[Pkg-swan-devel] [strongswan] 01/01: Fix CVE-2014-9221
Yves-Alexis Perez
corsac at moszumanska.debian.org
Thu Jul 7 08:44:19 UTC 2016
This is an automated email from the git hooks/post-receive script.
corsac pushed a commit to branch wheezy-backports
in repository strongswan.
commit c36ee22f82cba01193873bc96dfd3a7150ccfa26
Author: Yves-Alexis Perez <corsac at debian.org>
Date: Mon Dec 15 21:03:18 2014 +0100
Fix CVE-2014-9221
* debian/patches:
- debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
denial of service in IKEv2 when using custom MODP value.
---
debian/changelog | 8 +++
debian/patches/CVE-2014-9221_modp_custom.patch | 67 ++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 76 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index edad081..fc4a400 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+strongswan (5.2.1-5) UNRELEASED; urgency=high
+
+ * debian/patches:
+ - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
+ denial of service in IKEv2 when using custom MODP value.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Mon, 15 Dec 2014 21:02:08 +0100
+
strongswan (5.2.1-4~bpo70+1) wheezy-backports; urgency=medium
* Rebuild for wheezy-backports.
diff --git a/debian/patches/CVE-2014-9221_modp_custom.patch b/debian/patches/CVE-2014-9221_modp_custom.patch
new file mode 100644
index 0000000..187eaf9
--- /dev/null
+++ b/debian/patches/CVE-2014-9221_modp_custom.patch
@@ -0,0 +1,67 @@
+From 11ddb58cadb10b558575484f1cad0c683c77b8fa Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias at strongswan.org>
+Date: Mon, 1 Dec 2014 17:21:59 +0100
+Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range
+
+Before this fix it was possible to crash charon with an IKE_SA_INIT
+message containing a KE payload with DH group MODP_CUSTOM(1025).
+Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
+prevents it from getting negotiated.
+
+Fixes CVE-2014-9221 in version 5.1.2 and newer.
+---
+ src/libstrongswan/crypto/diffie_hellman.c | 11 ++++++-----
+ src/libstrongswan/crypto/diffie_hellman.h | 6 ++++--
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
+index 87c9b21f8dd8..393eece49522 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.c
++++ b/src/libstrongswan/crypto/diffie_hellman.c
+@@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
+ "ECP_256_BP",
+ "ECP_384_BP",
+ "ECP_512_BP");
+-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
+- "MODP_NULL",
+- "MODP_CUSTOM");
+-ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
++ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
++ "MODP_NULL");
++ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
+ "NTRU_112",
+ "NTRU_128",
+ "NTRU_192",
+ "NTRU_256");
+-ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
++ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT,
++ "MODP_CUSTOM");
++ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
+
+
+ /**
+diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
+index 105db22f14d4..d5161d077bb2 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.h
++++ b/src/libstrongswan/crypto/diffie_hellman.h
+@@ -63,12 +63,14 @@ enum diffie_hellman_group_t {
+ /** insecure NULL diffie hellman group for testing, in PRIVATE USE */
+ MODP_NULL = 1024,
+ /** MODP group with custom generator/prime */
+- MODP_CUSTOM = 1025,
+ /** Parameters defined by IEEE 1363.1, in PRIVATE USE */
+ NTRU_112_BIT = 1030,
+ NTRU_128_BIT = 1031,
+ NTRU_192_BIT = 1032,
+- NTRU_256_BIT = 1033
++ NTRU_256_BIT = 1033,
++ /** internally used DH group with additional parameters g and p, outside
++ * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
++ MODP_CUSTOM = 65536,
+ };
+
+ /**
+--
+1.9.1
+
+
\ No newline at end of file
diff --git a/debian/patches/series b/debian/patches/series
index c14ab5d..e12f917 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
02_chunk-endianness.patch
03_systemd-service.patch
04_disable-libtls-tests.patch
+CVE-2014-9221_modp_custom.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git
More information about the Pkg-swan-devel
mailing list