Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 330845

Summary: net-misc/strongswan (versions < 4.3.7, < 4.4.1): remote code execution vulnerability
Product: Gentoo Security Reporter: Matthias Dahl <ua_gentoo_bugzilla>
Component: VulnerabilitiesAssignee: Matthias Dahl <ua_gentoo_bugzilla>
Status: RESOLVED FIXED    
Severity: critical    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lists.strongswan.org/pipermail/users/2010-August/005167.html
Whiteboard:
Package list:
Runtime testing required: ---

Description Matthias Dahl 2010-08-02 14:46:12 UTC 
Taken straight from the 4.4.1 announcement:

"
A potential remote code execution vulnerability resulting from
the misuse of snprintf() was fixed. The vulnerability was
introduced with the strongswan-4.3.3 release and is exploitable
by unauthenticated users."

Patches and new releases are available.

Reproducible: Always
Comment 1 Matthias Dahl 2010-08-02 14:47:14 UTC 
The 4.4.0 patch currently does not cleanly apply. Investigating this.
Comment 2 Matthias Dahl 2010-08-02 18:43:47 UTC 
Updates sent to my proxy Markos Chandras. Closing this bug once the commit hits the tree.

Summary:

- bumping 4.3.6 to 4.3.7 which contains only the security fix
- replacing 4.4.0 w/ 4.4.1 because there is currently no working standalone patch available
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-08-03 08:03:57 UTC 
Bumped

Affected versions removed. No need to call security team since there is no stable version for that

Thank you for the ebuilds