Hi,
I intend to upload an NMU for this.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/ipsec-tools-0.7.1-1.1_0.7.1-1.2.patch
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ipsec-tools-0.7.1/debian/changelog ipsec-tools-0.7.1/debian/changelog --- ipsec-tools-0.7.1/debian/changelog +++ ipsec-tools-0.7.1/debian/changelog @@ -1,3 +1,13 @@ +ipsec-tools (1:0.7.1-1.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Apply upstream patch to remove orphaned phase 1 handles that were + initiated remotely if an invalid first exchange was received + which may lead to a denial of service attack + (CVE-2008-3652; Closes: #501026). + + -- Nico Golde <[EMAIL PROTECTED]> Tue, 07 Oct 2008 14:22:25 +0200 + ipsec-tools (1:0.7.1-1.1) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- ipsec-tools-0.7.1.orig/src/racoon/isakmp.c +++ ipsec-tools-0.7.1/src/racoon/isakmp.c @@ -798,20 +798,24 @@ [iph1->side] [iph1->status])(iph1, msg); if (error != 0) { -#if 0 + /* XXX * When an invalid packet is received on phase1, it should * be selected to process this packet. That is to respond * with a notify and delete phase 1 handler, OR not to respond - * and keep phase 1 handler. + * and keep phase 1 handler. However, in PHASE1ST_START when + * acting as RESPONDER we must not keep phase 1 handler or else + * it will stay forever. */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to pre-process packet.\n"); - return -1; -#else - /* ignore the error and keep phase 1 handler */ - return 0; -#endif + + if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) { + plog(LLV_ERROR, LOCATION, iph1->remote, + "failed to pre-process packet.\n"); + return -1; + } else { + /* ignore the error and keep phase 1 handler */ + return 0; + } } #ifndef ENABLE_FRAG
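Review bot: the changelog entry says "Apply upstream patch", but neither the entry nor the debdiff identifies which upstream commit or release the src/racoon/isakmp.c change was taken from; add that reference (upstream commit id or the first upstream version carrying the fix) to the changelog line so the change can be traced and dropped on the next upstream merge. Also, the debdiff lists src/racoon/isakmp.c under "only in patch2: unchanged:", which means the upstream source file is modified directly in the Debian diff rather than carried as a separate file under debian/patches; if the package uses a patch system, the fix should live there as its own patch so it stays isolated and can be removed cleanly later.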
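Review bot: the new branch in the error path of the isakmp.c hunk only changes the return value to -1 for a RESPONDER handler in PHASE1ST_START; the removal of the orphaned phase 1 handler, which is the stated purpose of the upload, has to happen in the caller, and that caller is outside this hunk. Confirm that the code receiving this -1 actually tears the handler down, otherwise the handler is just as orphaned as before and the net change is one extra log line. Two smaller points: the retained "XXX" comment still presents both policies (respond-and-delete versus ignore-and-keep) as open options while the code now picks a rule, so reword it to state the rule ("ignore the error and keep the handler, except for a responder still in PHASE1ST_START, whose handler would otherwise live forever"); and the new plog at LLV_ERROR fires once per malformed first exchange from an unauthenticated peer, which is a cheap log-flooding vector, so consider a lower log level or rate limiting. The `} else {` wrapping a bare `return 0;` after an unconditional `return -1;` is redundant and can be flattened.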