[Pkg-swan-devel] [strongswan] 01/01: Fix CVE-2014-9221

Yves-Alexis Perez corsac at moszumanska.debian.org
Thu Jul 7 08:44:19 UTC 2016 

This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch wheezy-backports
in repository strongswan.

commit c36ee22f82cba01193873bc96dfd3a7150ccfa26
Author: Yves-Alexis Perez <corsac at debian.org>
Date:   Mon Dec 15 21:03:18 2014 +0100

    Fix CVE-2014-9221
    
    * debian/patches:
      - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
      denial of service in IKEv2 when using custom MODP value.
---
 debian/changelog                               |  8 +++
 debian/patches/CVE-2014-9221_modp_custom.patch | 67 ++++++++++++++++++++++++++
 debian/patches/series                          |  1 +
 3 files changed, 76 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index edad081..fc4a400 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+strongswan (5.2.1-5) UNRELEASED; urgency=high
+
+  * debian/patches:
+    - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
+    denial of service in IKEv2 when using custom MODP value.
+
+ -- Yves-Alexis Perez <corsac at debian.org>  Mon, 15 Dec 2014 21:02:08 +0100
+
 strongswan (5.2.1-4~bpo70+1) wheezy-backports; urgency=medium
 
   * Rebuild for wheezy-backports.
diff --git a/debian/patches/CVE-2014-9221_modp_custom.patch b/debian/patches/CVE-2014-9221_modp_custom.patch
new file mode 100644
index 0000000..187eaf9
--- /dev/null
+++ b/debian/patches/CVE-2014-9221_modp_custom.patch
@@ -0,0 +1,67 @@
+From 11ddb58cadb10b558575484f1cad0c683c77b8fa Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias at strongswan.org>
+Date: Mon, 1 Dec 2014 17:21:59 +0100
+Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range
+
+Before this fix it was possible to crash charon with an IKE_SA_INIT
+message containing a KE payload with DH group MODP_CUSTOM(1025).
+Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
+prevents it from getting negotiated.
+
+Fixes CVE-2014-9221 in version 5.1.2 and newer.
+---
+ src/libstrongswan/crypto/diffie_hellman.c | 11 ++++++-----
+ src/libstrongswan/crypto/diffie_hellman.h |  6 ++++--
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
+index 87c9b21f8dd8..393eece49522 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.c
++++ b/src/libstrongswan/crypto/diffie_hellman.c
+@@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
+ 	"ECP_256_BP",
+ 	"ECP_384_BP",
+ 	"ECP_512_BP");
+-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
+-	"MODP_NULL",
+-	"MODP_CUSTOM");
+-ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
++ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
++	"MODP_NULL");
++ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
+ 	"NTRU_112",
+ 	"NTRU_128",
+ 	"NTRU_192",
+ 	"NTRU_256");
+-ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
++ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT,
++	"MODP_CUSTOM");
++ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
+ 
+ 
+ /**
+diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
+index 105db22f14d4..d5161d077bb2 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.h
++++ b/src/libstrongswan/crypto/diffie_hellman.h
+@@ -63,12 +63,14 @@ enum diffie_hellman_group_t {
+ 	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
+ 	MODP_NULL = 1024,
+ 	/** MODP group with custom generator/prime */
+-	MODP_CUSTOM = 1025,
+ 	/** Parameters defined by IEEE 1363.1, in PRIVATE USE */
+ 	NTRU_112_BIT = 1030,
+ 	NTRU_128_BIT = 1031,
+ 	NTRU_192_BIT = 1032,
+-	NTRU_256_BIT = 1033
++	NTRU_256_BIT = 1033,
++	/** internally used DH group with additional parameters g and p, outside
++	 * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
++	MODP_CUSTOM = 65536,
+ };
+ 
+ /**
+-- 
+1.9.1
+
+
\ No newline at end of file
diff --git a/debian/patches/series b/debian/patches/series
index c14ab5d..e12f917 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 02_chunk-endianness.patch
 03_systemd-service.patch
 04_disable-libtls-tests.patch
+CVE-2014-9221_modp_custom.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git

More information about the Pkg-swan-devel mailing list