Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624832 (CVE-2016-10396) - <net-vpn/ipsec-tools-0.8.2-r6: Parsing and storing ISAKMP fragments in malicious order can exhaust resources (CVE-2016-10396)
Summary: <net-vpn/ipsec-tools-0.8.2-r6: Parsing and storing ISAKMP fragments in malici...
Status: RESOLVED FIXED
Alias: CVE-2016-10396
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-13 05:15 UTC by Aleksandr Wagner (Kivak)
Modified: 2020-07-16 00:33 UTC (History)
1 user (show)

See Also:
Package list:
net-vpn/ipsec-tools-0.8.2-r6
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-07-13 05:15:38 UTC
The racoon daemon in IPsec-Tools 0.8.2 contains a remotely exploitable computational-complexity attack when parsing and storing ISAKMP fragments. The implementation permits a remote attacker to exhaust computational resources on the remote endpoint by repeatedly sending ISAKMP fragment packets in a particular order such that the worst-case computational complexity is realized in the algorithm utilized to determine if reassembly of the fragments can take place.

References:

https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682

Upstream patch:

http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/isakmp_frag.c.diff?r1=1.5&r2=1.5.36.1
Comment 1 Sam James gentoo-dev Security 2020-03-18 17:16:11 UTC
@maintainer(s), can we apply this patch?

Also, the upstream site (http://ipsec-tools.sourceforge.net/) says since 2014:
>Important Note
>The development of ipsec-tools has been ABANDONED.
>ipsec-tools has security issues, and you should not use it.
>Please switch to a secure alternative!

Should we instead drop the package? Thanks.
Comment 2 Anthony Basile gentoo-dev 2020-03-19 01:40:50 UTC
(In reply to sam_c (Security Padawan) from comment #1)
> @maintainer(s), can we apply this patch?
> 
> Also, the upstream site (http://ipsec-tools.sourceforge.net/) says since
> 2014:
> >Important Note
> >The development of ipsec-tools has been ABANDONED.
> >ipsec-tools has security issues, and you should not use it.
> >Please switch to a secure alternative!
> 
> Should we instead drop the package? Thanks.

It saddens me but maybe it is time to drop it. :(
Comment 3 Anthony Basile gentoo-dev 2020-06-17 15:21:12 UTC
(In reply to Anthony Basile from comment #2)
> (In reply to sam_c (Security Padawan) from comment #1)
> > @maintainer(s), can we apply this patch?
> > 
> > Also, the upstream site (http://ipsec-tools.sourceforge.net/) says since
> > 2014:
> > >Important Note
> > >The development of ipsec-tools has been ABANDONED.
> > >ipsec-tools has security issues, and you should not use it.
> > >Please switch to a secure alternative!
> > 
> > Should we instead drop the package? Thanks.
> 
> It saddens me but maybe it is time to drop it. :(

Okay sam_c pointed out 

https://sources.debian.org/patches/ipsec-tools/1:0.8.2+20140711-8+deb9u1/CVE-2016-10396.patch/

which addresses CVE-2016-10396.  I've added it for ipsec-tools-0.8.2-r6.ebuild.  I'm going to cc the arches to stabilize it.
Comment 4 Anthony Basile gentoo-dev 2020-06-17 15:28:37 UTC
@arch teams, please stabilize net-vpn/ipsec-tools-0.8.2-r6.  This is a security fix.

KEYWORDS="amd64 arm ppc ppc64 x86"
Comment 5 Sam James gentoo-dev Security 2020-06-17 15:39:03 UTC
Thanks blueness!
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-06-20 13:49:57 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-21 17:00:00 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-21 17:05:24 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-21 17:10:14 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-06-22 06:58:55 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Anthony Basile gentoo-dev 2020-06-22 12:59:37 UTC
(In reply to Agostino Sarubbo from comment #10)
> amd64 stable.
> 
> Maintainer(s), please cleanup.
> Security, please vote.

I just removed the vulnerable version.
Comment 12 Sam James gentoo-dev Security 2020-07-16 00:33:09 UTC
(In reply to Anthony Basile from comment #11)
> (In reply to Agostino Sarubbo from comment #10)
> > amd64 stable.
> > 
> > Maintainer(s), please cleanup.
> > Security, please vote.
> 
> I just removed the vulnerable version.

Thanks!

GLSA vote: no.

Closing.