka);
+      natt_keepalive_delete (ka);
       /* Should we break here? Every pair of addresses should 
          be inserted only once, but who knows :-) Lets traverse 
 	 the whole list... */
only in patch2:
unchanged:
--- ipsec-tools-0.7.1.orig/src/racoon/crypto_openssl.c
+++ ipsec-tools-0.7.1/src/racoon/crypto_openssl.c
@@ -901,12 +901,14 @@
 	evp = X509_get_pubkey(x509);
 	if (! evp) {
 		plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey(): %s\n", eay_strerror());
+		X509_free(x509);
 		return -1;
 	}
 
 	res = eay_rsa_verify(source, sig, evp->pkey.rsa);
 
 	EVP_PKEY_free(evp);
+	X509_free(x509);
 
 	return res;
 }
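Review bot: `evp->pkey.rsa` is passed to eay_rsa_verify() without any check that the certificate's public key is actually RSA. `pkey` is a union, so a peer certificate carrying another key type would hand the verifier a pointer that is not an RSA structure. Unless the caller already guarantees the key type (not visible here, the function starts outside the hunk), a guard before the verify call would close this: `if (evp->type != EVP_PKEY_RSA) { EVP_PKEY_free(evp); X509_free(x509); return -1; }`. That guard also keeps the two X509_free() calls added here balanced on the new exit path.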

Attachment: pgpA669hzxdfw.pgp
Description: PGP signature
