Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 483204 (CVE-2013-2053) - <net-misc/openswan-2.6.39: Buffer overflow (CVE-2013-2053)
Summary: <net-misc/openswan-2.6.39: Buffer overflow (CVE-2013-2053)
Status: RESOLVED FIXED
Alias: CVE-2013-2053
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords: PMASKED
Depends on: 483576
Blocks:
  Show dependency tree
 
Reported: 2013-08-31 22:10 UTC by GLSAMaker/CVETool Bot
Modified: 2014-11-06 01:06 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2013-08-31 22:10:00 UTC
CVE-2013-2053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2053):
  Buffer overflow in the atodn function in Openswan before 2.6.39, when
  Opportunistic Encryption is enabled and an RSA key is being used, allows
  remote attackers to cause a denial of service (pluto IKE daemon crash) and
  possibly execute arbitrary code via crafted DNS TXT records.  NOTE: this
  might be the same vulnerability as CVE-2013-2052 and CVE-2013-2054.
Comment 1 Mike Gilbert gentoo-dev 2013-09-01 06:06:14 UTC
+*openswan-2.6.39 (01 Sep 2013)
+
+  01 Sep 2013; Mike Gilbert <floppym@gentoo.org>
+  +files/openswan-2.6.39-gentoo.patch, +openswan-2.6.39.ebuild:
+  Version bump.
Comment 2 Agostino Sarubbo gentoo-dev 2013-09-01 09:38:01 UTC
B2 as discussed with Chris on IRC.

Arches, please test and mark stable:
=net-misc/openswan-2.6.39
Target keywords : "amd64 x86"
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-09-01 12:38:27 UTC
@ago, you forgot about arches ? ;)
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-01 15:27:26 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-01 15:27:34 UTC
x86 stable
Comment 6 Sean Amoss gentoo-dev Security 2013-09-01 18:43:43 UTC
GLSA drafted and ready for review.
Comment 7 Sergey Popov gentoo-dev 2013-12-05 12:32:15 UTC
@maintainer, please drop vulnerable versions
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2013-12-30 05:34:11 UTC
Ping!

Maintainer(s), please drop the vulnerable version.
Comment 9 Mike Gilbert gentoo-dev 2013-12-30 06:05:20 UTC
I will not be dropping openswan-2.6.38 from the tree for the foreseeable future due to bug 483576.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-11-06 01:06:40 UTC
This issue was resolved and addressed in
 GLSA 201401-09 at http://security.gentoo.org/glsa/glsa-201401-09.xml
by GLSA coordinator Sean Amoss (ackle).