Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 483204 (CVE-2013-2053)

Summary: <net-misc/openswan-2.6.39: Buffer overflow (CVE-2013-2053)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: floppym
Priority: Normal Keywords: PMASKED
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 483576    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2013-08-31 22:10:00 UTC
CVE-2013-2053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2053):
  Buffer overflow in the atodn function in Openswan before 2.6.39, when
  Opportunistic Encryption is enabled and an RSA key is being used, allows
  remote attackers to cause a denial of service (pluto IKE daemon crash) and
  possibly execute arbitrary code via crafted DNS TXT records.  NOTE: this
  might be the same vulnerability as CVE-2013-2052 and CVE-2013-2054.
Comment 1 Mike Gilbert gentoo-dev 2013-09-01 06:06:14 UTC
+*openswan-2.6.39 (01 Sep 2013)
+
+  01 Sep 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/openswan-2.6.39-gentoo.patch, +openswan-2.6.39.ebuild:
+  Version bump.
Comment 2 Agostino Sarubbo gentoo-dev 2013-09-01 09:38:01 UTC
B2 as discussed with Chris on IRC.

Arches, please test and mark stable:
=net-misc/openswan-2.6.39
Target keywords : "amd64 x86"
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-09-01 12:38:27 UTC
@ago, you forgot about arches ? ;)
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-01 15:27:26 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-01 15:27:34 UTC
x86 stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-01 18:43:43 UTC
GLSA drafted and ready for review.
Comment 7 Sergey Popov gentoo-dev 2013-12-05 12:32:15 UTC
@maintainer, please drop vulnerable versions
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 05:34:11 UTC
Ping!

Maintainer(s), please drop the vulnerable version.
Comment 9 Mike Gilbert gentoo-dev 2013-12-30 06:05:20 UTC
I will not be dropping openswan-2.6.38 from the tree for the foreseeable future due to bug 483576.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-11-06 01:06:40 UTC
This issue was resolved and addressed in
 GLSA 201401-09 at http://security.gentoo.org/glsa/glsa-201401-09.xml
by GLSA coordinator Sean Amoss (ackle).