Bug 550118 (CVE-2015-4047) - <net-firewall/ipsec-tools-0.8.2-r5: null pointer dereference (CVE-2015-4047)
Summary: <net-firewall/ipsec-tools-0.8.2-r5: null pointer dereference (CVE-2015-4047)
Status: RESOLVED FIXED
Alias: CVE-2015-4047
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 550082
Depends on:
Blocks:
 
Reported: 2015-05-22 07:07 UTC by Agostino Sarubbo
Modified: 2016-12-13 07:14 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-05-22 07:07:35 UTC
From ${URL} :

Javantea reports a null pointer dereference in the ipsec-tools package on
the full-disclosure mailing list:
http://seclists.org/fulldisclosure/2015/May/81

Christos Zoulas proposed a fix on the same list:
http://seclists.org/fulldisclosure/2015/May/83

--- gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
+++ gssapi.c    19 May 2015 15:16:00 -0000      1.6
@@ -192,6 +192,11 @@
        gss_name_t princ, canon_princ;
        OM_uint32 maj_stat, min_stat;
 
+       if (iph1->rmconf == NULL) {
+               plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
+               return -1;
+       }
+
        gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
        if (gps == NULL) {
                plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
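Review bot: the new `iph1->rmconf == NULL` guard is placed before the `racoon_calloc` of `gps`, so the early `return -1` cannot leak the state block; that ordering is correct and should be kept if the patch is reworked. What the hunk lacks is a comment explaining how a phase 1 handle can reach this point without a remote config, for example a line above the `if` such as `/* rmconf may be unset for an unmatched peer; bail out before touching it */`. Without it the check reads as a defensive no-op and, as the later comments on this bug show, reviewers could not judge whether it fixes the root cause or only the crash site. The error path itself matches the existing `plog(LLV_ERROR, LOCATION, NULL, ...)` style used a few lines below, so no style change is needed there.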



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2015-05-22 08:06:03 UTC
*** Bug 550082 has been marked as a duplicate of this bug. ***
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 12:59:45 UTC
CVE-2015-4047 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4047):
  racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a
  denial of service (NULL pointer dereference and IKE daemon crash) via a
  series of crafted UDP requests.
Comment 3 Anthony Basile gentoo-dev 2016-07-01 03:21:11 UTC
Note: this is a low impact vuln so don't go around p.masking this.  Upstream has not acted on it, and I'm not 100% convinced that that patch is the right way to go.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 02:31:07 UTC
@ Anthony: Are you sure about your rating? Debian has a high rating and is carrying the patch like SuSE and RHEL.
Comment 5 Anthony Basile gentoo-dev 2016-11-19 15:16:51 UTC
(In reply to Thomas Deutschmann from comment #4)
> @ Anthony: Are you sure about your rating? Debian has a high rating and is
> carrying the patch like SuSE and RHEL.

i get that this is a null pointer deref which can be potentially serious, but i saw no poc and couldn't see how to trigger it.  also upstream didn't act on it at that time.

anyhow, if other distros have added this patch then i feel there's been enough testing that we can put it into gentoo.  i'll rev bump and reset to ~arch just in case and we can restabilize.
Comment 6 Anthony Basile gentoo-dev 2016-11-19 15:39:34 UTC
(In reply to Anthony Basile from comment #5)
> (In reply to Thomas Deutschmann from comment #4)
> > @ Anthony: Are you sure about your rating? Debian has a high rating and is
> > carrying the patch like SuSE and RHEL.
> 
> i get that this is a null pointer deref which can be potentially serious,
> but i saw no poc and couldn't see how to trigger it.  also upstream didn't
> act on it at that time.
> 

@whissi, thanks for bringing my attention back to this!  i see now how this exploit works.  i've got the patch in the tree with ipsec-tools-0.8.2-r5.ebuild.  we should stabilize it.

KEYWORDS="amd64 arm ppc ppc64 x86"
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 17:01:48 UTC
No problem, thanks for the bump!


@ Arches,

please mark stable: =net-firewall/ipsec-tools-0.8.2-r5

Stable target(s): amd64 arm ppc ppc64 x86
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-20 13:05:28 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-11-20 13:08:59 UTC
x86 stable
Comment 10 Anthony Basile gentoo-dev 2016-11-25 13:21:26 UTC
i forgot to remove ppc and ppc64 which i marked as stable.  only arm to go.
Comment 11 Anthony Basile gentoo-dev 2016-12-13 02:05:08 UTC
stable on arm
Comment 12 Anthony Basile gentoo-dev 2016-12-13 02:13:07 UTC
all vulnerable versions are off the tree
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 07:14:00 UTC
(In reply to Anthony Basile from comment #12)
> all vulnerable versions are off the tree

Thanks, Anthony!

GLSA Vote: No