Hi Daniel! On Mon, Jun 03, 2019 at 12:24:08PM -0400, Daniel Kahn Gillmor wrote: > On Mon 2019-06-03 06:26:28 +0200, Salvatore Bonaccorso wrote: > > Source: libreswan > > Version: 3.27-4 > > Severity: grave > > Tags: patch security upstream fixed-upstream > > Justification: user security hole > > Forwarded: https://github.com/libreswan/libreswan/issues/246 > > Control: fixed -1 3.28-1 > > > > The following vulnerability was published for libreswan. > > > > CVE-2019-12312[0]: > > | In Libreswan before 3.28, an assertion failure can lead to a pluto IKE > > | daemon restart. An attacker can trigger a NULL pointer dereference by > > | sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode > > | to a Libreswan server. This affects send_v2N_spi_response_from_state > > | in programs/pluto/ikev2_send.c when built with Network Security > > | Services (NSS). > > thanks for this heads-up, Salvatore. > > I'm working with upstream libreswan at patching this now, publishing my > work on the debian/master branch in salsa.
The upstream issue lists as https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8 as the fixing commit, fwiw. > out of curiosity, how was this CVE applied for, and how was it > coordinated? When I pointed it out to libreswan upstream on the > freenode IRC #swan, it sounded like they had never heard of it. I do not know. The CVE appeared for us on the radar via the MITRE feed update. Could be that the reporter of the upstream issue did request a CVE on its own. If you ask MITRE they though would not disclose who requested a specific CVE, so we might not know in the end. I suspect it was not coordinated at all with upstream. > thanks for all you do for debian security! likewise for all your contributions within Debian! Regards, Salvatore
