Bug 620256 (CVE-2017-9022, CVE-2017-9023)

Summary:	<net-vpn/strongswan-5.5.3: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	gurligebis, patrick
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa cve]
Package list:	net-vpn/strongswan-5.5.3	Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2017-05-31 14:31:08 UTC

From https://bugzilla.redhat.com/show_bug.cgi?id=1457121:

It was found that RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception and 
crash of the process. A certificate with an appropriately prepared public key sent by a peer could be used for a denial-of-service attack.

External References:

https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9022).html



From https://bugzilla.redhat.com/show_bug.cgi?id=1457122:


It was found that ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when parsing X.509 certificates with extensions that use such types. This could lead to infinite looping of the thread 
parsing a specifically crafted certificate.

External References:

https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9023).html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev

2017-06-02 12:24:54 UTC

5.5.2 has been added to the tree, and 5.5.1 has been removed.
Please stabilize, so we can remove the last old version.

Comment 2 Andreas Steinmetz 2017-06-02 15:00:43 UTC

Please note that according to:
https://strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9022).html
5.5.2 is still a vulnerable version, 5.5.3 is actually required.

Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev

2017-06-02 15:38:26 UTC

Indeed - I have changed it to 5.5.3 instead :)

Comment 4 Yury German Gentoo Infrastructure

2017-06-03 06:28:37 UTC

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Comment 5 Bjarke Istrup Pedersen (RETIRED) gentoo-dev

2017-06-04 06:58:34 UTC

Yes, please stabilize

Comment 6 Agostino Sarubbo gentoo-dev

2017-06-17 17:26:36 UTC

x86 stable

Comment 7 Agostino Sarubbo gentoo-dev

2017-06-18 14:02:33 UTC

amd64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2017-06-21 12:01:36 UTC

ppc stable

Comment 9 Markus Meier gentoo-dev

2017-06-23 04:39:06 UTC

arm stable, all arches done.

Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-28 12:37:46 UTC

GLSA Vote: No

@ Maintainer(s): Please cleanup and drop =net-vpn/strongswan-5.3.4!

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2017-07-16 00:19:35 UTC

Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bea4795e774fd839e1d0b27784c34cbf00f7631