fix DoS vulnerabilities in ipsec-tools
authorNicolas Thill <nico@openwrt.org>
Sat, 23 May 2009 03:43:11 +0000 (03:43 +0000)
committerNicolas Thill <nico@openwrt.org>
Sat, 23 May 2009 03:43:11 +0000 (03:43 +0000)
SVN-Revision: 16009

net/ipsec-tools/Makefile
net/ipsec-tools/patches/901-cve-2009-1574.patch [new file with mode: 0644]
net/ipsec-tools/patches/902-cve-2009-1632.patch [new file with mode: 0644]

index 363692b3120cac89d7a5e32c5bf8ccbd79c13fd3..3b3fd230ff42b00c5b4999e8d21a2a1dd4794b80 100644 (file)
@@ -1,5 +1,5 @@
 # 
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ipsec-tools
 PKG_VERSION:=0.7
-PKG_RELEASE:=1
+PKG_RELEASE:=1.1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@SF/ipsec-tools
diff --git a/net/ipsec-tools/patches/901-cve-2009-1574.patch b/net/ipsec-tools/patches/901-cve-2009-1574.patch
new file mode 100644 (file)
index 0000000..b8d82e2
--- /dev/null
@@ -0,0 +1,14 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1574
+
+--- a/src/racoon/isakmp_frag.c
++++ b/src/racoon/isakmp_frag.c
+@@ -199,7 +199,8 @@ isakmp_frag_extract(iph1, msg)
+        * frag->len is the frag payload data plus the frag payload header,
+        * whose size is sizeof(*frag) 
+        */
+-      if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
++      if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
++          ntohs(frag->len) < sizeof(*frag) + 1) {
+               plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
+               return -1;
+       }
diff --git a/net/ipsec-tools/patches/902-cve-2009-1632.patch b/net/ipsec-tools/patches/902-cve-2009-1632.patch
new file mode 100644 (file)
index 0000000..586ce45
--- /dev/null
@@ -0,0 +1,56 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1632
+--- a/src/racoon/crypto_openssl.c
++++ b/src/racoon/crypto_openssl.c
+@@ -900,12 +900,14 @@ eay_check_x509sign(source, sig, cert)
+       evp = X509_get_pubkey(x509);
+       if (! evp) {
+               plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey(): %s\n", eay_strerror());
++              X509_free(x509);
+               return -1;
+       }
+       res = eay_rsa_verify(source, sig, evp->pkey.rsa);
+       EVP_PKEY_free(evp);
++      X509_free(x509);
+       return res;
+ }
+--- a/src/racoon/nattraversal.c
++++ b/src/racoon/nattraversal.c
+@@ -319,6 +319,15 @@ natt_handle_vendorid (struct ph1handle *
+       iph1->natt_flags |= NAT_ANNOUNCED;
+ }
++static void
++natt_keepalive_delete (struct natt_ka_addrs *ka)
++{
++  TAILQ_REMOVE (&ka_tree, ka, chain);
++  racoon_free (ka->src);
++  racoon_free (ka->dst);
++  racoon_free (ka);
++}
++
+ /* NAT keepalive functions */
+ static void
+ natt_keepalive_send (void *param)
+@@ -333,8 +342,7 @@ natt_keepalive_send (void *param)
+     
+     s = getsockmyaddr(ka->src);
+     if (s == -1) {
+-      TAILQ_REMOVE (&ka_tree, ka, chain);
+-      racoon_free (ka);
++      natt_keepalive_delete(ka);
+       continue;
+     }
+     plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n", 
+@@ -435,8 +443,7 @@ natt_keepalive_remove (struct sockaddr *
+       plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
+-      TAILQ_REMOVE (&ka_tree, ka, chain);
+-      racoon_free (ka);
++      natt_keepalive_delete (ka);
+       /* Should we break here? Every pair of addresses should 
+          be inserted only once, but who knows :-) Lets traverse 
+        the whole list... */