Bug#867986: CVE-2016-10396
On Thu, Jul 27, 2017 at 10:35:36AM -0700, Noah Meyerhans wrote: > On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote: > > > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 > > Hi Moritz. I assume your intent was not to issue a DSA for this since > it's been a known issue for nearly a year. Under that assumption I've > gone ahead with a package update targeting the next stable release > update and am planning on updating oldstable as well. Apologies if I was > incorrect in my assumption. Ack, that makes perfect sense. Cheers, Moritz
Bug#867986: CVE-2016-10396
On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote: > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 Hi Moritz. I assume your intent was not to issue a DSA for this since it's been a known issue for nearly a year. Under that assumption I've gone ahead with a package update targeting the next stable release update and am planning on updating oldstable as well. Apologies if I was incorrect in my assumption. noah signature.asc Description: PGP signature
Bug#867986: [Pkg-ipsec-tools-devel] Bug#867986: CVE-2016-10396
On Wed, Jul 19, 2017 at 10:29:41AM -0400, Antoine Beaupre wrote: > It sure looks like that patch is not correct. Jiri Bohac from Novell > found that it introduced a regression that could lead to another DoS: > > https://bugzilla.novell.com/show_bug.cgi?id=1047443#c1 Updated debdiff is attached. Still haven't been able to perform any meaningful tests. diff -Nru ipsec-tools-0.8.2+20140711/debian/changelog ipsec-tools-0.8.2+20140711/debian/changelog --- ipsec-tools-0.8.2+20140711/debian/changelog 2016-12-01 01:49:16.0 -0800 +++ ipsec-tools-0.8.2+20140711/debian/changelog 2017-07-18 10:22:32.0 -0700 @@ -1,3 +1,9 @@ +ipsec-tools (1:0.8.2+20140711-9) UNRELEASED; urgency=medium + + * Import NetBSD's patch to address CVE-2016-10396 (Closes: #867986) + + -- Noah MeyerhansTue, 18 Jul 2017 17:22:32 + + ipsec-tools (1:0.8.2+20140711-8) unstable; urgency=medium * Depend on libfl-dev to follow flex changes (Closes: #846430) diff -Nru ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch --- ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch 1969-12-31 16:00:00.0 -0800 +++ ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch 2017-07-18 10:22:32.0 -0700 
@@ -0,0 +1,201 @@ +Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 +Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 +Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 + +Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c +=== +--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c pkg-ipsec-tools/src/racoon/isakmp_frag.c +@@ -1,4 +1,4 @@ +-/*$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */ ++/*$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */ + + /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */ + +@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) + return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); + } + ++static int ++isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) ++{ ++ struct isakmp_frag_item *pitem = NULL; ++ struct isakmp_frag_item *citem = iph1->frag_chain; ++ ++ /* no frag yet, just insert at beginning of list */ ++ if (iph1->frag_chain == NULL) { ++ iph1->frag_chain = item; ++ return 0; ++ } ++ ++ do { ++ /* duplicate fragment number, abort (CVE-2016-10396) */ ++ if (citem->frag_num == item->frag_num) ++ return -1; ++ ++ /* need to insert before current item */ ++ if (citem->frag_num > item->frag_num) { ++ if (pitem != NULL) ++ pitem->frag_next = item; ++ else ++ /* insert at the beginning of the list */ ++ iph1->frag_chain = item; ++ item->frag_next = citem; ++ return 0; ++ } ++ ++ pitem = citem; ++ citem = citem->frag_next; ++ } while (citem != NULL); ++ ++ /* we reached the end of the list, insert */ ++ pitem->frag_next = item; ++ return 0; ++} ++ + int + isakmp_frag_extract(iph1, msg) + struct ph1handle *iph1; +@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) + item->frag_next = NULL; + item->frag_packet = buf; + +- /* Look for the last frag while inserting the new item in the chain */ +- if (item->frag_last) +- last_frag = item->frag_num; ++ /* Check for the last frag before 
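Review bot: The new isakmp_frag_insert has no header comment stating its contract, and its -1 return on a duplicate fragment number leaves `item` unlinked, so the caller is responsible for freeing `item` and `item->frag_packet`; that caller sits in the next hunk, which is cut off here, so the cleanup cannot be confirmed from this view. I would add above the definition: `/* Link item into iph1->frag_chain in ascending frag_num order. Returns 0 on success, -1 if a fragment with the same frag_num is already chained (CVE-2016-10396); on -1 item is not linked and the caller must free it and its packet. */`. Note also that a plain UDP retransmission of an already-received fragment now yields -1 as well; whether that tears down the whole reassembly or is merely dropped depends on the caller's handling outside this hunk, and is worth a sentence in the patch description.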
inserting the new item in the chain */ ++ if (item->frag_last) { ++ /* if we have the last fragment, indices must match */ ++ if (iph1->frag_last_index != 0 && ++ item->frag_last != iph1->frag_last_index) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "Repeated last fragment index mismatch\n"); ++ racoon_free(item); ++ vfree(buf); ++ return -1; ++ } + +- if (iph1->frag_chain == NULL) { +- iph1->frag_chain = item; +- } else { +- struct isakmp_frag_item *current; ++ last_frag = iph1->frag_last_index = item->frag_num; ++ } + +- current = iph1->frag_chain; +- while (current->frag_next) { +- if (current->frag_last) +- last_frag = item->frag_num; +- current = current->frag_next; +- } +- current->frag_next = item; ++ /* insert fragment into chain */ ++ if (isakmp_frag_insert(iph1, item) == -1) { ++
Bug#867986: [Pkg-ipsec-tools-devel] Bug#867986: CVE-2016-10396
On Tue, Jul 18, 2017 at 01:53:09PM -0400, Noah Meyerhans wrote: > Control: tags -1 + pending patch > > On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote: > > > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 > > > > I believe that the attached debdiff, derived from NetBSD's fix, should > address this problem. It should apply with only metadata modifications > as far back as oldstable. > > I'll upload to unstable as soon as I've satisfied myself that the update > doesn't introduce any regressions. I don't believe there's a PoC for the > attack, so I don't know that we'll be able to confirm definitively that > the issue is resolved. If anybody has PoC code or is interested in > putting some together, I'd be interested in testing the fix more > thoroughly... > > Uploads targeting (old)stable will follow shortly after unstable, > assuming no issues. It sure looks like that patch is not correct. Jiri Bohac from Novell found that it introduced a regression that could lead to another DoS: https://bugzilla.novell.com/show_bug.cgi?id=1047443#c1 This was added to the NetBSD bug, but no response yet. I'll see if I can test this, but hold on to your uploads for now. A. signature.asc Description: PGP signature
Processed: Re: [Pkg-ipsec-tools-devel] Bug#867986: CVE-2016-10396
Processing control commands: > tags -1 + pending patch Bug #867986 [racoon] CVE-2016-10396 Added tag(s) pending and patch. -- 867986: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
Bug#867986: [Pkg-ipsec-tools-devel] Bug#867986: CVE-2016-10396
Control: tags -1 + pending patch On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote: > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 > I believe that the attached debdiff, derived from NetBSD's fix, should address this problem. It should apply with only metadata modifications as far back as oldstable. I'll upload to unstable as soon as I've satisfied myself that the update doesn't introduce any regressions. I don't believe there's a PoC for the attack, so I don't know that we'll be able to confirm definitively that the issue is resolved. If anybody has PoC code or is interested in putting some together, I'd be interested in testing the fix more thoroughly... Uploads targeting (old)stable will follow shortly after unstable, assuming no issues. noah diff -Nru ipsec-tools-0.8.2+20140711/debian/changelog ipsec-tools-0.8.2+20140711/debian/changelog --- ipsec-tools-0.8.2+20140711/debian/changelog 2016-12-01 09:49:16.0 + +++ ipsec-tools-0.8.2+20140711/debian/changelog 2017-07-18 17:22:32.0 + @@ -1,3 +1,9 @@ +ipsec-tools (1:0.8.2+20140711-9) UNRELEASED; urgency=medium + + * Import NetBSD's patch to address CVE-2016-10396 (Closes: #867986) + + -- Noah MeyerhansTue, 18 Jul 2017 17:22:32 + + ipsec-tools (1:0.8.2+20140711-8) unstable; urgency=medium * Depend on libfl-dev to follow flex changes (Closes: #846430) diff -Nru ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch --- ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch 1970-01-01 00:00:00.0 + +++ ipsec-tools-0.8.2+20140711/debian/patches/CVE-2016-10396.patch 2017-07-18 17:22:32.0 + 
@@ -0,0 +1,194 @@ +Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 +Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682 +Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986 + +--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c pkg-ipsec-tools/src/racoon/isakmp_frag.c +@@ -1,4 +1,4 @@ +-/*$NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */ ++/*$NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */ + + /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */ + +@@ -173,6 +173,38 @@ vendorid_frag_cap(gen) + return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); + } + ++static int ++isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) ++{ ++ struct isakmp_frag_item *pitem = NULL; ++ struct isakmp_frag_item *citem = iph1->frag_chain; ++ ++ if (iph1->frag_chain == NULL) { ++ iph1->frag_chain = item; ++ return 0; ++ } ++ ++ do { ++ if (citem->frag_num == item->frag_num) ++ return -1; ++ ++ if (citem->frag_num > item->frag_num) { ++ if (pitem) ++ pitem->frag_next = item; ++ item->frag_next = citem; ++ break; ++ } ++ ++ pitem = citem; ++ citem = citem->frag_next; ++ } while (citem != NULL); ++ ++ /* we reached the end of the list, insert */ ++ if (citem == NULL) ++pitem->frag_next = item; ++ return 0; ++} ++ + int + isakmp_frag_extract(iph1, msg) + struct ph1handle *iph1; +@@ -224,39 +256,43 @@ isakmp_frag_extract(iph1, msg) + item->frag_next = NULL; + item->frag_packet = buf; + +- /* Look for the last frag while inserting the new item in the chain */ +- if (item->frag_last) +- last_frag = item->frag_num; ++ /* Check for the last frag before inserting the new item in the chain */ ++ if (item->frag_last) { ++ /* if we have the last fragment, indices must match */ ++ if (iph1->frag_last_index != 0 && ++ item->frag_last != iph1->frag_last_index) { ++ plog(LLV_ERROR, LOCATION, NULL, ++ "Repeated last fragment index mismatch\n"); 
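Review bot: In this version of isakmp_frag_insert the insert-before branch (`if (citem->frag_num > item->frag_num)`) never updates `iph1->frag_chain` when `pitem` is NULL: a fragment arriving with a lower frag_num than the current head gets `item->frag_next = citem`, but the head still points at citem, so the new item is unreachable from the chain (leaked, and the fragment set can never complete). Any out-of-order arrival at the head of the list triggers it, so a peer reordering or an attacker interleaving fragments keeps phase 1 from ever finishing. The fix is to make the head assignment the else of that branch: `if (pitem) pitem->frag_next = item; else iph1->frag_chain = item;`. The trailing `if (citem == NULL) pitem->frag_next = item;` after the loop is then still correct, since `break` leaves citem non-NULL.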
++ racoon_free(item); ++ vfree(buf); ++ return -1; ++ } + +- if (iph1->frag_chain == NULL) { +- iph1->frag_chain = item; +- } else { +- struct isakmp_frag_item *current; ++ last_frag = iph1->frag_last_index = item->frag_num; ++ } + +- current = iph1->frag_chain; +- while (current->frag_next) { +- if (current->frag_last) +- last_frag = item->frag_num; +- current = current->frag_next; +- } +- current->frag_next = item; ++ /* insert fragment into chain */ ++ if (isakmp_frag_insert(iph1, item) == -1) { ++
Bug#867986: CVE-2016-10396
Package: racoon Severity: grave Tags: security Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 Cheers, Moritz