Bug 620256 (CVE-2017-9022, CVE-2017-9023) - <net-vpn/strongswan-5.5.3: multiple vulnerabilities
Summary: <net-vpn/strongswan-5.5.3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-9022, CVE-2017-9023
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-31 14:31 UTC by Agostino Sarubbo
Modified: 2017-07-16 00:19 UTC

See Also:
Package list:
net-vpn/strongswan-5.5.3
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-05-31 14:31:08 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1457121:

It was found that RSA public keys passed to the gmp plugin aren't validated sufficiently before attempting signature verification, so that invalid input might lead to a floating point exception and crash of the process. A certificate with an appropriately prepared public key sent by a peer could be used for a denial-of-service attack.

External References:

https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9022).html



From https://bugzilla.redhat.com/show_bug.cgi?id=1457122:


It was found that ASN.1 CHOICE types are not correctly handled by the ASN.1 parser when parsing X.509 certificates with extensions that use such types. This could lead to infinite looping of the thread parsing a specifically crafted certificate.

External References:

https://www.strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9023).html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
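
Added example, not part of the original report and not strongSwan's patch: a fail-closed RSA verification primitive that validates peer-supplied key parameters before doing any arithmetic, which is the class of check the CVE-2017-9022 description says was insufficient. The report does not say which key values trigger the crash, so the specific checks, `MIN_MODULUS_BITS`, the function names and the toy key are assumptions, and Python is used here instead of the plugin's C so that big integers need no external library.

```python
import hmac

MIN_MODULUS_BITS = 2048  # assumed local policy, not taken from the bug report


class InvalidKey(ValueError):
    """A peer-supplied RSA public key failed validation."""


def validate_rsa_public_key(n: int, e: int, min_bits: int = MIN_MODULUS_BITS) -> None:
    """Generic sanity checks (assumed, not strongSwan's patch) run before any math."""
    if n <= 0:
        # A zero modulus turns modular reduction into a division by zero.
        raise InvalidKey("modulus must be positive")
    if n % 2 == 0:
        raise InvalidKey("modulus must be odd")
    if n.bit_length() < min_bits:
        raise InvalidKey("modulus shorter than policy minimum")
    if e < 3 or e % 2 == 0:
        raise InvalidKey("public exponent must be odd and at least 3")
    if e >= n:
        raise InvalidKey("public exponent must be smaller than the modulus")


def rsa_verify_raw(n: int, e: int, signature: bytes, expected_em: bytes,
                   min_bits: int = MIN_MODULUS_BITS) -> bool:
    """Textbook RSA verification primitive that fails closed on malformed input.

    expected_em is the encoded message the caller computed (padding is out of
    scope here). Any invalid key or out-of-range signature yields False, so a
    hostile certificate ends the handshake instead of the process.
    """
    try:
        validate_rsa_public_key(n, e, min_bits)
    except InvalidKey:
        return False
    s = int.from_bytes(signature, "big")
    if not 0 <= s < n:
        return False
    k = (n.bit_length() + 7) // 8
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, expected_em)


# Constructed toy key (p=61, q=53) for demonstration only; real keys are 2048+ bits.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753
```
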
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2017-06-02 12:24:54 UTC
5.5.2 has been added to the tree, and 5.5.1 has been removed.
Please stabilize, so we can remove the last old version.
Comment 2 Andreas Steinmetz 2017-06-02 15:00:43 UTC
Please note that according to:
https://strongswan.org/blog/2017/05/30/strongswan-vulnerability-(cve-2017-9022).html
5.5.2 is still a vulnerable version; 5.5.3 is actually required.
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2017-06-02 15:38:26 UTC
Indeed - I have changed it to 5.5.3 instead :)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-06-03 06:28:37 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 5 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2017-06-04 06:58:34 UTC
Yes, please stabilize
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-17 17:26:36 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-18 14:02:33 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-06-21 12:01:36 UTC
ppc stable
Comment 9 Markus Meier gentoo-dev 2017-06-23 04:39:06 UTC
arm stable, all arches done.
Comment 10 Thomas Deutschmann gentoo-dev Security 2017-06-28 12:37:46 UTC
GLSA Vote: No

@ Maintainer(s): Please clean up and drop =net-vpn/strongswan-5.3.4!