Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 897916 (CVE-2023-23009) - <net-vpn/libreswan-4.10: denial of service
Summary: <net-vpn/libreswan-4.10: denial of service
Status: CONFIRMED
Alias: CVE-2023-23009
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/libreswan/libreswa...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: CVE-2023-30570 908647
Blocks:
  Show dependency tree
 
Reported: 2023-02-26 17:34 UTC by John Helmert III
Modified: 2023-07-13 03:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-02-26 17:34:18 UTC 
CVE-2023-23009:

Libreswan 4.9 allows remote attackers to cause a denial of service (assert failure and daemon restart) via crafted TS payload with an incorrect selector length.

Looks like this unreleased patch is the fix?

https://github.com/libreswan/libreswan/commit/7ceef9a79cb14ea1f53bbab7681523994b0ca25e
Comment 1 Larry the Git Cow gentoo-dev 2023-03-05 08:42:03 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d334e6df98206ec75361deadca1e72542711fc3a

commit d334e6df98206ec75361deadca1e72542711fc3a
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-03-05 07:58:04 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-03-05 08:41:58 +0000

    net-vpn/libreswan: add 4.10
    
    Bug: https://bugs.gentoo.org/897916
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 net-vpn/libreswan/Manifest              |   1 +
 net-vpn/libreswan/libreswan-4.10.ebuild | 126 ++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-11 04:32:54 UTC 
graaff, does 4.10 fix this vulnerability?
Comment 3 Hans de Graaff gentoo-dev Security 2023-05-06 06:15:54 UTC 
v4.10 (February 28, 2023)
* SECURITY IKEv2: Fixes https://libreswan.org/security/CVE-2023-23009
* IKEv1: only clean up a connection when it isn't deleted [Andrew]
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-08 04:40:02 UTC 
Indeed then :)

Please stabilize 4.10 when ready.
Comment 5 Hans de Graaff gentoo-dev Security 2023-07-09 19:16:45 UTC 
libreswan 4.11 is marked stable due to another security issue.