Merge lp:~zulcss/ubuntu/intrepid/ipsec-tools/src-374185 into lp:ubuntu/intrepid/ipsec-tools

Proposed by Chuck Short
Status: Needs review
Proposed branch: lp:~zulcss/ubuntu/intrepid/ipsec-tools/src-374185
Merge into: lp:ubuntu/intrepid/ipsec-tools
Diff against target: 235 lines
5 files modified
debian/changelog (+25/-0)
src/racoon/crypto_openssl.c (+2/-0)
src/racoon/ipsec_doi.c (+41/-23)
src/racoon/isakmp_frag.c (+2/-1)
src/racoon/nattraversal.c (+11/-4)
To merge this branch: bzr merge lp:~zulcss/ubuntu/intrepid/ipsec-tools/src-374185
Reviewer Review Type Date Requested Status
Steve Beattie (community) sru Approve
Review via email: mp+12725@code.launchpad.net
Revision history for this message
Steve Beattie (sbeattie) wrote :

Looks okay, modulo similar comments about including the prior security fix and making sure to update bug descriptions rather than merely adding a comment. Thanks!

review: Approve (sru)

Unmerged revisions

20. By Chuck Short

src/racoon/ipsec_doi.c: Patched to fix segfault when using
ipv6 addresses in sainfo section of racoon.conf. Thanks to
Fredrik Ljunggren. (LP: #374185)

19. By Marc Deslauriers

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Preview Diff

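--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+ipsec-tools (1:0.7-2.1ubuntu1.8.10.2) intrepid-proposed; urgency=low
+
+ * src/racoon/ipsec_doi.c: Patched to fix segfault when using
+ ipv6 addresses in sainfo section of racoon.conf. Thanks to
+ Fredrik Ljunggren. (LP: #374185)
+
+ -- Chuck Short <zulcss@ubuntu.com> Thu, 01 Oct 2009 11:15:27 -0400
+
+ipsec-tools (1:0.7-2.1ubuntu1.8.10.1) intrepid-security; urgency=low
+
+ * SECURITY UPDATE: denial of service via fragmented packets without a
+ payload.
+ - src/racoon/isakmp_frag.c: validate size of payload data.
+ - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
+ - CVE-2009-1574
+ * SECURITY UPDATE: denial of service via multiple memory leaks.
+ - src/racoon/crypto_openssl.c: call X509_free().
+ - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
+ that also frees ka->src and ka->dst.
+ - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
+ - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
+ - CVE-2009-1632
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 04 Jun 2009 14:35:06 -0400
+
 ipsec-tools (1:0.7-2.1ubuntu1) intrepid; urgency=low
 
 * Merge from debian unstable, remaining changes:
 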
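--- a/src/racoon/crypto_openssl.c
+++ b/src/racoon/crypto_openssl.c
@@ -900,12 +900,14 @@
 evp = X509_get_pubkey(x509);
 if (! evp) {
 plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey(): %s\n", eay_strerror());
+ X509_free(x509);
 return -1;
 }
 
 res = eay_rsa_verify(source, sig, evp->pkey.rsa);
 
 EVP_PKEY_free(evp);
+ X509_free(x509);
 
 return res;
 }
 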
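Review bot: The verify call on the new side, `res = eay_rsa_verify(source, sig, evp->pkey.rsa);`, reaches into the EVP_PKEY union without checking the key type, so a certificate carrying a DSA or EC key would hand eay_rsa_verify() a pointer to the wrong structure; the leak fix is correct but leaves that path untouched. I would reject non-RSA keys before the call, freeing both evp and x509 on that path the same way the new code now does on the X509_get_pubkey() failure. The function starts before the hunk, so whether the caller already filters key types is not visible here; if it does, a comment at the call site saying so would suffice.
```c
/* … unchanged: X509_get_pubkey() and its error path … */
if (EVP_PKEY_type(evp->type) != EVP_PKEY_RSA) {
	plog(LLV_ERROR, LOCATION, NULL, "certificate key is not RSA\n");
	EVP_PKEY_free(evp);
	X509_free(x509);
	return -1;
}
res = eay_rsa_verify(source, sig, evp->pkey.rsa);
```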
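--- a/src/racoon/ipsec_doi.c
+++ b/src/racoon/ipsec_doi.c
@@ -4396,20 +4396,29 @@
 char *dat;
 static char buf[BUFLEN];
 struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)id->v;
- struct sockaddr saddr;
+ struct sockaddr_storage saddr_storage;
+ struct sockaddr *saddr;
+ struct sockaddr_in *saddr_in;
+ struct sockaddr_in6 *saddr_in6;
 u_int plen = 0;
 
+ saddr = (struct sockaddr *)&saddr_storage;
+ saddr_in = (struct sockaddr_in *)&saddr_storage;
+ saddr_in6 = (struct sockaddr_in6 *)&saddr_storage;
+
+
 switch (id_b->type) {
 case IPSECDOI_ID_IPV4_ADDR:
 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
 case IPSECDOI_ID_IPV4_ADDR_RANGE:
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in);
+ saddr->sa_len = sizeof(struct sockaddr_in);
 #endif
- saddr.sa_family = AF_INET;
- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+ saddr->sa_family = AF_INET;
+
+ saddr_in->sin_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in->sin_addr,
 id->v + sizeof(*id_b), sizeof(struct in_addr));
 break;
 #ifdef INET6
@@ -4418,12 +4427,17 @@
 case IPSECDOI_ID_IPV6_ADDR_RANGE:
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in6);
+ saddr->sa_len = sizeof(struct sockaddr_in6);
 #endif
- saddr.sa_family = AF_INET6;
- ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+ saddr->sa_family = AF_INET6;
+
+ saddr_in6->sin6_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in6->sin6_addr,
 id->v + sizeof(*id_b), sizeof(struct in6_addr));
+ saddr_in6->sin6_scope_id =
+ (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
 break;
 #endif
 }
@@ -4433,7 +4447,7 @@
 #ifdef INET6
 case IPSECDOI_ID_IPV6_ADDR:
 #endif
- len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s", saddrwop2str(saddr));
 break;
 
 case IPSECDOI_ID_IPV4_ADDR_SUBNET:
@@ -4489,42 +4503,46 @@
 plen += l;
 }
 
- len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr), plen);
+ len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(saddr), plen);
 }
 break;
 
 case IPSECDOI_ID_IPV4_ADDR_RANGE:
 
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in);
+ saddr->sa_len = sizeof(struct sockaddr_in);
 #endif
- saddr.sa_family = AF_INET;
- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+ saddr->sa_family = AF_INET;
+ saddr_in->sin_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in->sin_addr,
 id->v + sizeof(*id_b) + sizeof(struct in_addr),
 sizeof(struct in_addr));
 
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+ len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
 
 break;
 
 #ifdef INET6
 case IPSECDOI_ID_IPV6_ADDR_RANGE:
 
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in6);
+ saddr->sa_len = sizeof(struct sockaddr_in6);
 #endif
- saddr.sa_family = AF_INET6;
- ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+ saddr->sa_family = AF_INET6;
+ saddr_in6->sin6_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in6->sin6_addr,
 id->v + sizeof(*id_b) + sizeof(struct in6_addr),
 sizeof(struct in6_addr));
+ saddr_in6->sin6_scope_id =
+ (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
 
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+ len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
 
 break;
 #endif
 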
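Review bot: The new scope-id assignment `? ((struct sockaddr_in6 *)id_b)->sin6_scope_id` (present in both IPv6 cases) reads through a cast that does not match the data: id_b points at the ISAKMP ID payload body (type, proto_id, port, then the raw address), not at a sockaddr_in6, so on common ABIs sin6_scope_id lands at byte offset 24, which for IPSECDOI_ID_IPV6_ADDR is past the 4 + 16 bytes the ID carries and for the SUBNET/RANGE forms is the middle of the second address. The value only feeds saddrwop2str() for a log string, but it is either an over-read of the payload buffer or a meaningless number taken from the wire, and a peer's scope id has no meaning on this host in any case. I would write `saddr_in6->sin6_scope_id = 0;` in both places and zero the storage once after the pointer setup with `memset(&saddr_storage, 0, sizeof(saddr_storage));` so sin6_flowinfo and padding are defined before the struct is formatted. The stack-overflow fix itself (sockaddr cannot hold a sockaddr_in6, hence sockaddr_storage) is right and deserves a one-line comment on the declaration saying so. The enclosing function begins before the first hunk and continues past the last.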
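--- a/src/racoon/isakmp_frag.c
+++ b/src/racoon/isakmp_frag.c
@@ -199,7 +199,8 @@
 * frag->len is the frag payload data plus the frag payload header,
 * whose size is sizeof(*frag)
 */
- if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+ if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+ ntohs(frag->len) < sizeof(*frag) + 1) {
 plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
 return -1;
 }
 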
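Review bot: The added bound `ntohs(frag->len) < sizeof(*frag) + 1` carries the CVE-2009-1574 fix without saying why the `+ 1` is there; the comment above only explains what frag->len covers. I would extend that comment with ` * A fragment must carry at least one byte of data beyond its header (CVE-2009-1574).` and hoist the repeated conversion into a local, `size_t frag_len = ntohs(frag->len);`, so both comparisons read the same value once. Both ntohs() calls are on the same field, so the hoist is behaviour-preserving. The enclosing function starts and ends outside the hunk, so the earlier check that the fragment header itself fits inside msg->l is not visible here and should be confirmed.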
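--- a/src/racoon/nattraversal.c
+++ b/src/racoon/nattraversal.c
@@ -319,6 +319,15 @@
 iph1->natt_flags |= NAT_ANNOUNCED;
 }
 
+static void
+natt_keepalive_delete (struct natt_ka_addrs *ka)
+{
+ TAILQ_REMOVE (&ka_tree, ka, chain);
+ racoon_free (ka->src);
+ racoon_free (ka->dst);
+ racoon_free (ka);
+}
+
 /* NAT keepalive functions */
 static void
 natt_keepalive_send (void *param)
@@ -333,8 +342,7 @@
 
 s = getsockmyaddr(ka->src);
 if (s == -1) {
- TAILQ_REMOVE (&ka_tree, ka, chain);
- racoon_free (ka);
+ natt_keepalive_delete(ka);
 continue;
 }
 plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n",
@@ -435,8 +443,7 @@
 
 plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
 
- TAILQ_REMOVE (&ka_tree, ka, chain);
- racoon_free (ka);
+ natt_keepalive_delete (ka);
 /* Should we break here? Every pair of addresses should
 be inserted only once, but who knows :-) Lets traverse
 the whole list... */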
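Review bot: natt_keepalive_delete() takes over freeing ka->src and ka->dst without a comment stating that the entry owns those two addresses, which is the whole point of the CVE-2009-1632 fix; I would put `/* Unlink ka from ka_tree and free it together with the src/dst addresses it owns. */` above the definition. Both call sites keep walking the list after the delete (`continue` in natt_keepalive_send, and the "Lets traverse the whole list" comment in the last hunk), which is only safe if the loop fetches the next element before the body runs; the loop headers lie outside these hunks, so please confirm neither reads ka->chain after the free. The second call is spelled `natt_keepalive_delete (ka)` with a space while the first has none; pick one, preferably the spaced form the file already uses for `racoon_free (ka)`.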
