Hi,


The attached patch fixes this bug and also #533837.


        Ruben
-- 
Ruben Puettmann
ru...@puettmann.net
http://www.puettmann.net
diff -Nru strongswan-4.2.14/debian/changelog strongswan-4.2.14/debian/changelog
--- strongswan-4.2.14/debian/changelog  2009-06-21 18:34:54.000000000 +0200
+++ strongswan-4.2.14/debian/changelog  2009-06-21 18:34:55.000000000 +0200
@@ -1,3 +1,14 @@
+strongswan (4.2.14-1.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix build on i386 
+    Closes: #525652: FTBFS on i386: 
+    libstrongswan-padlock.so*': No such file or directory 
+  * Fix Two Denial of Service Vulnerabilities
+    Closes: #533837: strongSwan Two Denial of Service Vulnerabilities
+
+ -- Ruben Puettmann <ru...@puettmann.net>  Sun, 21 Jun 2009 17:50:02 +0200
+
 strongswan (4.2.14-1.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru strongswan-4.2.14/debian/rules strongswan-4.2.14/debian/rules
--- strongswan-4.2.14/debian/rules      2009-06-21 18:34:54.000000000 +0200
+++ strongswan-4.2.14/debian/rules      2009-06-21 18:34:55.000000000 +0200
@@ -41,7 +41,7 @@
 # the padlock plugin only makes sense on i386 
 # but it actually doesn't do much, so maybe we don't need it
 ifeq ($(DEB_BUILD_ARCH_CPU),i386)
-  CONFIGURE_ARGS += --enable-padlock
+  CONFIGUREARGS += --enable-padlock
 endif
 
 patch:
diff -Nru strongswan-4.2.14/src/libstrongswan/asn1/asn1.c 
strongswan-4.2.14/src/libstrongswan/asn1/asn1.c
--- strongswan-4.2.14/src/libstrongswan/asn1/asn1.c     2009-04-01 
08:16:00.000000000 +0200
+++ strongswan-4.2.14/src/libstrongswan/asn1/asn1.c     2009-06-21 
18:34:55.000000000 +0200
@@ -261,6 +261,11 @@
                len = 256*len + *blob->ptr++;
                blob->len--;
        }
+       if (len > blob->len)
+       {
+               DBG2("length is larger than remaining blob size");
+               return ASN1_INVALID_LENGTH;
+       }
        return len;
 }
 
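Review bot: The new `len > blob->len` check sits after the multi-octet loop, so it only covers the long-form length; the short-form path (a single length octet returned earlier in asn1_length, before this hunk) is not shown to receive the same test, and the caller-side guard `blob->len < blob1->len` that used to catch that case is dropped in the asn1_parser.c hunk and in the matching src/pluto/asn1.c parser hunk. Unless the early single-octet return was updated as well, a short-form length larger than the remaining data now reaches the parser unchecked. The same question applies to the asn1_length hunk in src/pluto/asn1.c. Either add the check in front of the single-octet return too, or keep the compound condition in the parser as belt and braces: `if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)`. asn1_length begins outside this hunk.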
@@ -283,14 +288,20 @@
        {
                int tz_hour, tz_min;
        
-               sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+               if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+               {
+                       return 0; /* error in positive timezone offset format */
+               }
                tz_offset = 3600*tz_hour + 60*tz_min;  /* positive time zone 
offset */
        }
        else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
        {
                int tz_hour, tz_min;
        
-               sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+               if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+               {
+                       return 0; /* error in negative timezone offset format */
+               }
                tz_offset = -3600*tz_hour - 60*tz_min;  /* negative time zone 
offset */
        }
        else
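Review bot: Checking the sscanf item count rejects non-numeric offsets but still accepts any two-digit value, and `%2d` takes an optional sign, so an hour of 99 or a negative minute field is folded into tz_offset without complaint; add `if (tz_hour < 0 || tz_hour > 23 || tz_min < 0 || tz_min > 59) return 0;` after each successful sscanf. sscanf also expects a NUL-terminated string, whereas utctime is handled as a ptr/len chunk (see the memchr on the `else if` line), so unless the caller guarantees termination the scan can read past the chunk when the sign is its last byte; a bound such as `if (eot + 5 > utctime->ptr + utctime->len) return 0;` before the call would prevent that. The same applies to the matching hunk in src/pluto/asn1.c. The enclosing function starts before and ends after this hunk.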
@@ -303,14 +314,20 @@
                const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
                                                                                
                         "%4d%2d%2d%2d%2d";
        
-               sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
-                                                                        
&t.tm_hour, &t.tm_min);
+               if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, 
&t.tm_mday,
+                                                                               
 &t.tm_hour, &t.tm_min) != 5)
+               {
+                       return 0; /* error in time st [yy]yymmddhhmm time 
format */
+               }
        }
        
        /* is there a seconds field? */
        if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
        {
-               sscanf(eot-2, "%2d", &t.tm_sec);
+               if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+               {
+                       return 0; /* error in ss seconds field format */
+               }
        }
        else
        {
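Review bot: The five date/time fields are accepted as scanned once the item count is right; nothing in the hunk rejects an hour of 25 or a minute of 61, and `%2d` accepts a leading sign, so negative values pass as well. The conversion to time_t happens later, outside the hunk, where out-of-range values are presumably normalised rather than rejected; adding `if (t.tm_hour < 0 || t.tm_hour > 23 || t.tm_min < 0 || t.tm_min > 59) return 0;` after the sscanf, with corresponding limits for the year, month, day and seconds fields (their adjustment is outside the hunk, so I am not quoting those), would make malformed times fail the same way malformed digits now do. The same applies to the matching hunk in src/pluto/asn1.c. The enclosing function continues past this hunk.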
diff -Nru strongswan-4.2.14/src/libstrongswan/asn1/asn1_parser.c 
strongswan-4.2.14/src/libstrongswan/asn1/asn1_parser.c
--- strongswan-4.2.14/src/libstrongswan/asn1/asn1_parser.c      2009-04-01 
08:16:00.000000000 +0200
+++ strongswan-4.2.14/src/libstrongswan/asn1/asn1_parser.c      2009-06-21 
18:34:55.000000000 +0200
@@ -160,7 +160,7 @@
        
        blob1->len = asn1_length(blob);
        
-       if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+       if (blob1->len == ASN1_INVALID_LENGTH)
        {
                DBG1("L%d - %s:  length of ASN.1 object invalid or too large", 
                                        level, obj.name);
diff -Nru strongswan-4.2.14/src/pluto/asn1.c strongswan-4.2.14/src/pluto/asn1.c
--- strongswan-4.2.14/src/pluto/asn1.c  2009-04-01 08:16:04.000000000 +0200
+++ strongswan-4.2.14/src/pluto/asn1.c  2009-06-21 18:34:55.000000000 +0200
@@ -191,6 +191,13 @@
        len = 256*len + *blob->ptr++;
        blob->len--;
     }
+    if (len > blob->len)
+    {
+       DBG(DBG_PARSING,
+           DBG_log("length is larger than remaining blob size")
+       )
+       return ASN1_INVALID_LENGTH;
+    }
     return len;
 }
 
@@ -368,14 +375,20 @@
     {
        int tz_hour, tz_min;
 
-       sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+       if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+       {
+           return 0; /* error in positive timezone offset format */
+       }
        tz_offset = 3600*tz_hour + 60*tz_min;  /* positive time zone offset */
     }
     else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
     {
        int tz_hour, tz_min;
 
-       sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+       if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+       {
+           return 0; /* error in negative timezone offset format */
+       }
        tz_offset = -3600*tz_hour - 60*tz_min;  /* negative time zone offset */
     }
     else
@@ -388,14 +401,20 @@
        const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
                                                     "%4d%2d%2d%2d%2d";
 
-       sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
-                                    &t.tm_hour, &t.tm_min);
-    }
+       if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+                                        &t.tm_hour, &t.tm_min) != 5)
+       {
+           return 0; /* error in time st [yy]yymmddhhmm time format */
+       }
+   }
 
     /* is there a seconds field? */
     if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
     {
-       sscanf(eot-2, "%2d", &t.tm_sec);
+       if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+       {
+           return 0; /* error in ss seconds field format */
+       }
     }
     else
     {
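Review bot: The closing brace on the new side is re-indented from four spaces to three (`+   }` replacing `-    }`), which breaks the four-space indentation used on every other line of this hunk and turns a whitespace-only difference into a real diff line; keep the original `    }`. The enclosing function starts before and ends after this hunk.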
@@ -592,7 +611,7 @@
 
     blob1->len = asn1_length(blob);
 
-    if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+    if (blob1->len == ASN1_INVALID_LENGTH)
     {
        DBG(DBG_PARSING,
            DBG_log("L%d - %s:  length of ASN.1 object invalid or too large",
