Hi, I intend to upload a 0-day NMU to fix this. Attached is a patch for a debdiff.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ipsec-tools-0.7.1/debian/changelog ipsec-tools-0.7.1/debian/changelog --- ipsec-tools-0.7.1/debian/changelog +++ ipsec-tools-0.7.1/debian/changelog @@ -1,3 +1,12 @@ +ipsec-tools (1:0.7.1-1.4) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix possible denial of service via a fragment without + any payload (all item lengths = 0) which triggers a + null ptr dereference (Closes: #527634). + + -- Nico Golde <n...@debian.org> Wed, 13 May 2009 13:24:22 +0200 + ipsec-tools (1:0.7.1-1.3) unstable; urgency=low * Non-maintainer upload only in patch2: unchanged: --- ipsec-tools-0.7.1.orig/src/racoon/isakmp_frag.c +++ ipsec-tools-0.7.1/src/racoon/isakmp_frag.c @@ -199,7 +199,7 @@ * frag->len is the frag payload data plus the frag payload header, * whose size is sizeof(*frag) */ - if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) { + if (msg->l < sizeof(*isakmp) + ntohs(frag->len) || ntohs(frag->len) < sizeof(*frag) + 1) { plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n"); return -1; }
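Review bot: In the isakmp_frag.c hunk, `ntohs(frag->len)` is now evaluated twice inside the same condition and the widened `if` line runs well past 80 columns; hoisting the value into a local before the check, e.g. `size_t fraglen = ntohs(frag->len);` followed by `if (msg->l < sizeof(*isakmp) + fraglen || fraglen < sizeof(*frag) + 1) {`, avoids the repeated conversion and keeps the line readable. It also makes the `+ 1` easier to recognise as "at least one byte of payload after the fragment header", which is the zero-length case the changelog entry describes. The comment above the check still only explains what frag->len includes; extending it to say the payload must be non-empty would preserve the reason for the `+ 1` through future edits.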