Bug#867986: CVE-2016-10396

2017-07-27 Thread Moritz Muehlenhoff
On Thu, Jul 27, 2017 at 10:35:36AM -0700, Noah Meyerhans wrote:
> On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote:
> > 
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396   
> 
> Hi Moritz. I assume your intent was not to issue a DSA for this since
> it's been a known issue for nearly a year. Under that assumption I've
> gone ahead with a package update targeting the next stable release
> update and am planning on updating oldstable as well. Apologies if I was
> incorrect in my assumption.

Ack, that makes perfect sense. 

Cheers,
Moritz



Bug#867986: CVE-2016-10396

2017-07-27 Thread Noah Meyerhans
On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote:
> 
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396   

Hi Moritz. I assume your intent was not to issue a DSA for this since
it's been a known issue for nearly a year. Under that assumption I've
gone ahead with a package update targeting the next stable release
update and am planning on updating oldstable as well. Apologies if I was
incorrect in my assumption.

noah





Bug#867986: [Pkg-ipsec-tools-devel] Bug#867986: CVE-2016-10396

2017-07-25 Thread Noah Meyerhans
On Wed, Jul 19, 2017 at 10:29:41AM -0400, Antoine Beaupre wrote:
> It sure looks like that patch is not correct. Jiri Bohac from Novell
> found that it introduced a regression that could lead to another DoS:
> 
> https://bugzilla.novell.com/show_bug.cgi?id=1047443#c1

Updated debdiff is attached. Still haven't been able to perform any
meaningful tests.

diff -Nru ipsec-tools-0.8.2+20140711/debian/changelog 
ipsec-tools-0.8.2+20140711/debian/changelog
--- ipsec-tools-0.8.2+20140711/debian/changelog 2016-12-01 01:49:16.0 
-0800
+++ ipsec-tools-0.8.2+20140711/debian/changelog 2017-07-18 10:22:32.0 
-0700
@@ -1,3 +1,9 @@
+ipsec-tools (1:0.8.2+20140711-9) UNRELEASED; urgency=medium
+
+  * Import NetBSD's patch to address CVE-2016-10396 (Closes: #867986)
+
+ -- Noah Meyerhans   Tue, 18 Jul 2017 17:22:32 +
+
 ipsec-tools (1:0.8.2+20140711-8) unstable; urgency=medium
 
   * Depend on libfl-dev to follow flex changes (Closes: #846430)
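Review bot: the changelog entry is unchanged from the first debdiff even though this revision carries the corrected upstream patch; the entry should say that it is the revised NetBSD fix for the regression reported at https://bugzilla.novell.com/show_bug.cgi?id=1047443, otherwise the stable and oldstable reviewers cannot tell the two uploads apart from the changelog alone.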
diff -Nru ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch 
ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch
--- ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch  
1969-12-31 16:00:00.0 -0800
+++ ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch  
2017-07-18 10:22:32.0 -0700
@@ -0,0 +1,201 @@
+Description: Fix remotely exploitable DoS. 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
+Source: vendor; 
https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
+Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
+
+Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c
+===
+--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c
 pkg-ipsec-tools/src/racoon/isakmp_frag.c
+@@ -1,4 +1,4 @@
+-/*$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $   */
++/*$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $  
*/
+ 
+ /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
+ 
+@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
+   return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
+ }
+ 
++static int 
++isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
++{
++  struct isakmp_frag_item *pitem = NULL;
++  struct isakmp_frag_item *citem = iph1->frag_chain;
++
++  /* no frag yet, just insert at beginning of list */
++  if (iph1->frag_chain == NULL) {
++  iph1->frag_chain = item;
++  return 0;
++  }
++
++  do {
++  /* duplicate fragment number, abort (CVE-2016-10396) */
++  if (citem->frag_num == item->frag_num)
++  return -1;
++
++  /* need to insert before current item */
++  if (citem->frag_num > item->frag_num) {
++  if (pitem != NULL)
++  pitem->frag_next = item;
++  else
++  /* insert at the beginning of the list  */
++  iph1->frag_chain = item;
++  item->frag_next = citem;
++  return 0;
++  }
++
++  pitem = citem;
++  citem = citem->frag_next;
++  } while (citem != NULL);
++
++  /* we reached the end of the list, insert */
++  pitem->frag_next = item;
++  return 0;
++}
++
+ int 
+ isakmp_frag_extract(iph1, msg)
+   struct ph1handle *iph1;
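Review bot: isakmp_frag_insert() returns -1 for a duplicate without linking or freeing item, so ownership of item and item->frag_packet stays with the caller, but nothing in the function says so; add a header comment such as `/* returns -1 if frag_num is already in the chain; item is not linked and the caller must free it */` so the -1 branch in every caller is written with that in mind. Style: on the head-insertion path the comment sits between `else` and its single statement (`else` / `/* insert at the beginning of the list */` / `iph1->frag_chain = item;`), which is easy to misread as a dangling else; brace that branch.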
+@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
+   item->frag_next = NULL;
+   item->frag_packet = buf;
+ 
+-  /* Look for the last frag while inserting the new item in the chain */
+-  if (item->frag_last)
+-  last_frag = item->frag_num;
++  /* Check for the last frag before inserting the new item in the chain */
++  if (item->frag_last) {
++  /* if we have the last fragment, indices must match */
++  if (iph1->frag_last_index != 0 &&
++  item->frag_last != iph1->frag_last_index) {
++  plog(LLV_ERROR, LOCATION, NULL,
++   "Repeated last fragment index mismatch\n");
++  racoon_free(item);
++  vfree(buf);
++  return -1;
++  }
+ 
+-  if (iph1->frag_chain == NULL) {
+-  iph1->frag_chain = item;
+-  } else {
+-  struct isakmp_frag_item *current;
++  last_frag = iph1->frag_last_index = item->frag_num;
++  }
+ 
+-  current = iph1->frag_chain;
+-  while (current->frag_next) {
+-  if (current->frag_last)
+-  last_frag = item->frag_num;
+-  current = current->frag_next;
+-  }
+-  current->frag_next = item;
++  /* insert fragment into chain */
++  if (isakmp_frag_insert(iph1, item) == -1) {
++ 
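Review bot: the repeated-LAST check compares the wrong field. `item->frag_last != iph1->frag_last_index` tests the LAST flag, which the enclosing `if (item->frag_last)` already treats as a boolean, against a fragment number that is assigned from item->frag_num on the line below, so whether a second LAST fragment with a different number is rejected depends on the numeric value stored in the flag rather than on the fragment number. Compare `item->frag_num != iph1->frag_last_index` instead; that is what the comment "indices must match" describes.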

Bug#867986: [Pkg-ipsec-tools-devel] Bug#867986: CVE-2016-10396

2017-07-19 Thread Antoine Beaupre
On Tue, Jul 18, 2017 at 01:53:09PM -0400, Noah Meyerhans wrote:
> Control: tags -1 + pending patch
> 
> On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote:
> > 
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396   
> > 
> 
> I believe that the attached debdiff, derived from NetBSD's fix, should
> address this problem. It should apply with only metadata modifications
> as far back as oldstable.
> 
> I'll upload to unstable as soon as I've satisfied myself that the update
> doesn't introduce any regressions. I don't believe there's a PoC for the
> attack, so I don't know that we'll be able to confirm definitively that
> the issue is resolved. If anybody has PoC code or is interested in
> putting some together, I'd be interested in testing the fix more
> thoroughly...
> 
> Uploads targeting (old)stable will follow shortly after unstable,
> assuming no issues.

It sure looks like that patch is not correct. Jiri Bohac from Novell
found that it introduced a regression that could lead to another DoS:

https://bugzilla.novell.com/show_bug.cgi?id=1047443#c1

This was added to the NetBSD bug, but no response yet.

I'll see if I can test this, but hold on to your uploads for now.

A.


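The two failure modes argued over in this thread, a repeated fragment number and a fragment whose number is lower than the current head of the chain, are easier to reason about in a stand-alone model than inside racoon. The following is an added example, not racoon's code and not the NetBSD or Novell patch: a sorted fragment chain with duplicate rejection, last-fragment bookkeeping that compares fragment numbers, and a completeness check before reassembly. All names (frag_item, frag_chain, frag_chain_add, frag_chain_demo) and the fragment layout are this example's own, and the rejection of a fragment numbered beyond the announced last fragment is an extra check that the patch does not make. The scenario in frag_chain_demo is constructed.

```c
/* Added example, not racoon's code: a stand-alone model of the sorted
 * fragment chain that the CVE-2016-10396 fix introduces. Names and the
 * fragment layout are this example's own; it is not an ISAKMP parser. */
#include <stdlib.h>
#include <string.h>

struct frag_item {
    unsigned frag_num;              /* 1-based fragment number */
    int frag_last;                  /* nonzero when the LAST flag was set */
    struct frag_item *frag_next;
    char *data;
    size_t len;
};

struct frag_chain {
    struct frag_item *head;         /* kept sorted by frag_num */
    unsigned last_index;            /* frag_num carrying LAST, 0 = not seen yet */
};

/* Sorted insert that refuses a second fragment with the same number.
 * Returns 0 on success, -1 on a duplicate; on -1 item is not linked and
 * the caller still owns it. */
static int frag_chain_insert(struct frag_chain *c, struct frag_item *item)
{
    struct frag_item *prev = NULL, *cur = c->head;

    for (; cur != NULL; prev = cur, cur = cur->frag_next) {
        if (cur->frag_num == item->frag_num)
            return -1;              /* duplicate fragment number */
        if (cur->frag_num > item->frag_num)
            break;                  /* item goes in front of cur */
    }
    item->frag_next = cur;
    if (prev == NULL)
        c->head = item;             /* new smallest number: update the head */
    else
        prev->frag_next = item;
    return 0;
}

/* Accept one received fragment. Returns 0 if it was queued, -1 if it was
 * rejected; a rejected fragment is released before returning. */
int frag_chain_add(struct frag_chain *c, unsigned num, int last,
                   const char *data, size_t len)
{
    struct frag_item *item;

    if (num == 0)
        return -1;                  /* numbers are 1-based */
    if (last) {
        /* a repeated LAST fragment must carry the same number:
         * compare the number, not the flag */
        if (c->last_index != 0 && c->last_index != num)
            return -1;
    } else if (c->last_index != 0 && num > c->last_index) {
        return -1;                  /* past the announced end (extra check, not in the patch) */
    }

    item = calloc(1, sizeof *item);
    if (item == NULL)
        return -1;
    item->data = malloc(len ? len : 1);
    if (item->data == NULL) {
        free(item);
        return -1;
    }
    memcpy(item->data, data, len);
    item->len = len;
    item->frag_num = num;
    item->frag_last = last;

    if (frag_chain_insert(c, item) == -1) {
        free(item->data);           /* rejected duplicate: release it */
        free(item);
        return -1;
    }
    if (last)
        c->last_index = num;        /* record only once the item is queued */
    return 0;
}

/* 1 when fragments 1..last_index are all queued and nothing else is, else 0 */
int frag_chain_complete(const struct frag_chain *c)
{
    const struct frag_item *it;
    unsigned expect = 1;

    if (c->last_index == 0)
        return 0;
    for (it = c->head; it != NULL; it = it->frag_next, expect++)
        if (it->frag_num != expect)
            return 0;
    return expect == c->last_index + 1;
}

/* Concatenate the fragments in order into a fresh NUL-terminated buffer.
 * Returns NULL while the chain is incomplete. */
char *frag_chain_reassemble(const struct frag_chain *c, size_t *outlen)
{
    const struct frag_item *it;
    size_t total = 0, off = 0;
    char *out;

    if (!frag_chain_complete(c))
        return NULL;
    for (it = c->head; it != NULL; it = it->frag_next)
        total += it->len;
    out = malloc(total + 1);
    if (out == NULL)
        return NULL;
    for (it = c->head; it != NULL; it = it->frag_next) {
        memcpy(out + off, it->data, it->len);
        off += it->len;
    }
    out[total] = '\0';
    if (outlen != NULL)
        *outlen = total;
    return out;
}

void frag_chain_free(struct frag_chain *c)
{
    struct frag_item *it = c->head, *next;

    while (it != NULL) {
        next = it->frag_next;
        free(it->data);
        free(it);
        it = next;
    }
    c->head = NULL;
    c->last_index = 0;
}

/* Constructed scenario: fragments arrive out of order, fragment 2 is
 * replayed, a fragment past the end is offered, and the smallest number
 * arrives last. Returns 1 if the bad fragments are refused and the
 * message still reassembles to "hello world". */
int frag_chain_demo(void)
{
    struct frag_chain c = { NULL, 0 };
    char *msg;
    int ok;

    ok  = frag_chain_add(&c, 3, 1, "ld", 2) == 0;       /* LAST, arrives first */
    ok &= frag_chain_add(&c, 2, 0, "o wor", 5) == 0;
    ok &= frag_chain_add(&c, 2, 0, "o wor", 5) == -1;   /* replay: refused */
    ok &= frag_chain_add(&c, 4, 0, "junk", 4) == -1;    /* beyond LAST: refused */
    ok &= !frag_chain_complete(&c);                     /* fragment 1 still missing */
    ok &= frag_chain_add(&c, 1, 0, "hell", 4) == 0;     /* goes in front of the head */
    msg = frag_chain_reassemble(&c, NULL);
    ok &= msg != NULL && strcmp(msg, "hello world") == 0;
    free(msg);
    frag_chain_free(&c);
    return ok;
}
```

frag_chain_demo() exercises out-of-order arrival, a replayed fragment and a fragment that must go in front of the head; it returns 1 when the replay is refused and the message reassembles to the expected text.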


Processed: Re: [Pkg-ipsec-tools-devel] Bug#867986: CVE-2016-10396

2017-07-18 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending patch
Bug #867986 [racoon] CVE-2016-10396
Added tag(s) pending and patch.

-- 
867986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#867986: [Pkg-ipsec-tools-devel] Bug#867986: CVE-2016-10396

2017-07-18 Thread Noah Meyerhans
Control: tags -1 + pending patch

On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote:
> 
> Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396   
> 

I believe that the attached debdiff, derived from NetBSD's fix, should
address this problem. It should apply with only metadata modifications
as far back as oldstable.

I'll upload to unstable as soon as I've satisfied myself that the update
doesn't introduce any regressions. I don't believe there's a PoC for the
attack, so I don't know that we'll be able to confirm definitively that
the issue is resolved. If anybody has PoC code or is interested in
putting some together, I'd be interested in testing the fix more
thoroughly...

Uploads targeting (old)stable will follow shortly after unstable,
assuming no issues.

noah

diff -Nru ipsec-tools-0.8.2+20140711/debian/changelog 
ipsec-tools-0.8.2+20140711/debian/changelog
--- ipsec-tools-0.8.2+20140711/debian/changelog 2016-12-01 09:49:16.0 
+
+++ ipsec-tools-0.8.2+20140711/debian/changelog 2017-07-18 17:22:32.0 
+
@@ -1,3 +1,9 @@
+ipsec-tools (1:0.8.2+20140711-9) UNRELEASED; urgency=medium
+
+  * Import NetBSD's patch to address CVE-2016-10396 (Closes: #867986)
+
+ -- Noah Meyerhans   Tue, 18 Jul 2017 17:22:32 +
+
 ipsec-tools (1:0.8.2+20140711-8) unstable; urgency=medium
 
   * Depend on libfl-dev to follow flex changes (Closes: #846430)
diff -Nru ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch 
ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch
--- ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch  
1970-01-01 00:00:00.0 +
+++ ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch  
2017-07-18 17:22:32.0 +
@@ -0,0 +1,194 @@
+Description: Fix remotely exploitable DoS. 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
+Source: vendor; 
https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
+Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
+
+--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c
 pkg-ipsec-tools/src/racoon/isakmp_frag.c
+@@ -1,4 +1,4 @@
+-/*$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $   */
++/*$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $  
*/
+ 
+ /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
+ 
+@@ -173,6 +173,38 @@ vendorid_frag_cap(gen)
+   return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
+ }
+ 
++static int 
++isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
++{
++  struct isakmp_frag_item *pitem = NULL;
++  struct isakmp_frag_item *citem = iph1->frag_chain;
++
++  if (iph1->frag_chain == NULL) {
++  iph1->frag_chain = item;
++  return 0;
++  }
++
++  do {
++  if (citem->frag_num == item->frag_num)
++  return -1;
++
++  if (citem->frag_num > item->frag_num) {
++  if (pitem)
++  pitem->frag_next = item;
++  item->frag_next = citem;
++  break;
++  }
++
++  pitem = citem;
++  citem = citem->frag_next;
++  } while (citem != NULL);
++
++  /* we reached the end of the list, insert */
++  if (citem == NULL)
++pitem->frag_next = item;
++  return 0;
++}
++
+ int 
+ isakmp_frag_extract(iph1, msg)
+   struct ph1handle *iph1;
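Review bot: the head-insertion case drops the fragment. When `citem->frag_num > item->frag_num` holds on the first iteration, pitem is NULL, so only `item->frag_next = citem` runs and iph1->frag_chain still points at citem; the new item is reachable from nothing, is never freed, and reassembly can never complete because that fragment number is absent from the chain. Add an else branch that sets `iph1->frag_chain = item` when pitem is NULL. With that in place the `if (citem == NULL)` guard after the loop is only needed because of the break; returning 0 directly from the insert-before branch reads more clearly.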
+@@ -224,39 +256,43 @@ isakmp_frag_extract(iph1, msg)
+   item->frag_next = NULL;
+   item->frag_packet = buf;
+ 
+-  /* Look for the last frag while inserting the new item in the chain */
+-  if (item->frag_last)
+-  last_frag = item->frag_num;
++  /* Check for the last frag before inserting the new item in the chain */
++  if (item->frag_last) {
++  /* if we have the last fragment, indices must match */
++  if (iph1->frag_last_index != 0 &&
++  item->frag_last != iph1->frag_last_index) {
++  plog(LLV_ERROR, LOCATION, NULL,
++   "Repeated last fragment index mismatch\n");
++  racoon_free(item);
++  vfree(buf);
++  return -1;
++  }
+ 
+-  if (iph1->frag_chain == NULL) {
+-  iph1->frag_chain = item;
+-  } else {
+-  struct isakmp_frag_item *current;
++  last_frag = iph1->frag_last_index = item->frag_num;
++  }
+ 
+-  current = iph1->frag_chain;
+-  while (current->frag_next) {
+-  if (current->frag_last)
+-  last_frag = item->frag_num;
+-  current = current->frag_next;
+-  }
+-  current->frag_next = item;
++  /* insert fragment into chain */
++  if (isakmp_frag_insert(iph1, item) == -1) {
++  
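Review bot: the hunk is cut off at the `isakmp_frag_insert(iph1, item) == -1` branch; whatever follows has to release both allocations the way the mismatch path just above does (`racoon_free(item);` and `vfree(buf);`), since a duplicate that the insert refuses is never linked into the chain and would otherwise leak on every replayed fragment.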

Bug#867986: CVE-2016-10396

2017-07-10 Thread Moritz Muehlenhoff
Package: racoon
Severity: grave
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396   

Cheers,
Moritz