There is a validation problem in isakmp_parsewoh(). The exploit may not be able to do something else than a malloc error, or, in the worst case, a racoon crash, and it's not sure this could be done without appropriate credentials.
Created attachment 52903: patch-isakmp.c. Patch from Yvan VANHULLEBUS. Discovery credits go to Sebastian Krahmer (SuSE).
Patch is now public @ http://cvs.sourceforge.net/viewcvs.py/ipsec-tools/ipsec-tools/src/racoon/isakmp.c?r1=1.32.2.1&r2=1.32.2.2 "Fixed a buffer underrun (CAN-2005-0398)" latexer, plasmaroo: please bump ipsec-tools with patch.
Koon, I've just committed 0.4-r1 and 0.5-r1 with the changes. Since 0.4 has been in portage for a while, I suggest we target 0.4-r1 for stabilization in the next few days so we can have a stable fixed version.
*** Bug 85307 has been marked as a duplicate of this bug. ***
Arches, please test and mark ipsec-tools-0.4-r1 stable
Kugelfang, plasmaroo, weeve: you marked it stable last time, do you think you can test and mark this one stable as well?
stable on amd64
SPARCtastic.
x86/latexer/plasmaroo: please test and mark ipsec-tools-0.4-r1 stable on x86 if you can.
Marked stable on x86.
Thx Peter. Security: GLSA vote needed, I vote YES.
Pre-authentication remote crash -> I vote YES.
GLSA 200503-33 thanks everyone