Bug#1031821: libreswan: remote crash, CVE-2023-23009

Daniel Kahn Gillmor Wed, 01 Mar 2023 10:54:19 -0800

On Wed 2023-03-01 12:52:58 +0100, Salvatore Bonaccorso wrote:
> Yes it does thank you. So even tough that's a bit a borderline case
> (mean with it as with the vpn service case, where you have
> authennticated users, but you might not entirely trust the entities)
> let's release a DSA for it. Can you prepare a final debdiff for a
> quick review for bullseye-security?


Sure, a proposed final debdiff is attached.  The code is also in the
debian/bullseye branch on https://salsa.debian.org/debian/libreswan.

Please let me know if you think anything else should be done
differently.

Thanks for keeping an eye on this, Salvatore!

  --dkg

diff --git libreswan-4.3/debian/changelog libreswan-4.3/debian/changelog
index ff60ad1b7b..8f709eec58 100644
--- libreswan-4.3/debian/changelog
+++ libreswan-4.3/debian/changelog
@@ -1,3 +1,9 @@
+libreswan (4.3-1+deb11u2) bullseye-security; urgency=high
+
+  * Fixes CVE-2023-23009 (Closes: #1031821)
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Wed, 01 Mar 2023 13:11:05 -0500
+
 libreswan (4.3-1+deb11u1) bullseye-security; urgency=high
 
   * Fixes CVE-2022-23094
diff --git libreswan-4.3/debian/patches/0004-Fix-CVE-2023-23009.patch libreswan-4.3/debian/patches/0004-Fix-CVE-2023-23009.patch
new file mode 100644
index 0000000000..851aa0d71d
--- /dev/null
+++ libreswan-4.3/debian/patches/0004-Fix-CVE-2023-23009.patch
@@ -0,0 +1,25 @@
+From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
+Date: Wed, 22 Feb 2023 14:57:02 -0500
+Subject: Fix CVE-2023-23009
+
+See https://github.com/libreswan/libreswan/issues/954
+---
+ programs/pluto/ikev2_ts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
+index fba776a..c8ce761 100644
+--- a/programs/pluto/ikev2_ts.c
++++ b/programs/pluto/ikev2_ts.c
+@@ -421,6 +421,11 @@ static bool v2_parse_ts(struct payload_digest *const ts_pd,
+ 		d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
+ 			  &ts_h, sizeof(ts_h), &ts_body_pbs);
+ 
++		if (d != NULL) {
++			llog_diag(RC_LOG, logger, &d, "%s", "");
++			return false;
++		}
++
+ 		switch (ts_h.isath_type) {
+ 		case IKEv2_TS_IPV4_ADDR_RANGE:
+ 		case IKEv2_TS_IPV6_ADDR_RANGE:
diff --git libreswan-4.3/debian/patches/series libreswan-4.3/debian/patches/series
index ccb5ae82f7..7039666566 100644
--- libreswan-4.3/debian/patches/series
+++ libreswan-4.3/debian/patches/series
@@ -1,3 +1,4 @@
 0001-do-not-use-git-version.patch
 0002-debian-pam.d-pluto.patch
 CVE-2022-23094.patch
+0004-Fix-CVE-2023-23009.patch

signature.asc
Description: PGP signature

Bug#1031821: libreswan: remote crash, CVE-2023-23009

Reply via email to