Hi, attached is a patch for a 0-day NMU I'm going to upload to fix this issue.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u strongswan-4.2.14/debian/changelog strongswan-4.2.14/debian/changelog --- strongswan-4.2.14/debian/changelog +++ strongswan-4.2.14/debian/changelog @@ -1,3 +1,12 @@ +strongswan (4.2.14-1.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix two possible null pointer dereferences leading to denial + of service via crafted IKE_SA_INIT, CREATE_CHILD_SA or + IKE_AUTH request (CVE-2009-1957; CVE-2009-1958; Closes: #531612). + + -- Nico Golde <n...@debian.org> Mon, 15 Jun 2009 13:06:05 +0200 + strongswan (4.2.14-1) unstable; urgency=low * New upstream release, which incorporates the fix. Removed dpatch for it. only in patch2: unchanged: --- strongswan-4.2.14.orig/src/charon/sa/ike_sa.c +++ strongswan-4.2.14/src/charon/sa/ike_sa.c @@ -1438,6 +1438,11 @@ exchange_type_names, message->get_exchange_type(message), message->get_request(message) ? "request" : "response", message->get_message_id(message)); + + if (this->state == IKE_CREATED) + { /* invalid initiation attempt, close SA */ + return DESTROY_ME; + } return status; } else only in patch2: unchanged: --- strongswan-4.2.14.orig/src/charon/sa/tasks/child_create.c +++ strongswan-4.2.14/src/charon/sa/tasks/child_create.c @@ -1137,11 +1137,11 @@ { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); - if (this->tsi) + if (this->tsr) { this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); } - if (this->tsr) + if (this->tsi) { this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); }
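Review bot: In the debian/changelog entry, both CVEs share a single bullet, so a reader cannot tell which of the two source changes (ike_sa.c or child_create.c) addresses CVE-2009-1957 and which addresses CVE-2009-1958. Consider one bullet per CVE, each naming the file it touches, so the mapping survives in the package history.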
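Review bot: In src/charon/sa/ike_sa.c, the added `return DESTROY_ME;` replaces whatever `status` held without logging that the SA is being torn down, and the comment "invalid initiation attempt, close SA" does not say why an SA still in IKE_CREATED at this point must be destroyed. The branch looks like the failure path (it logs the exchange type and message id, then returns `status`), so it would help to state that in the comment and to add a debug line before the return so the teardown is visible in the logs. The opening brace sharing a line with the comment also differs from the brace-on-its-own-line style of the child_create.c context.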
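Review bot: In src/charon/sa/tasks/child_create.c, each guard now tests the pointer its body dereferences, but the two blocks remain near-identical copies that differ only in `tsi` versus `tsr`, which is the kind of duplication where a guard and its dereference can be crossed again. Suggest folding the "if set, destroy_offset" pattern into one helper or macro that takes the list once, so the NULL check and the call always refer to the same pointer. A short comment noting that either selector list may be unset when the task is torn down early would also document why the guards matter.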