Bug 232831 (CVE-2008-3651) - net-firewall/ipsec-tools <0.7.1 racoon DoS (CVE-2008-3651,CVE-2008-3652)
Summary: net-firewall/ipsec-tools <0.7.1 racoon DoS (CVE-2008-3651,CVE-2008-3652)
Status: RESOLVED FIXED
Alias: CVE-2008-3651
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://marc.info/?l=ipsec-tools-devel...
Whiteboard: B3 [glsa]
Depends on: 213695
Reported: 2008-07-24 11:21 UTC by Natanael Copa
Modified: 2008-12-02 17:50 UTC
Attachments
ipsec-tools-0.7.1.ebuild (with selinux fix) (ipsec-tools-0.7.1.ebuild,7.86 KB, text/plain)
2008-09-08 19:22 UTC, Stefan Behte (RETIRED)

Description Natanael Copa 2008-07-24 11:21:44 UTC
From ipsec-tools mailing list

Ipsec-tools 0.7.1 is out, with some fixes and features, which includes
a fix for memory leak when receiving invalid proposals.

As this leak may lead to a DoS (it will take time.... but it can be
done in some configurations), everybody is advised to update to this
version ASAP.


Archives are available here
ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.7/ipsec-tools-0.7.1.tar.bz2
(please have a look at http://www.netbsd.org/mirrors/#ftp).
and soon here:
http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-0.7.1.tar.bz2
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-07-24 12:40:43 UTC
Maintainer-needed package.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-24 13:02:38 UTC
(In reply to comment #1)
> Maintainer-needed package.
> 
so it should be assigned to maintainer-needed, not security :)
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-24 13:04:24 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Maintainer-needed package.
> > 
> so it should be assigned to maintainer-needed, not security :)
> 

Err, didn't catch the DoS issue. Sorry for the bugspam.
Comment 5 Natanael Copa 2008-07-25 13:59:00 UTC
(In reply to comment #4)
> This seems to be an upstream patch:
> http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/proposal.c.diff?r1=1.15&r2=1.16&f=h
> 

Well... as I understand, the fix is included in 0.7.1. Version bump should be enough.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 13:34:06 UTC
CVE-2008-3651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3651):
  Memory leak in racoon/proposal.c in the racoon daemon in ipsec-tools before
  0.7.1 allows remote authenticated users to cause a denial of service (memory
  consumption) via invalid proposals.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 13:38:05 UTC
hardened, netmon: Would you be willing to maintain this package?
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 13:39:18 UTC
CVE-2008-3652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3652):
  src/racoon/handler.c in racoon in ipsec-tools does not remove an "orphaned
  ph1" (phase 1) handle when it has been initiated remotely, which allows
  remote attackers to cause a denial of service (resource consumption).
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-09-05 13:02:59 UTC
A fix would be cool. Isn't security@gentoo.org in charge when there is no maintainer?!

Well, you usually firewall your IKE-Ports for Point-to-Point VPN but when you've got some roadwarriors, you can't do that. :(
Comment 10 solar (RETIRED) gentoo-dev 2008-09-05 14:57:33 UTC
(In reply to comment #7)
> hardened, netmon: Would you be willing to maintain this package?

Hardened will have to decline at this point in time. Perhaps crypto@gentoo..

Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-06 15:36:58 UTC
So, hardened declined, crypto was proposed, changing CC accordingly.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2008-09-08 19:21:46 UTC
The attached ebuild is much cleaner and also fixes that only selinux needs --enable-security-context (stolen from #213695).

:)
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2008-09-08 19:22:59 UTC
Created attachment 164950
ipsec-tools-0.7.1.ebuild (with selinux fix)
Comment 14 Daniel Black (RETIRED) gentoo-dev 2008-09-09 21:27:01 UTC
(In reply to comment #13)
> Created an attachment (id=164950)
> ipsec-tools-0.7.1.ebuild (with selinux fix)
> 

Thanks Craig for the inclusion of selinux and the cleanup. I've added it after making a few USE flags enabled by default. Please tell me if there is a major impact here.

Of note this actually failed a self test that I've run out of time to diagnose.
 f346bb67 7075a9b5 27cf458f 7d302e68 6aa5c5b4 832f903b 5ea73298 0143abd2
 fbf5d927 d845aae9 13788714 989c5784 9b914c71 72f745e6 8b039819 3085bf4d
 ca3e46ee 00b36bcc 85fc210e bbde5da7 a05519fe 7f56ffec afebd3c5 ae2069e7
ERROR: sharing gxy mismatched.

!!!!! Test 'dh' failed. !!!!!

FAIL: eaytest
===================
1 of 1 tests failed
===================

Users: please test and note on this bug report whether it works and whether it should be marked stable.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-09-10 07:55:57 UTC
Daniel, this test failure is not new, see bug 196517. So if you have a setup to test this package, please bump it. BTW there are some other ipsec-tools bugs, and some of them should either be marked fixed with this version bump or have a patch applied.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-09-14 11:30:13 UTC
Daniel, are you going to have a look at the remaining bugs, or should we go ahead stabling this version?
Comment 17 Daniel Black (RETIRED) gentoo-dev 2008-10-08 11:40:46 UTC
(In reply to comment #16)
> Daniel, are you going to have a look at the remaining bugs, or should we go
> ahead stabling this version?
> 

Only 223319 seems still relevant. The rest are upstream or are included.

As I've lost CVS access in my few weeks off moving house, if someone could commit the patch from 223319 and go stable from there, that would be good.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-10-08 12:19:58 UTC
> commit the patch from 223319 and go stable from there that would be good.

done, thanks for investigating
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-10-08 12:22:14 UTC
Arches, please test and mark stable:
=net-firewall/ipsec-tools-0.7.1
Target keywords : "amd64 ppc sparc x86"
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-08 16:52:06 UTC
Daniel, it's a shame you lost CVS.
The updated racoon has been running stable for 14 hrs for me.
Comment 21 Markus Meier gentoo-dev 2008-10-08 19:10:01 UTC
amd64/x86 stable
Comment 22 Friedrich Oslage (RETIRED) gentoo-dev 2008-10-11 13:07:14 UTC
sparc stable
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-16 18:15:24 UTC
ppc stable
Comment 24 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-16 18:52:50 UTC
Ready for vote, I vote YES.
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:44:58 UTC
YES, filed
Comment 26 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:50:42 UTC
GLSA 200812-03