Hello community, here is the log from the commit of package ipsec-tools for openSUSE:Factory checked in at 2018-01-29 14:58:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ipsec-tools (Old) and /work/SRC/openSUSE:Factory/.ipsec-tools.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ipsec-tools" Mon Jan 29 14:58:37 2018 rev:43 rq:570401 version:0.8.2 Changes: -------- --- /work/SRC/openSUSE:Factory/ipsec-tools/ipsec-tools.changes 2017-12-02 13:12:37.494101681 +0100 +++ /work/SRC/openSUSE:Factory/.ipsec-tools.new/ipsec-tools.changes 2018-01-29 15:00:15.458672836 +0100 @@ -1,0 +2,6 @@ +Fri Jan 26 17:07:35 UTC 2018 - jbo...@suse.com + +- avoid-dos-with-fragment-out-of-order.patch (bsc#1047443, + CVE-2016-10396) + +------------------------------------------------------------------- New: ---- avoid-dos-with-fragment-out-of-order.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ipsec-tools.spec ++++++ --- /var/tmp/diff_new_pack.e38XEY/_old 2018-01-29 15:00:16.838608363 +0100 +++ /var/tmp/diff_new_pack.e38XEY/_new 2018-01-29 15:00:16.846607989 +0100 @@ -1,7 +1,7 @@ # # spec file for package ipsec-tools # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -42,6 +42,7 @@ Patch5: racoon-fips-rsa.patch Patch6: racoon-no-md5.patch Patch7: ipsec-tools-openssl1.1.patch +Patch8: avoid-dos-with-fragment-out-of-order.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: fdupes @@ -82,6 +83,8 @@ if pkg-config --atleast-version=1.1.0 libssl; then %patch7 -p1 fi +%patch8 + ./bootstrap sed -i 's|-Werror||g' configure ++++++ avoid-dos-with-fragment-out-of-order.patch ++++++ 
From: Antoine_Beaupre <anar...@orangeseeds.org> Acked-by: Jiri Bohac <jbo...@suse.cz> Subject: PR/51682: Avoid DoS with fragment out of order insertion; keep fragments sorted in the list. References: bsc#1047443, CVE-2016-10396 Index: src/racoon/handler.h =================================================================== --- src/racoon/handler.h.orig 2018-01-26 18:05:21.114764376 +0100 +++ src/racoon/handler.h 2018-01-26 18:05:33.986741103 +0100 @@ -141,6 +141,7 @@ struct ph1handle { #endif #ifdef ENABLE_FRAG int frag; /* IKE phase 1 fragmentation */ + int frag_last_index; struct isakmp_frag_item *frag_chain; /* Received fragments */ #endif Index: src/racoon/isakmp.c =================================================================== --- src/racoon/isakmp.c.orig 2018-01-26 18:05:21.118764369 +0100 +++ src/racoon/isakmp.c 2018-01-26 18:05:33.986741103 +0100 @@ -1069,6 +1069,7 @@ isakmp_ph1begin_i(rmconf, remote, local) iph1->frag = 1; else iph1->frag = 0; + iph1->frag_last_index = 0; iph1->frag_chain = NULL; #endif iph1->approval = NULL; @@ -1173,6 +1174,7 @@ isakmp_ph1begin_r(msg, remote, local, et #endif #ifdef ENABLE_FRAG iph1->frag = 0; + iph1->frag_last_index = 0; iph1->frag_chain = NULL; #endif iph1->approval = NULL; Index: src/racoon/isakmp_frag.c =================================================================== --- src/racoon/isakmp_frag.c.orig 2018-01-26 18:05:21.118764369 +0100 +++ src/racoon/isakmp_frag.c 2018-01-26 18:05:33.986741103 +0100 
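Review bot: The new `frag_last_index` member in handler.h is the only field of the `#ifdef ENABLE_FRAG` group without a comment, and its meaning is not obvious from the name: judging by its use in isakmp_frag.c it holds the frag_num of the fragment flagged last and stays 0 until one has been seen. Suggest `int frag_last_index; /* frag_num of the fragment flagged last, 0 = none seen yet */`. The zero initialisations added in isakmp.c (both hunks) and isakmp_inf.c are consistent with that convention; whether the field is also reset wherever frag_chain is released cannot be seen from this patch.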
@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); } +static int +isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) +{ + struct isakmp_frag_item *pitem = NULL; + struct isakmp_frag_item *citem = iph1->frag_chain; + + /* no frag yet, just insert at beginning of list */ + if (iph1->frag_chain == NULL) { + iph1->frag_chain = item; + return 0; + } + + do { + /* duplicate fragment number, abort (CVE-2016-10396) */ + if (citem->frag_num == item->frag_num) + return -1; + + /* need to insert before current item */ + if (citem->frag_num > item->frag_num) { + if (pitem != NULL) + pitem->frag_next = item; + else + /* insert at the beginning of the list */ + iph1->frag_chain = item; + item->frag_next = citem; + return 0; + } + + pitem = citem; + citem = citem->frag_next; + } while (citem != NULL); + + /* we reached the end of the list, insert */ + pitem->frag_next = item; + return 0; +} + int isakmp_frag_extract(iph1, msg) struct ph1handle *iph1; 
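Review bot: isakmp_frag_insert has no header comment, yet its contract matters to the caller: on -1 the item has not been linked into the chain and the caller still owns it, and the append path at the end relies on `item->frag_next` already being NULL (which isakmp_frag_extract sets before calling). Suggest a comment above `static int` along the lines of `/* Insert item into iph1->frag_chain, keeping the chain sorted by frag_num. Returns 0 on success, -1 if a fragment with the same frag_num is already chained; on -1 item is not linked and the caller must free it. item->frag_next must be NULL on entry. */`. The `do { } while` is only safe because of the empty-chain early return above it; a plain `while (citem != NULL)` loop would not depend on that.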
@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) item->frag_next = NULL; item->frag_packet = buf; - /* Look for the last frag while inserting the new item in the chain */ - if (item->frag_last) - last_frag = item->frag_num; + /* Check for the last frag before inserting the new item in the chain */ + if (item->frag_last) { + /* if we have the last fragment, indices must match */ + if (iph1->frag_last_index != 0 && + item->frag_last != iph1->frag_last_index) { + plog(LLV_ERROR, LOCATION, NULL, + "Repeated last fragment index mismatch\n"); + racoon_free(item); + vfree(buf); + return -1; + } - if (iph1->frag_chain == NULL) { - iph1->frag_chain = item; - } else { - struct isakmp_frag_item *current; + last_frag = iph1->frag_last_index = item->frag_num; + } - current = iph1->frag_chain; - while (current->frag_next) { - if (current->frag_last) - last_frag = item->frag_num; - current = current->frag_next; - } - current->frag_next = item; + /* insert fragment into chain */ + if (isakmp_frag_insert(iph1, item) == -1) { + plog(LLV_ERROR, LOCATION, NULL, + "Repeated fragment index mismatch\n"); + racoon_free(item); + vfree(buf); + return -1; } - /* If we saw the last frag, check if the chain is complete */ + /* If we saw the last frag, check if the chain is complete + * we have a sorted list now, so just walk through */ if (last_frag != 0) { + item = iph1->frag_chain; for (i = 1; i <= last_frag; i++) { - item = iph1->frag_chain; - do { - if (item->frag_num == i) - break; - item = item->frag_next; - } while (item != NULL); - + if (item->frag_num != i) + break; + item = item->frag_next; if (item == NULL) /* Not found */ break; } - if (item != NULL) /* It is complete */ + if (i > last_frag) /* It is complete */ return 1; } 
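Review bot: The new completeness walk never reports a complete chain when the fragment numbered `last_frag` is the final element: on the iteration where `i == last_frag`, `item = item->frag_next` becomes NULL and `if (item == NULL) break;` leaves the loop before `i++`, so `i > last_frag` is false and reassembly is not triggered for a fully received message. Moving the NULL test into the loop condition fixes it: `for (i = 1; i <= last_frag && item != NULL; i++) { if (item->frag_num != i) break; item = item->frag_next; }` with the separate `if (item == NULL)` break dropped. Separately, the last-fragment check compares `item->frag_last`, which the surrounding code treats as a flag (`if (item->frag_last)`), against `iph1->frag_last_index`, which holds a fragment number; presumably `item->frag_num != iph1->frag_last_index` was intended, since as written the outcome depends on the flag's value rather than on whether the indices agree. The `"Repeated fragment index mismatch\n"` message on the isakmp_frag_insert failure path is also misleading, as -1 there means a duplicate fragment number; `"Duplicate fragment index\n"` would describe it.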
@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1) } data = buf->v; + item = iph1->frag_chain; for (i = 1; i <= frag_count; i++) { - item = iph1->frag_chain; - do { - if (item->frag_num == i) - break; - item = item->frag_next; - } while (item != NULL); - - if (item == NULL) { + if (item->frag_num != i) { plog(LLV_ERROR, LOCATION, NULL, "Missing fragment #%d\n", i); vfree(buf); @@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1) } memcpy(data, item->frag_packet->v, item->frag_packet->l); data += item->frag_packet->l; + item = item->frag_next; } out: diff -u -p -r1.50 -r1.51 --- src/racoon/isakmp_inf.c 2013/04/12 09:53:10 1.50 +++ src/racoon/isakmp_inf.c 2017/01/24 19:23:56 1.51 @@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca #endif #ifdef ENABLE_FRAG iph1->frag = 0; + iph1->frag_last_index = 0; iph1->frag_chain = NULL; #endif
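Review bot: In isakmp_frag_reassembly the sorted walk dereferences `item` with no NULL check: if the chain holds fewer than `frag_count` entries, the `item = item->frag_next;` added in the `@@ -308` hunk yields NULL and the next iteration's `item->frag_num` dereferences it, where the old search loop reported "Missing fragment" instead. Whether a short chain can reach this point depends on isakmp_frag_extract's completeness check and on how `frag_count` is computed, both outside this hunk, so the guard is cheap insurance: `if (item == NULL || item->frag_num != i) {` keeps the existing error path. The start of the function, including the `frag_count` computation and the buffer allocation, lies before this hunk.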