Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 550118 (CVE-2015-4047) - <net-firewall/ipsec-tools-0.8.2-r5: null pointer dereference (CVE-2015-4047)
Summary: <net-firewall/ipsec-tools-0.8.2-r5: null pointer dereference (CVE-2015-4047)
Status: RESOLVED FIXED
Alias: CVE-2015-4047
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
: 550082 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-05-22 07:07 UTC by Agostino Sarubbo
Modified: 2016-12-13 07:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-22 07:07:35 UTC
From ${URL} :

Javantea reports a null pointer dereference in the ipsec-tools package on
the full-disclosure mail list:
http://seclists.org/fulldisclosure/2015/May/81

Christos Zoulas proposed a fix on the same list:
http://seclists.org/fulldisclosure/2015/May/83

--- gssapi.c    9 Sep 2006 16:22:09 -0000       1.4
+++ gssapi.c    19 May 2015 15:16:00 -0000      1.6
@@ -192,6 +192,11 @@
        gss_name_t princ, canon_princ;
        OM_uint32 maj_stat, min_stat;
 
+       if (iph1->rmconf == NULL) {
+               plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
+               return -1;
+       }
+
        gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
        if (gps == NULL) {
                plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2015-05-22 08:06:03 UTC
*** Bug 550082 has been marked as a duplicate of this bug. ***
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 12:59:45 UTC
CVE-2015-4047 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4047):
  racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a
  denial of service (NULL pointer dereference and IKE daemon crash) via a
  series of crafted UDP requests.
Comment 3 Anthony Basile gentoo-dev 2016-07-01 03:21:11 UTC
Note: this is a low impact vuln so don't go around p.masking this.  Upstream has not acted on it, and I'm not 100% convince that that patch is the right way to go.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 02:31:07 UTC
@ Anthony: Are you sure about your rating? Debian has a high rating and is carrying the patch like SuSE and RHEL.
Comment 5 Anthony Basile gentoo-dev 2016-11-19 15:16:51 UTC
(In reply to Thomas Deutschmann from comment #4)
> @ Anthony: Are you sure about your rating? Debian has a high rating and is
> carrying the patch like SuSE and RHEL.

i get that this is a null pointer deref which can be potentially serious, but i saw no poc and couldn't see how to trigger it.  also upstream didn't act on it at that time.

anyhow, if other distros have added this patch then i feel there's been enough testing that we can put it into gentoo.  i'll rev bump and reset to ~arch just in case and we can restabilize.
Comment 6 Anthony Basile gentoo-dev 2016-11-19 15:39:34 UTC
(In reply to Anthony Basile from comment #5)
> (In reply to Thomas Deutschmann from comment #4)
> > @ Anthony: Are you sure about your rating? Debian has a high rating and is
> > carrying the patch like SuSE and RHEL.
> 
> i get that this is a null pointer deref which can be potentially serious,
> but i saw no poc and couldn't see how to trigger it.  also upstream didn't
> act on it at that time.
> 

@whissi, thanks for bringing my attention back to this!  i see now how this exploit works.  i've got the patch in the tree with ipsec-tools-0.8.2-r5.ebuild.  we should stabilize it.

KEYWORDS="amd64 arm ppc ppc64 x86"
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 17:01:48 UTC
No problem, thanks for the bump!


@ Arches,

please mark stable: =net-firewall/ipsec-tools-0.8.2-r5

Stable target(s): amd64 arm ppc ppc64 x86
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-20 13:05:28 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-11-20 13:08:59 UTC
x86 stable
Comment 10 Anthony Basile gentoo-dev 2016-11-25 13:21:26 UTC
i forgot to remove ppc and ppc64 which i marked as stable.  only arm to go.
Comment 11 Anthony Basile gentoo-dev 2016-12-13 02:05:08 UTC
stable on arm
Comment 12 Anthony Basile gentoo-dev 2016-12-13 02:13:07 UTC
all vulnerable versions are off the tree
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 07:14:00 UTC
(In reply to Anthony Basile from comment #12)
> all vulnerable versions are off the tree

Thanks, Anthony!

GLSA Vote: No