
Bug 232831 (CVE-2008-3651)

Summary: net-firewall/ipsec-tools <0.7.1 racoon DoS (CVE-2008-3651,CVE-2008-3652)
Product: Gentoo Security
Reporter: Natanael Copa <natanael.copa>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: craig, crypto+disabled, maintainer-needed, netmon, ole+gentoo, wschlich
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://marc.info/?l=ipsec-tools-devel&m=121688914101709&w=2
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 213695    
Bug Blocks:    
Attachments:
  ipsec-tools-0.7.1.ebuild (with selinux fix) (flags: none)

Description Natanael Copa 2008-07-24 11:21:44 UTC
From ipsec-tools mailing list

Ipsec-tools 0.7.1 is out, with some fixes and features, which includes
a fix for memory leak when receiving invalid proposals.

As this leak may lead to a DoS (it will take time.... but it can be
done in some configurations), everybody is advised to update to this
version ASAP.


Archives are available here
ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.7/ipsec-tools-0.7.1.tar.bz2
(please have a look at http://www.netbsd.org/mirrors/#ftp).
and soon here:
http://prdownloads.sourceforge.net/ipsec-tools/ipsec-tools-0.7.1.tar.bz2
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-07-24 12:40:43 UTC
Maintainer-needed package.
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-24 13:02:38 UTC
(In reply to comment #1)
> Maintainer-needed package.
> 
so it should be assigned to maintainer-needed, not security :)
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-24 13:04:24 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Maintainer-needed package.
> > 
> so it should be assigned to maintainer-needed, not security :)
> 

err, didn't catch the DoS issue. sorry for the bugspam.
Comment 5 Natanael Copa 2008-07-25 13:59:00 UTC
(In reply to comment #4)
> This seems to be an upstream patch:
> http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/proposal.c.diff?r1=1.15&r2=1.16&f=h
> 

Well... as I understand, the fix is included in 0.7.1. A version bump should be enough.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 13:34:06 UTC
CVE-2008-3651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3651):
  Memory leak in racoon/proposal.c in the racoon daemon in ipsec-tools before
  0.7.1 allows remote authenticated users to cause a denial of service (memory
  consumption) via invalid proposals.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 13:38:05 UTC
hardened, netmon: Would you be willing to maintain this package?
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 13:39:18 UTC
CVE-2008-3652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3652):
  src/racoon/handler.c in racoon in ipsec-tools does not remove an "orphaned
  ph1" (phase 1) handle when it has been initiated remotely, which allows
  remote attackers to cause a denial of service (resource consumption).
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2008-09-05 13:02:59 UTC
A fix would be cool. Isn't security@gentoo.org in charge when there is no maintainer?!

Well, you usually firewall your IKE-Ports for Point-to-Point VPN but when you've got some roadwarriors, you can't do that. :(
Comment 10 solar (RETIRED) gentoo-dev 2008-09-05 14:57:33 UTC
(In reply to comment #7)
> hardened, netmon: Would you be willing to maintain this package?

Hardened will have to decline at this point in time. Perhaps crypto@gentoo..

Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-06 15:36:58 UTC
So, hardened declined, crypto was proposed, changing CC accordingly.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2008-09-08 19:21:46 UTC
The attached ebuild is much cleaner and also fixes that only selinux needs --enable-security-context (stolen from #213695).

:)
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2008-09-08 19:22:59 UTC
Created attachment 164950
ipsec-tools-0.7.1.ebuild (with selinux fix)
Comment 14 Daniel Black (RETIRED) gentoo-dev 2008-09-09 21:27:01 UTC
(In reply to comment #13)
> Created an attachment (id=164950)
> ipsec-tools-0.7.1.ebuild (with selinux fix)
> 

Thanks Craig for the inclusion of selinux and the cleanup. I've added it after making a few USE flags enabled by default. Please tell me if there is a major impact here.

Of note this actually failed a self test that I've run out of time to diagnose.
 f346bb67 7075a9b5 27cf458f 7d302e68 6aa5c5b4 832f903b 5ea73298 0143abd2
 fbf5d927 d845aae9 13788714 989c5784 9b914c71 72f745e6 8b039819 3085bf4d
 ca3e46ee 00b36bcc 85fc210e bbde5da7 a05519fe 7f56ffec afebd3c5 ae2069e7
ERROR: sharing gxy mismatched.

!!!!! Test 'dh' failed. !!!!!

FAIL: eaytest
===================
1 of 1 tests failed
===================

Users: please test and note whether it works and whether it should be marked stable on this bug report.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-09-10 07:55:57 UTC
Daniel, this test failure is not new, see bug 196517. So if you have a setup to test this package, please bump it. BTW, there are some other ipsec-tools bugs, and some of them should either be marked fixed with this version bump or have a patch applied.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-09-14 11:30:13 UTC
Daniel, are you going to have a look at the remaining bugs, or should we go ahead stabling this version?
Comment 17 Daniel Black (RETIRED) gentoo-dev 2008-10-08 11:40:46 UTC
(In reply to comment #16)
> Daniel, are you going to have a look at the remaining bugs, or should we go
> ahead stabling this version?
> 

Only 223319 seems still relevant. The rest are upstream or are included.

As I've lost cvs access in my few weeks off moving house, if someone could commit the patch from 223319 and go stable from there, that would be good.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-10-08 12:19:58 UTC
> commit the patch from 223319 and go stable from there that would be good.

done, thanks for investigating
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-10-08 12:22:14 UTC
Arches, please test and mark stable:
=net-firewall/ipsec-tools-0.7.1
Target keywords : "amd64 ppc sparc x86"
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-08 16:52:06 UTC
Daniel, it's a shame you lost cvs.
The updated racoon has been running stable for 14 hrs for me.
Comment 21 Markus Meier gentoo-dev 2008-10-08 19:10:01 UTC
amd64/x86 stable
Comment 22 Friedrich Oslage (RETIRED) gentoo-dev 2008-10-11 13:07:14 UTC
sparc stable
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-16 18:15:24 UTC
ppc stable
Comment 24 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-16 18:52:50 UTC
Ready for vote, I vote YES.
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:44:58 UTC
YES, filed
Comment 26 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:50:42 UTC
GLSA 200812-03