Bug 232831 - net-firewall/ipsec-tools <0.7.1 racoon DoS (CVE-2008-3651,CVE-2008-3652)
|
Bug#:
232831
(CVE-2008-3651)
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: natanael.copa@gmail.com
|
|
Component: Vulnerabilities
|
|
|
URL:
http://marc.info/?l=ipsec-tools-devel&m=121688914101709&w=2
|
|
Summary: net-firewall/ipsec-tools <0.7.1 racoon DoS (CVE-2008-3651,CVE-2008-3652)
|
|
Keywords:
|
|
Status Whiteboard: B3 [glsa]
|
|
Opened: 2008-07-24 11:21 0000
|
Maintainer-needed package.
(In reply to comment #1)
> Maintainer-needed package.
>
so it should be assigned to maintainer-needed, not security :)
(In reply to comment #2)
> (In reply to comment #1)
> > Maintainer-needed package.
> >
> so it should be assigned to maintainer-needed, not security :)
>
err, didn't catch the DoS issue. sorry for the bugspam.
CVE-2008-3651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3651):
Memory leak in racoon/proposal.c in the racoon daemon in ipsec-tools before
0.7.1 allows remote authenticated users to cause a denial of service (memory
consumption) via invalid proposals.
hardened, netmon: Would you be willing to maintain this package?
CVE-2008-3652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3652):
src/racoon/handler.c in racoon in ipsec-tools does not remove an "orphaned
ph1" (phase 1) handle when it has been initiated remotely, which allows
remote attackers to cause a denial of service (resource consumption).
A fix would be cool. Isn't security@gentoo.org in charge when there is no
maintainer?!
Well, you usually firewall your IKE-Ports for Point-to-Point VPN but when
you've got some roadwarriors, you can't do that. :(
(In reply to comment #7)
> hardened, netmon: Would you be willing to maintain this package?
Hardened will have to decline at this point in time. Perhaps crypto@gentoo..
So, hardened declined, crypto was proposed, changing CC accordingly.
The attached ebuild is much more cleaner and also fixes that only selinux needs
--enable-security-context (stolen from #213695).
:)
(In reply to comment #13)
> Created an attachment (id=164950) [edit] [details]
> ipsec-tools-0.7.1.ebuild (with selinux fix)
>
Thanks Craig for the inclusion of selinux and the cleanup. I've added it after
making a few USE flags enabled by default. Please tell me if there is a major
impact here.
Of note this actually failed a self test that I've run out of time to diagnose.
f346bb67 7075a9b5 27cf458f 7d302e68 6aa5c5b4 832f903b 5ea73298 0143abd2
fbf5d927 d845aae9 13788714 989c5784 9b914c71 72f745e6 8b039819 3085bf4d
ca3e46ee 00b36bcc 85fc210e bbde5da7 a05519fe 7f56ffec afebd3c5 ae2069e7
ERROR: sharing gxy mismatched.
!!!!! Test 'dh' failed. !!!!!
FAIL: eaytest
===================
1 of 1 tests failed
===================
Users: please test and note weither it works and wheither it should be marked
stable on this bug report.
Daniel this test failure is not new, see bug 196517. So if you have setup to
test this package, please, bump it. BTW there some other bugs ipsec-tools and
some of them either should be marked fixed with this version bump or have patch
applied.
Daniel, are you going to have a look at the remaining bugs, or should we go
ahead stabling this version?
(In reply to comment #16)
> Daniel, are you going to have a look at the remaining bugs, or should we go
> ahead stabling this version?
>
only 223319 seems still revelant. rest are upstream or are included.
as i've lost cvs access in my few weeks off moving house if someone could
commit the patch from 223319 and go stable from there that would be good.
> commit the patch from 223319 and go stable from there that would be good.
done, thanks for investigating
Arches, please test and mark stable:
=net-firewall/ipsec-tools-0.7.1
Target keywords : "amd64 ppc sparc x86"
Daniel, it's a shame you lost cvs.
The updated racoon runs stable since 14hrs for me.
Ready for vote, I vote YES.
