Merge lp:~zulcss/ubuntu/intrepid/ipsec-tools/src-374185 into lp:ubuntu/intrepid/ipsec-tools

Proposed by Chuck Short
Status: Needs review
Proposed branch: lp:~zulcss/ubuntu/intrepid/ipsec-tools/src-374185
Merge into: lp:ubuntu/intrepid/ipsec-tools
Diff against target: 235 lines
5 files modified
debian/changelog (+25/-0)
src/racoon/crypto_openssl.c (+2/-0)
src/racoon/ipsec_doi.c (+41/-23)
src/racoon/isakmp_frag.c (+2/-1)
src/racoon/nattraversal.c (+11/-4)
To merge this branch: bzr merge lp:~zulcss/ubuntu/intrepid/ipsec-tools/src-374185
Reviewer Review Type Date Requested Status
Steve Beattie (community) sru Approve
Steve Beattie (sbeattie) wrote :

Looks okay, modulo similar comments about including the prior security fix and making sure to update bug descriptions rather than merely adding a comment. Thanks!

review: Approve (sru)

Unmerged revisions

20. By Chuck Short

src/racoon/ipsec_doi.c: Patched to fix segfault when using
ipv6 addresses in sainfo section of racoon.conf. Thanks to
Fredrik Ljunggren. (LP: #374185)

19. By Marc Deslauriers

* SECURITY UPDATE: denial of service via fragmented packets without a
  payload.
  - src/racoon/isakmp_frag.c: validate size of payload data.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
  - CVE-2009-1574
* SECURITY UPDATE: denial of service via multiple memory leaks.
  - src/racoon/crypto_openssl.c: call X509_free().
  - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
    that also frees ka->src and ka->dst.
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
  - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
  - CVE-2009-1632

Preview Diff

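--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+ipsec-tools (1:0.7-2.1ubuntu1.8.10.2) intrepid-proposed; urgency=low
+
+ * src/racoon/ipsec_doi.c: Patched to fix segfault when using
+ ipv6 addresses in sainfo section of racoon.conf. Thanks to
+ Fredrik Ljunggren. (LP: #374185)
+
+ -- Chuck Short <zulcss@ubuntu.com> Thu, 01 Oct 2009 11:15:27 -0400
+
+ipsec-tools (1:0.7-2.1ubuntu1.8.10.1) intrepid-security; urgency=low
+
+ * SECURITY UPDATE: denial of service via fragmented packets without a
+ payload.
+ - src/racoon/isakmp_frag.c: validate size of payload data.
+ - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.4&r2=1.4.6.1&f=h
+ - CVE-2009-1574
+ * SECURITY UPDATE: denial of service via multiple memory leaks.
+ - src/racoon/crypto_openssl.c: call X509_free().
+ - src/racoon/nattraversal.c: add new natt_keepalive_delete() function
+ that also frees ka->src and ka->dst.
+ - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c.diff?r1=1.11.6.4&r2=1.11.6.5&f=u
+ - http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/nattraversal.c.diff?r1=1.6&r2=1.6.6.1&f=u
+ - CVE-2009-1632
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 04 Jun 2009 14:35:06 -0400
+
 ipsec-tools (1:0.7-2.1ubuntu1) intrepid; urgency=low
 
  * Merge from debian unstable, remaining changes: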
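--- a/src/racoon/crypto_openssl.c
+++ b/src/racoon/crypto_openssl.c
@@ -900,12 +900,14 @@
  evp = X509_get_pubkey(x509);
  if (! evp) {
  plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey(): %s\n", eay_strerror());
+ X509_free(x509);
  return -1;
  }
 
  res = eay_rsa_verify(source, sig, evp->pkey.rsa);
 
  EVP_PKEY_free(evp);
+ X509_free(x509);
 
  return res;
 }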
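Review bot: `evp->pkey.rsa` is handed to `eay_rsa_verify()` with no visible check that the certificate's public key is an RSA key; the hunk only guards against a NULL `evp`. The certificate is presumably supplied by the peer, so a key of another type would make this read the wrong union member, unless the type is checked earlier (the function starts outside the hunk). A guard before the verify call such as `if (evp->type != EVP_PKEY_RSA) { EVP_PKEY_free(evp); X509_free(x509); return -1; }` would close that. With several exits now releasing the same objects, a single cleanup label would also keep the frees from drifting apart again.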
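--- a/src/racoon/ipsec_doi.c
+++ b/src/racoon/ipsec_doi.c
@@ -4396,20 +4396,29 @@
  char *dat;
  static char buf[BUFLEN];
  struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)id->v;
- struct sockaddr saddr;
+ struct sockaddr_storage saddr_storage;
+ struct sockaddr *saddr;
+ struct sockaddr_in *saddr_in;
+ struct sockaddr_in6 *saddr_in6;
  u_int plen = 0;
 
+ saddr = (struct sockaddr *)&saddr_storage;
+ saddr_in = (struct sockaddr_in *)&saddr_storage;
+ saddr_in6 = (struct sockaddr_in6 *)&saddr_storage;
+
+
  switch (id_b->type) {
  case IPSECDOI_ID_IPV4_ADDR:
  case IPSECDOI_ID_IPV4_ADDR_SUBNET:
  case IPSECDOI_ID_IPV4_ADDR_RANGE:
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in);
+ saddr->sa_len = sizeof(struct sockaddr_in);
 #endif
- saddr.sa_family = AF_INET;
- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+ saddr->sa_family = AF_INET;
+
+ saddr_in->sin_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in->sin_addr,
  id->v + sizeof(*id_b), sizeof(struct in_addr));
  break;
 #ifdef INET6
@@ -4418,12 +4427,17 @@
  case IPSECDOI_ID_IPV6_ADDR_RANGE:
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in6);
+ saddr->sa_len = sizeof(struct sockaddr_in6);
 #endif
- saddr.sa_family = AF_INET6;
- ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+ saddr->sa_family = AF_INET6;
+
+ saddr_in6->sin6_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in6->sin6_addr,
  id->v + sizeof(*id_b), sizeof(struct in6_addr));
+ saddr_in6->sin6_scope_id =
+ (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
  break;
 #endif
  }
@@ -4433,7 +4447,7 @@
 #ifdef INET6
  case IPSECDOI_ID_IPV6_ADDR:
 #endif
- len = snprintf( buf, BUFLEN, "%s", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s", saddrwop2str(saddr));
  break;
 
  case IPSECDOI_ID_IPV4_ADDR_SUBNET:
@@ -4489,42 +4503,46 @@
  plen += l;
  }
 
- len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(&saddr), plen);
+ len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(saddr), plen);
  }
  break;
 
  case IPSECDOI_ID_IPV4_ADDR_RANGE:
 
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in);
+ saddr->sa_len = sizeof(struct sockaddr_in);
 #endif
- saddr.sa_family = AF_INET;
- ((struct sockaddr_in *)&saddr)->sin_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in *)&saddr)->sin_addr,
+ saddr->sa_family = AF_INET;
+ saddr_in->sin_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in->sin_addr,
  id->v + sizeof(*id_b) + sizeof(struct in_addr),
  sizeof(struct in_addr));
 
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+ len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
 
  break;
 
 #ifdef INET6
  case IPSECDOI_ID_IPV6_ADDR_RANGE:
 
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(&saddr));
+ len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
 
 #ifndef __linux__
- saddr.sa_len = sizeof(struct sockaddr_in6);
+ saddr->sa_len = sizeof(struct sockaddr_in6);
 #endif
- saddr.sa_family = AF_INET6;
- ((struct sockaddr_in6 *)&saddr)->sin6_port = IPSEC_PORT_ANY;
- memcpy(&((struct sockaddr_in6 *)&saddr)->sin6_addr,
+ saddr->sa_family = AF_INET6;
+ saddr_in6->sin6_port = IPSEC_PORT_ANY;
+ memcpy(&saddr_in6->sin6_addr,
  id->v + sizeof(*id_b) + sizeof(struct in6_addr),
  sizeof(struct in6_addr));
+ saddr_in6->sin6_scope_id =
+ (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
+ ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
+ : 0);
 
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(&saddr));
+ len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
 
  break;
 #endif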
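Review bot: The new `sin6_scope_id` assignment reads `((struct sockaddr_in6 *)id_b)->sin6_scope_id`, but `id_b` is declared as a `struct ipsecdoi_id_b *` pointing at `id->v`, which is the ID payload buffer and not a socket address. For a link-local address the scope id is therefore taken from whatever payload bytes sit at that struct offset, and the read can run past the end of the buffer when the payload is shorter than `struct sockaddr_in6`; the same expression is repeated in the `IPSECDOI_ID_IPV6_ADDR_RANGE` branch of the last hunk. Unless a real scope can be taken from a socket address elsewhere in the function (its start and end are outside the hunks), I would write `saddr_in6->sin6_scope_id = 0;` in both places. `saddr_storage` is also never cleared, so a `memset(&saddr_storage, 0, sizeof(saddr_storage));` before the first `switch` would keep unset fields from reaching `saddrwop2str()`.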
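--- a/src/racoon/isakmp_frag.c
+++ b/src/racoon/isakmp_frag.c
@@ -199,7 +199,8 @@
  * frag->len is the frag payload data plus the frag payload header,
  * whose size is sizeof(*frag) 
  */
- if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
+ if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
+ ntohs(frag->len) < sizeof(*frag) + 1) {
  plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
  return -1;
  }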
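Review bot: The added lower bound `ntohs(frag->len) < sizeof(*frag) + 1` carries no comment explaining the `+ 1`, and it shares the "Fragment too short" message with the truncation test, so a log reader cannot tell an empty fragment from a cut-off packet. I would extend the comment above the test with `a fragment must carry at least one byte of data after its header` and give the empty-payload case its own `plog()` text, which also makes packets matching CVE-2009-1574 recognisable in the logs. Whether `msg->l` is already known to cover `sizeof(*isakmp) + sizeof(*frag)` before `frag->len` is read cannot be seen here, because the function starts outside the hunk.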
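--- a/src/racoon/nattraversal.c
+++ b/src/racoon/nattraversal.c
@@ -319,6 +319,15 @@
  iph1->natt_flags |= NAT_ANNOUNCED;
 }
 
+static void
+natt_keepalive_delete (struct natt_ka_addrs *ka)
+{
+ TAILQ_REMOVE (&ka_tree, ka, chain);
+ racoon_free (ka->src);
+ racoon_free (ka->dst);
+ racoon_free (ka);
+}
+
 /* NAT keepalive functions */
 static void
 natt_keepalive_send (void *param)
@@ -333,8 +342,7 @@
  
  s = getsockmyaddr(ka->src);
  if (s == -1) {
- TAILQ_REMOVE (&ka_tree, ka, chain);
- racoon_free (ka);
+ natt_keepalive_delete(ka);
  continue;
  }
  plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n", 
@@ -435,8 +443,7 @@
 
  plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
 
- TAILQ_REMOVE (&ka_tree, ka, chain);
- racoon_free (ka);
+ natt_keepalive_delete (ka);
  /* Should we break here? Every pair of addresses should 
  be inserted only once, but who knows :-) Lets traverse 
  the whole list... */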
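Review bot: `natt_keepalive_delete()` has no comment and frees `ka` itself, while both call sites sit inside loops over `ka_tree` (`continue` follows the first call, and the comment after the second says the whole list is traversed). The loop headers are outside the hunks, so it is worth confirming that each loop fetches the next element before calling the helper; otherwise the iteration would touch freed memory. I would document the contract on the helper, e.g. `/* Unlink ka from ka_tree and free it with its src and dst; ka is invalid afterwards. */`, and move it below the `/* NAT keepalive functions */` banner it now precedes. The first call is written `natt_keepalive_delete(ka);` and the second `natt_keepalive_delete (ka);`; the surrounding code uses the spaced form.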
