From: Nicolas Thill Date: Sat, 23 May 2009 03:43:11 +0000 (+0000) Subject: fix DoS vulnerabilities in ipsec-tools X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=1896823dec061779d5d4cb298ec9405206cc6bf8;p=openwrt%2Fsvn-archive%2Fpackages.git fix DoS vulnerabilities in ipsec-tools SVN-Revision: 16009
---
diff --git a/net/ipsec-tools/Makefile b/net/ipsec-tools/Makefile
index 363692b31..3b3fd230f 100644
--- a/net/ipsec-tools/Makefile
+++ b/net/ipsec-tools/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ipsec-tools
 PKG_VERSION:=0.7
-PKG_RELEASE:=1
+PKG_RELEASE:=1.1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@SF/ipsec-tools
diff --git a/net/ipsec-tools/patches/901-cve-2009-1574.patch b/net/ipsec-tools/patches/901-cve-2009-1574.patch
new file mode 100644
index 000000000..b8d82e23b
--- /dev/null
+++ b/net/ipsec-tools/patches/901-cve-2009-1574.patch
@@ -0,0 +1,14 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1574
+
+--- a/src/racoon/isakmp_frag.c
++++ b/src/racoon/isakmp_frag.c
+@@ -199,7 +199,8 @@ isakmp_frag_extract(iph1, msg)
+ * frag->len is the frag payload data plus the frag payload header,
+ * whose size is sizeof(*frag)
+ */
+- if (msg->l < sizeof(*isakmp) + ntohs(frag->len)) {
++ if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
++ ntohs(frag->len) < sizeof(*frag) + 1) {
+ plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
+ return -1;
+ }
diff --git a/net/ipsec-tools/patches/902-cve-2009-1632.patch b/net/ipsec-tools/patches/902-cve-2009-1632.patch
new file mode 100644
index 000000000..586ce45e3
--- /dev/null
+++ b/net/ipsec-tools/patches/902-cve-2009-1632.patch
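Review bot: The new condition in isakmp_frag_extract() evaluates `ntohs(frag->len)` twice and shares the single "Fragment too short" diagnostic with the pre-existing length check, while the patch file header carries only the CVE URL, so a reader has to reconstruct why `sizeof(*frag) + 1` is the bound. As this mirrors the upstream fix I would leave the C unchanged and add one descriptive line below the URL in the patch file, e.g. `Reject fragments whose declared length does not exceed the fragment payload header size.` If the check is ever reworked locally, hoisting the length once into `size_t frag_len = ntohs(frag->len);` and testing `frag_len < sizeof(*frag) + 1` would read more clearly. isakmp_frag_extract() starts and ends outside the hunk, so whether the `+ 1` is needed by later payload-length arithmetic could not be confirmed from here.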
@@ -0,0 +1,56 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1632
+--- a/src/racoon/crypto_openssl.c
++++ b/src/racoon/crypto_openssl.c
+@@ -900,12 +900,14 @@ eay_check_x509sign(source, sig, cert)
+ evp = X509_get_pubkey(x509);
+ if (! evp) {
+ plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey(): %s\n", eay_strerror());
++ X509_free(x509);
+ return -1;
+ }
+
+ res = eay_rsa_verify(source, sig, evp->pkey.rsa);
+
+ EVP_PKEY_free(evp);
++ X509_free(x509);
+
+ return res;
+ }
+--- a/src/racoon/nattraversal.c
++++ b/src/racoon/nattraversal.c
+@@ -319,6 +319,15 @@ natt_handle_vendorid (struct ph1handle *
+ iph1->natt_flags |= NAT_ANNOUNCED;
+ }
+
++static void
++natt_keepalive_delete (struct natt_ka_addrs *ka)
++{
++ TAILQ_REMOVE (&ka_tree, ka, chain);
++ racoon_free (ka->src);
++ racoon_free (ka->dst);
++ racoon_free (ka);
++}
++
+ /* NAT keepalive functions */
+ static void
+ natt_keepalive_send (void *param)
+@@ -333,8 +342,7 @@ natt_keepalive_send (void *param)
+
+ s = getsockmyaddr(ka->src);
+ if (s == -1) {
+- TAILQ_REMOVE (&ka_tree, ka, chain);
+- racoon_free (ka);
++ natt_keepalive_delete(ka);
+ continue;
+ }
+ plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n",
+@@ -435,8 +443,7 @@ natt_keepalive_remove (struct sockaddr *
+
+ plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
+
+- TAILQ_REMOVE (&ka_tree, ka, chain);
+- racoon_free (ka);
++ natt_keepalive_delete (ka);
+ /* Should we break here? Every pair of addresses should
+ be inserted only once, but who knows :-) Lets traverse
+ the whole list... */
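Review bot: natt_keepalive_delete() unlinks and frees `ka` from inside the loop bodies of natt_keepalive_send() and natt_keepalive_remove(), and both callers keep iterating afterwards (the `continue`, and the "Lets traverse the whole list" comment); that is only safe if the loop header — outside this hunk — fetched the successor before the call, e.g. `for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) { next = TAILQ_NEXT(ka, chain);`, otherwise the freed node is read on the next step, so this is worth confirming against both loops. The helper also closes the leak of `ka->src` and `ka->dst` by freeing them, which presumes both are heap copies owned by the entry rather than borrowed pointers; a one-line comment above it, `/* ka->src and ka->dst are heap copies owned by the entry */`, would record that contract for the next reader. The two `X509_free(x509)` calls added to eay_check_x509sign() cover both exits visible here; the earlier part of that function, where x509 is created, lies outside the hunk.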