Package: openswan
Severity: grave
Tags: security

Hi

From the DSA:

CVE-2009-0790

Gerd v. Egidy discovered that the Pluto IKE daemon in openswan is prone
to a denial of service attack via a malicious packet.

I've attached the patch from stable-security, please consider including
it for unstable/testing.

Cheers
Steffen
diff -u openswan-2.4.12+dfsg/debian/changelog openswan-2.4.12+dfsg/debian/changelog
--- openswan-2.4.12+dfsg/debian/changelog
+++ openswan-2.4.12+dfsg/debian/changelog
@@ -1,3 +1,11 @@
+openswan (1:2.4.12+dfsg-1.3+lenny1) stable-security; urgency=high
+
+  * Non-maintainer upload by the security team
+  * Fix DoS issue via malicious Dead Peer Detection packet
+    Fixes: CVE-2009-0790
+
+ -- Steffen Joeris <wh...@debian.org>  Tue, 24 Mar 2009 13:20:43 +0000
+
 openswan (1:2.4.12+dfsg-1.3) unstable; urgency=high
 
   * Non-maintainer upload.
diff -u openswan-2.4.12+dfsg/debian/patches/00list openswan-2.4.12+dfsg/debian/patches/00list
--- openswan-2.4.12+dfsg/debian/patches/00list
+++ openswan-2.4.12+dfsg/debian/patches/00list
@@ -3,0 +4 @@
+03-CVE-2009-0790.dpatch
only in patch2:
unchanged:
--- openswan-2.4.12+dfsg.orig/debian/patches/03-CVE-2009-0790.dpatch
+++ openswan-2.4.12+dfsg/debian/patches/03-CVE-2009-0790.dpatch
@@ -0,0 +1,30 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+...@dpatch@
+Index: demux.c
+===================================================================
+RCS file: /projects/xelerance/master/openswan-2/programs/pluto/demux.c,v
+retrieving revision 1.210.2.16
+diff -c -r1.210.2.16 demux.c
+*** openswan-2.x.x/programs/pluto/demux.c.old	16 Jun 2008 01:03:04 -0000	1.210.2.16
+--- openswan-2.4.12+dfsg/programs/pluto/demux.c	22 Mar 2009 20:11:13 -0000
+***************
+*** 1068,1076 ****
+--- 1068,1084 ----
+          switch (n->isan_type)
+          {
+          case R_U_THERE:
++ 	   if(st==NULL) {
++ 		loglog(RC_LOG_SERIOUS, "received bogus  R_U_THERE informational message");
++ 		return STF_IGNORE;
++ 	   }
+              return dpd_inI_outR(st, n, n_pbs);
+  
+          case R_U_THERE_ACK:
++ 	   if(st==NULL) {
++ 		loglog(RC_LOG_SERIOUS, "received bogus  R_U_THERE informational message");
++ 		return STF_IGNORE;
++ 	   }
+              return dpd_inR(st, n, n_pbs);
+  
+  	case PAYLOAD_MALFORMED:
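Review bot: In the R_U_THERE_ACK case, the new st==NULL branch logs "received bogus  R_U_THERE informational message", the same text as the R_U_THERE case. Anyone reading the log cannot tell which notify type was dropped. The second message should name R_U_THERE_ACK, and the doubled space after "bogus" should go in both. The two guards are otherwise identical, so they could share one check placed where both cases reach it, as long as the other notify types are not affected. The added lines also mix a space and tabs for indentation, while the surrounding context lines use spaces.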
