Debian Bug report logs -
#960458
libreswan: CVE-2020-1763
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#960458; Package src:libreswan.
(Tue, 12 May 2020 19:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>.
(Tue, 12 May 2020 19:39:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libreswan
Version: 3.29-2
Severity: important
Tags: security upstream
Control: found -1 3.27-6
Hi,
The following vulnerability was published for libreswan.
CVE-2020-1763[0]:
| An out-of-bounds buffer read flaw was found in the pluto daemon of
| libreswan from versions 3.27 till 3.31 where, an unauthenticated
| attacker could use this flaw to crash libreswan by sending specially-
| crafted IKEv1 Informational Exchange packets. The daemon respawns
| after the crash.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-1763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1763
[1] https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions libreswan/3.27-6.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Tue, 12 May 2020 19:39:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#960458; Package src:libreswan.
(Tue, 12 May 2020 21:54:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>.
(Tue, 12 May 2020 21:54:02 GMT) (full text, mbox, link).
Message #12 received at 960458@bugs.debian.org (full text, mbox, reply):
Closes: #960458
---
.../0006-security-Fix-for-CVE-2020-1763.patch | 28 +++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 29 insertions(+)
create mode 100644 debian/patches/0006-security-Fix-for-CVE-2020-1763.patch
diff --git a/debian/patches/0006-security-Fix-for-CVE-2020-1763.patch b/debian/patches/0006-security-Fix-for-CVE-2020-1763.patch
new file mode 100644
index 000000000000..b689161b4500
--- /dev/null
+++ b/debian/patches/0006-security-Fix-for-CVE-2020-1763.patch
@@ -0,0 +1,28 @@
+From: "D. Hugh Redelmeier" <hugh@mimosa.com>
+Date: Thu, 19 Mar 2020 14:21:06 -0400
+Subject: security: Fix for CVE-2020-1763
+Origin: https://github.com/libreswan/libreswan/commit/471a3e41a449d7c753bc4edbba4239501bb62ba8
+Bug-Debian: https://bugs.debian.org/960458
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-1763
+
+pluto will crash on a null pointer dereference when trying to log an error
+for an IKEv1 packet containing bogus information and/or flags.
+
+Signed-off-by: Paul Wouters <pwouters@redhat.com>
+[Salvatore Bonaccorso: Backport to 3.29 based on
+https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt advisory]
+---
+ programs/pluto/ikev1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -2160,7 +2160,7 @@ void process_packet_tail(struct msg_dige
+ "%smessage ignored because it contains a payload type (%s) unexpected by state %s",
+ excuse,
+ enum_show(&ikev1_payload_names, np),
+- st->st_state_name);
++ (st == NULL) ? "<no state>" : st->st_state_name);
+ if (!md->encrypted) {
+ SEND_NOTIFICATION(INVALID_PAYLOAD_TYPE);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 223f63a60df1..34c732b58e44 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
0003-update-README.nss-to-match-debian-defaults-for-IPSEC.patch
0004-move-to-python3-scripts-are-compatible.patch
0005-minor-Fix-spelling-and-grammar.patch
+0006-security-Fix-for-CVE-2020-1763.patch
--
2.20.1
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 12 May 2020 21:54:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#960458; Package src:libreswan.
(Tue, 12 May 2020 22:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>.
(Tue, 12 May 2020 22:03:02 GMT) (full text, mbox, link).
Message #19 received at 960458@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi!
Attached as well the debdiff as prepared for buster-security.
Regards,
Salvatore
[libreswan_3.27-6+deb10u1.debdiff (text/plain, attachment)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed May 13 10:20:17 2020;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon