Package: ipsec-tools
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ipsec-tools.

CVE-2008-3652[0]:
| src/racoon/handler.c in racoon in ipsec-tools does not remove an
| "orphaned ph1" (phase 1) handle when it has been initiated remotely,
| which allows remote attackers to cause a denial of service (resource
| consumption).

A patch of the relevant changes extracted from upstream rcs 
is attached.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3652
    http://security-tracker.debian.net/tracker/CVE-2008-3652

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
index 5b81e5b..4d4e2f2 100644
--- a/src/racoon/isakmp.c
+++ b/src/racoon/isakmp.c
@@ -801,20 +801,24 @@ ph1_main(iph1, msg)
 			    [iph1->side]
 			    [iph1->status])(iph1, msg);
 	if (error != 0) {
-#if 0
+
 		/* XXX
 		 * When an invalid packet is received on phase1, it should
 		 * be selected to process this packet.  That is to respond
 		 * with a notify and delete phase 1 handler, OR not to respond
-		 * and keep phase 1 handler.
+		 * and keep phase 1 handler. However, in PHASE1ST_START when
+		 * acting as RESPONDER we must not keep phase 1 handler or else
+		 * it will stay forever.
 		 */
-		plog(LLV_ERROR, LOCATION, iph1->remote,
-			"failed to pre-process packet.\n");
-		return -1;
-#else
-		/* ignore the error and keep phase 1 handler */
-		return 0;
-#endif
+
+		if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
+			plog(LLV_ERROR, LOCATION, iph1->remote,
+				"failed to pre-process packet.\n");
+			return -1;
+		} else {
+			/* ignore the error and keep phase 1 handler */
+			return 0;
+		}
 	}
 
 #ifndef ENABLE_FRAG
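
Review bot: The new `return -1` branch for `iph1->side == RESPONDER && iph1->status == PHASE1ST_START` does not itself free anything, so the fix depends on the caller of `ph1_main()` deleting the phase 1 handler when it sees -1. That call site is outside this hunk, and the CVE text names src/racoon/handler.c while the diff touches only src/racoon/isakmp.c. Please confirm, or say in the changelog, where the handler is actually removed. The `else` branch still keeps the handler for every other side and status combination, so the comment should say why only the responder in PHASE1ST_START can be left orphaned. The "XXX" marker could then be dropped, since the comment no longer describes an open question. Style: the two added blank lines, after `if (error != 0) {` and after the comment, can go, and the `else` after a `return` is redundant.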
