From ipsec-tools mailing list:
Ipsec-tools 0.7.1 is out, with some fixes and features, which includes a fix for a memory leak when receiving invalid proposals.
As this leak may lead to a DoS (it will take time... but it can be done in some configurations), everybody is advised to update to this version ASAP.
Archives are available here: ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.7/ipsec-tools-0.7.1.tar.bz2 (please have a look at http://www.netbsd.org/mirrors/#ftp)
and soon here: http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-0.7.1.tar.bz2
Maintainer-needed package.
(In reply to comment #1)
> Maintainer-needed package.
so it should be assigned to maintainer-needed, not security :)
(In reply to comment #2)
> (In reply to comment #1)
> > Maintainer-needed package.
> so it should be assigned to maintainer-needed, not security :)
err, didn't catch the DoS issue. sorry for the bugspam.
This seems to be an upstream patch: http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/proposal.c.diff?r1=1.15&r2=1.16&f=h
(In reply to comment #4)
> This seems to be an upstream patch:
> http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/proposal.c.diff?r1=1.15&r2=1.16&f=h
well... as i understand, the fix is included in 0.7.1. version bump should be enough.
CVE-2008-3651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3651): Memory leak in racoon/proposal.c in the racoon daemon in ipsec-tools before 0.7.1 allows remote authenticated users to cause a denial of service (memory consumption) via invalid proposals.
hardened, netmon: Would you be willing to maintain this package?
CVE-2008-3652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3652): src/racoon/handler.c in racoon in ipsec-tools does not remove an "orphaned ph1" (phase 1) handle when it has been initiated remotely, which allows remote attackers to cause a denial of service (resource consumption).
A fix would be cool. Isn't security@gentoo.org in charge when there is no maintainer?! Well, you usually firewall your IKE-Ports for Point-to-Point VPN but when you've got some roadwarriors, you can't do that. :(
(In reply to comment #7)
> hardened, netmon: Would you be willing to maintain this package?
Hardened will have to decline at this point in time. Perhaps crypto@gentoo..
So, hardened declined, crypto was proposed, changing CC accordingly.
The attached ebuild is much cleaner and also fixes that only selinux needs --enable-security-context (stolen from #213695). :)
Created attachment 164950 ipsec-tools-0.7.1.ebuild (with selinux fix)
(In reply to comment #13)
> Created an attachment (id=164950)
> ipsec-tools-0.7.1.ebuild (with selinux fix)
Thanks Craig for the inclusion of selinux and the cleanup. I've added it after making a few USE flags enabled by default. Please tell me if there is a major impact here.
Of note this actually failed a self test that I've run out of time to diagnose.
f346bb67 7075a9b5 27cf458f 7d302e68 6aa5c5b4 832f903b 5ea73298 0143abd2
fbf5d927 d845aae9 13788714 989c5784 9b914c71 72f745e6 8b039819 3085bf4d
ca3e46ee 00b36bcc 85fc210e bbde5da7 a05519fe 7f56ffec afebd3c5 ae2069e7
ERROR: sharing gxy mismatched.
!!!!! Test 'dh' failed. !!!!!
FAIL: eaytest
===================
1 of 1 tests failed
===================
Users: please test and note whether it works and whether it should be marked stable on this bug report.
Daniel, this test failure is not new, see bug 196517. So if you have a setup to test this package, please bump it. BTW there are some other ipsec-tools bugs and some of them either should be marked fixed with this version bump or have a patch applied.
Daniel, are you going to have a look at the remaining bugs, or should we go ahead stabling this version?
(In reply to comment #16)
> Daniel, are you going to have a look at the remaining bugs, or should we go
> ahead stabling this version?
only 223319 seems still relevant. rest are upstream or are included. as i've lost cvs access in my few weeks off moving house if someone could commit the patch from 223319 and go stable from there that would be good.
> commit the patch from 223319 and go stable from there that would be good.
done, thanks for investigating
Arches, please test and mark stable:
=net-firewall/ipsec-tools-0.7.1
Target keywords : "amd64 ppc sparc x86"
Daniel, it's a shame you lost cvs. The updated racoon runs stable since 14hrs for me.
amd64/x86 stable
sparc stable
ppc stable
Ready for vote, I vote YES.
YES, filed
GLSA 200812-03