Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 509832 (CVE-2014-2891) - <net-misc/strongswan-5.1.3: "ID_DER_ASN1_DN" ID Payload Parsing Denial of Service Vulnerability (CVE-2014-2891)
Summary: <net-misc/strongswan-5.1.3: "ID_DER_ASN1_DN" ID Payload Parsing Denial of Ser...
Alias: CVE-2014-2891
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: CVE-2014-2338
  Show dependency tree
Reported: 2014-05-08 07:36 UTC by Agostino Sarubbo
Modified: 2014-12-13 19:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-05-08 07:36:12 UTC
From ${URL} :


A vulnerability has been reported in strongSwan, which can be exploited by malicious people to cause a DoS 
(Denial of Service).

The vulnerability is caused due to an error within the "asn1_unwrap()" function 
(src/libstrongswan/asn1/asn1.c) when parsing "ID_DER_ASN1_DN" ID payload and can be exploited to cause a 
crash via a specially crafted request.

The vulnerability is reported in versions 4.3.3 and later.

Apply patches.

Further details available to Secunia VIM customers

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2014-05-08 07:59:14 UTC
The 5.1.3 version is already in the tree, and only the PPC arch is missing from stable.

So if just PPC could stabilize it, we can remove the 5.1.1 version completely, and be done.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-05-09 23:06:09 UTC
Versions since 4.3.3 and before 5.1.2 are affected.

5.1.3 is being stabilized as part of Bug 507722.
Setting as blocker.
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2014-05-10 15:23:04 UTC
Old version has been removed, so now only the fixed version is in the tree.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-10-14 21:22:33 UTC
CVE-2014-2891 (
  strongSwan before 5.1.2 allows remote attackers to cause a denial of service
  (NULL pointer dereference and IKE daemon crash) via a crafted ID_DER_ASN1_DN
  ID payload.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-10-15 01:18:05 UTC
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:21:02 UTC
This issue was resolved and addressed in
 GLSA 201412-26 at
by GLSA coordinator Sean Amoss (ackle).