Quoting upstream:

Orange Labs IKEv2 fuzzer discovers two DoS vulnerabilities
----------------------------------------------------------

Two DoS vulnerabilities in the charon daemon were discovered by fuzzing techniques:

1) Receiving a malformed IKE_SA_INIT request leaves an incomplete state which causes a crash of the IKEv2 charon daemon while dereferencing a null pointer if a subsequent CREATE_CHILD_SA request for the same connection is received.

2) Receiving an IKE_AUTH request with either a missing TSi or TSr traffic selector payload causes a crash of the IKEv2 charon daemon because the null pointer checks for TSi and TSr prior to deletion were swapped by mistake.

The IKEv2 fuzzer used was developed by the Orange Labs vulnerability research team. The tool was initially written by Gabriel Campana and is now maintained by Laurent Butti.

All strongSwan versions from 4.1.0 up to 4.3.0 are affected. Either apply the two security patches

http://download.strongswan.org/patches/03_invalid_ike_state_patch/
http://download.strongswan.org/patches/04_swapped_ts_check_patch/

or upgrade to strongSwan 4.3.1 or 4.2.15.
Copying strongswan-4.2.8.ebuild to strongswan-4.3.1.ebuild works on AMD64 here.
+*strongswan-4.2.15 (07 Jun 2009) + + 07 Jun 2009; Robert Buchholz <rbu@gentoo.org> +strongswan-4.2.15.ebuild: + Version bump, fixes security bug 264346 and 272276. Remove old warning in + the code, fix dependencies and configure options. Comment in user and group + specification again. Added some TODOs. +
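Review bot: the ChangeLog entry names only the Gentoo bugs 264346 and 272276; add the upstream identifiers CVE-2009-1957 and CVE-2009-1958 (quoted further down this page) next to them so the fix can be found by CVE, and "fixes security bug 264346 and 272276" should read "fixes security bugs 264346 and 272276".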
CVE-2009-1957 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1957): charon/sa/ike_sa.c in the charon daemon in strongSWAN before 4.3.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid IKE_SA_INIT request that triggers "an incomplete state," followed by a CREATE_CHILD_SA request.

CVE-2009-1958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1958): charon/sa/tasks/child_create.c in the charon daemon in strongSWAN before 4.3.1 switches the NULL checks for TSi and TSr payloads, which allows remote attackers to cause a denial of service via an IKE_AUTH request without a (1) TSi or (2) TSr traffic selector.
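Both the upstream advisory quoted above and the two NVD entries describe the same pair of input-validation gaps: a message whose payload chain does not decode cleanly must not leave a half-built IKE_SA behind for a later CREATE_CHILD_SA to trip over, and an IKE_AUTH whose TSi or TSr payload is absent must be rejected before any code path assumes both exist. The example below is added here as an illustration and is not strongSwan's code or the Gentoo ebuild's; it is a small responder model in Python. The header layout, exchange-type numbers and payload-type numbers follow RFC 4306 (TSi = 44, TSr = 45); everything else is an assumption made for the example: the class and function names, the simplified state machine, the set of payloads treated as mandatory per exchange (real IKE_AUTH payloads sit inside an SK payload and the required set varies, e.g. with EAP), and the sample messages, which are constructed inline.

```python
"""Added example, not strongSwan code: a strict IKEv2 payload-chain walker
plus the two checks whose absence the advisory describes. Constants follow
RFC 4306; names, state machine and sample messages are constructed here."""
import struct

# Exchange types (RFC 4306 section 3.1)
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA = 34, 35, 36
# Payload types (RFC 4306 section 3.2), only the ones this model needs
NO_NEXT, SA, KE, AUTH, NONCE, TSI, TSR = 0, 33, 34, 39, 40, 44, 45

HDR = struct.Struct("!QQBBBBII")  # SPIi, SPIr, next, version, exch, flags, msgid, length
PLD = struct.Struct("!BBH")       # generic payload header: next, C+reserved, length

# Assumption for the example: payloads the responder insists on per exchange.
REQUIRED = {
    IKE_SA_INIT: {SA, KE, NONCE},
    IKE_AUTH: {AUTH, SA, TSI, TSR},   # bug 2: both traffic selectors, or reject
}


class MalformedMessage(ValueError):
    """Raised instead of returning a partially decoded message."""


def parse_message(data):
    """Return (exchange_type, [(payload_type, body), ...]) or raise."""
    if len(data) < HDR.size:
        raise MalformedMessage("short IKE header")
    _, _, nxt, version, exch, _, _, length = HDR.unpack_from(data)
    if version >> 4 != 2:
        raise MalformedMessage("not IKEv2")
    if length != len(data):
        raise MalformedMessage(f"header length {length} != {len(data)} bytes")
    payloads, off = [], HDR.size
    while nxt != NO_NEXT:
        if off + PLD.size > len(data):
            raise MalformedMessage(f"truncated payload header at {off}")
        this_type = nxt
        nxt, _, plen = PLD.unpack_from(data, off)
        if plen < PLD.size or off + plen > len(data):
            raise MalformedMessage(f"bad payload length {plen} at {off}")
        payloads.append((this_type, data[off + PLD.size:off + plen]))
        off += plen
    if off != len(data):
        raise MalformedMessage(f"{len(data) - off} trailing bytes")
    return exch, payloads


class IkeSa:
    """Responder state. Bug 1 pattern avoided: a rejected message leaves the
    state untouched, so CREATE_CHILD_SA on a never-established SA is refused
    instead of dereferencing material that was never set up."""

    def __init__(self):
        self.state = "CREATED"

    def process(self, data):
        try:
            exch, payloads = parse_message(data)
        except MalformedMessage as e:
            return f"rejected: {e}"
        missing = REQUIRED.get(exch, set()) - {t for t, _ in payloads}
        if missing:
            return f"rejected: missing payload types {sorted(missing)}"
        if exch == IKE_SA_INIT and self.state == "CREATED":
            self.state = "CONNECTING"
            return "ok: IKE_SA_INIT"
        if exch == IKE_AUTH and self.state == "CONNECTING":
            self.state = "ESTABLISHED"
            return "ok: IKE_AUTH"
        if exch == CREATE_CHILD_SA and self.state == "ESTABLISHED":
            return "ok: CREATE_CHILD_SA"
        return f"rejected: exchange {exch} not allowed in state {self.state}"


def build_message(exch, payloads, spi_i=0x1122334455667788):
    """Encode a message for the constructed samples (bodies are dummies)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT
        body += PLD.pack(nxt, 0, PLD.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else NO_NEXT
    return HDR.pack(spi_i, 0, first, 0x20, exch, 0x08, 0, HDR.size + len(body)) + body


def demo():
    """Three constructed scenarios; returns the responder's verdict per step."""
    z = b"\0"
    good_init = build_message(IKE_SA_INIT, [(SA, z * 8), (KE, z * 16), (NONCE, z * 16)])
    # Malformed INIT: header length is consistent, but the SA payload claims 40 bytes.
    bad_init = (HDR.pack(0x1122334455667788, 0, SA, 0x20, IKE_SA_INIT, 0x08, 0, HDR.size + PLD.size)
                + PLD.pack(NO_NEXT, 0, 40))
    child = build_message(CREATE_CHILD_SA, [(SA, z * 8), (NONCE, z * 16), (TSI, z * 8), (TSR, z * 8)])
    auth_no_tsr = build_message(IKE_AUTH, [(AUTH, z * 8), (SA, z * 8), (TSI, z * 8)])
    auth_ok = build_message(IKE_AUTH, [(AUTH, z * 8), (SA, z * 8), (TSI, z * 8), (TSR, z * 8)])

    out, sa = {}, IkeSa()                 # scenario 1: bad INIT, then CREATE_CHILD_SA
    out["bad_init"] = sa.process(bad_init)
    out["child_after_bad_init"] = sa.process(child)
    sa = IkeSa()                          # scenario 2: IKE_AUTH without TSr
    out["good_init"] = sa.process(good_init)
    out["auth_no_tsr"] = sa.process(auth_no_tsr)
    out["state_after_bad_auth"] = sa.state
    out["auth_ok"] = sa.process(auth_ok)  # scenario 3: the complete exchange
    out["child_ok"] = sa.process(child)
    return out


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:22s} {verdict}")
```

The point of the model is where the checks sit: length consistency is enforced by the parser before a handler sees anything, payload presence is checked against the exchange type before the task that uses TSi and TSr runs, and a rejected message never advances the state, so the later CREATE_CHILD_SA is turned away by the state check rather than by luck.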