Hi Daniel!

On Mon, Jun 03, 2019 at 12:24:08PM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2019-06-03 06:26:28 +0200, Salvatore Bonaccorso wrote:
> > Source: libreswan
> > Version: 3.27-4
> > Severity: grave
> > Tags: patch security upstream fixed-upstream
> > Justification: user security hole
> > Forwarded: https://github.com/libreswan/libreswan/issues/246
> > Control: fixed -1 3.28-1
> >
> > The following vulnerability was published for libreswan.
> >
> > CVE-2019-12312[0]:
> > | In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
> > | daemon restart. An attacker can trigger a NULL pointer dereference by
> > | sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
> > | to a Libreswan server. This affects send_v2N_spi_response_from_state
> > | in programs/pluto/ikev2_send.c when built with Network Security
> > | Services (NSS).
> 
> thanks for this heads-up, Salvatore.
> 
> I'm working with upstream libreswan at patching this now, publishing my
> work on the debian/master branch in salsa.

The upstream issue lists
https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8
as the fixing commit, fwiw.

> out of curiosity, how was this CVE applied for, and how was it
> coordinated?  When I pointed it out to libreswan upstream on the
> freenode IRC #swan, it sounded like they had never heard of it.

I do not know. The CVE appeared on our radar via the MITRE feed
update. Could be that the reporter of the upstream issue requested a
CVE on their own. If you ask MITRE, though, they would not disclose who
requested a specific CVE, so we might not know in the end. I suspect
it was not coordinated at all with upstream.

> thanks for all you do for debian security!

likewise for all your contributions within Debian!

Regards,
Salvatore
