Bug#929916: libreswan: CVE-2019-12312
Hi Daniel!

On Mon, Jun 03, 2019 at 12:24:08PM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2019-06-03 06:26:28 +0200, Salvatore Bonaccorso wrote:
> > Source: libreswan
> > Version: 3.27-4
> > Severity: grave
> > Tags: patch security upstream fixed-upstream
> > Justification: user security hole
> > Forwarded: https://github.com/libreswan/libreswan/issues/246
> > Control: fixed -1 3.28-1
> >
> > The following vulnerability was published for libreswan.
> >
> > CVE-2019-12312[0]:
> > | In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
> > | daemon restart. An attacker can trigger a NULL pointer dereference by
> > | sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
> > | to a Libreswan server. This affects send_v2N_spi_response_from_state
> > | in programs/pluto/ikev2_send.c when built with Network Security
> > | Services (NSS).
>
> thanks for this heads-up, Salvatore.
>
> I'm working with upstream libreswan at patching this now, publishing my
> work on the debian/master branch in salsa.

The upstream issue lists
https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8
as the fixing commit, fwiw.

> out of curiosity, how was this CVE applied for, and how was it
> coordinated? When I pointed it out to libreswan upstream on the
> freenode IRC #swan, it sounded like they had never heard of it.

I do not know. The CVE appeared for us on the radar via the MITRE feed
update. Could be that the reporter of the upstream issue did request a
CVE on their own. If you ask MITRE, though, they would not disclose who
requested a specific CVE, so we might not know in the end. I suspect it
was not coordinated at all with upstream.

> thanks for all you do for debian security!

likewise for all your contributions within Debian!

Regards,
Salvatore
Bug#929916: libreswan: CVE-2019-12312
On Mon 2019-06-03 06:26:28 +0200, Salvatore Bonaccorso wrote:
> Source: libreswan
> Version: 3.27-4
> Severity: grave
> Tags: patch security upstream fixed-upstream
> Justification: user security hole
> Forwarded: https://github.com/libreswan/libreswan/issues/246
> Control: fixed -1 3.28-1
>
> The following vulnerability was published for libreswan.
>
> CVE-2019-12312[0]:
> | In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
> | daemon restart. An attacker can trigger a NULL pointer dereference by
> | sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
> | to a Libreswan server. This affects send_v2N_spi_response_from_state
> | in programs/pluto/ikev2_send.c when built with Network Security
> | Services (NSS).

thanks for this heads-up, Salvatore.

I'm working with upstream libreswan at patching this now, publishing my
work on the debian/master branch in salsa.

out of curiosity, how was this CVE applied for, and how was it
coordinated? When I pointed it out to libreswan upstream on the
freenode IRC #swan, it sounded like they had never heard of it.

thanks for all you do for debian security!

--dkg
Bug#929916: libreswan: CVE-2019-12312
Source: libreswan
Version: 3.27-4
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole
Forwarded: https://github.com/libreswan/libreswan/issues/246
Control: fixed -1 3.28-1

Hi,

The following vulnerability was published for libreswan.

CVE-2019-12312[0]:
| In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
| daemon restart. An attacker can trigger a NULL pointer dereference by
| sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
| to a Libreswan server. This affects send_v2N_spi_response_from_state
| in programs/pluto/ikev2_send.c when built with Network Security
| Services (NSS).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12312
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12312
[1] https://github.com/libreswan/libreswan/issues/246
[2] https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8

Regards,
Salvatore