| Summary: | <net-firewall/ipsec-tools-0.8.2-r5: null pointer dereference (CVE-2015-4047) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | blueness, confabulate |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2015/05/20/1 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
*** Bug 550082 has been marked as a duplicate of this bug. ***

CVE-2015-4047 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4047): racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a series of crafted UDP requests.

Note: this is a low impact vuln so don't go around p.masking this. Upstream has not acted on it, and I'm not 100% convinced that that patch is the right way to go.

@ Anthony: Are you sure about your rating? Debian has a high rating and is carrying the patch like SuSE and RHEL.

(In reply to Thomas Deutschmann from comment #4)
> @ Anthony: Are you sure about your rating? Debian has a high rating and is
> carrying the patch like SuSE and RHEL.

i get that this is a null pointer deref which can be potentially serious, but i saw no poc and couldn't see how to trigger it. also upstream didn't act on it at that time. anyhow, if other distros have added this patch then i feel there's been enough testing that we can put it into gentoo. i'll rev bump and reset to ~arch just in case and we can restabilize.

(In reply to Anthony Basile from comment #5)
> (In reply to Thomas Deutschmann from comment #4)
> > @ Anthony: Are you sure about your rating? Debian has a high rating and is
> > carrying the patch like SuSE and RHEL.
>
> i get that this is a null pointer deref which can be potentially serious,
> but i saw no poc and couldn't see how to trigger it. also upstream didn't
> act on it at that time.
>

@whissi, thanks for bringing my attention back to this! i see now how this exploit works. i've got the patch in the tree with ipsec-tools-0.8.2-r5.ebuild. we should stabilize it. KEYWORDS="amd64 arm ppc ppc64 x86"

No problem, thanks for the bump!

@ Arches, please mark stable:

=net-firewall/ipsec-tools-0.8.2-r5

Stable target(s): amd64 arm ppc ppc64 x86

amd64 stable

x86 stable

i forgot to remove ppc and ppc64 which i marked as stable. only arm to go.

stable on arm

all vulnerable versions are off the tree

(In reply to Anthony Basile from comment #12)
> all vulnerable versions are off the tree

Thanks, Anthony!

GLSA Vote: No