libreswan: CVE-2019-12312

Related Vulnerabilities: CVE-2019-12312, CVE-2019-10155

Debian Bug report logs - #929916
libreswan: CVE-2019-12312

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 3 Jun 2019 04:30:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libreswan/3.27-4

Fixed in versions libreswan/3.28-1, libreswan/3.27-5, libreswan/3.29-1

Done: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Forwarded to https://github.com/libreswan/libreswan/issues/246



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#929916; Package src:libreswan. (Mon, 03 Jun 2019 04:30:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Mon, 03 Jun 2019 04:30:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libreswan: CVE-2019-12312
Date: Mon, 03 Jun 2019 06:26:28 +0200
Source: libreswan
Version: 3.27-4
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole
Forwarded: https://github.com/libreswan/libreswan/issues/246
Control: fixed -1 3.28-1

Hi,

The following vulnerability was published for libreswan.

CVE-2019-12312[0]:
| In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
| daemon restart. An attacker can trigger a NULL pointer dereference by
| sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
| to a Libreswan server. This affects send_v2N_spi_response_from_state
| in programs/pluto/ikev2_send.c when built with Network Security
| Services (NSS).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12312
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12312
[1] https://github.com/libreswan/libreswan/issues/246
[2] https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8

Regards,
Salvatore



Marked as fixed in versions libreswan/3.28-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 03 Jun 2019 04:30:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#929916; Package src:libreswan. (Mon, 03 Jun 2019 16:27:02 GMT).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. (Mon, 03 Jun 2019 16:27:03 GMT).


Message #12 received at 929916@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Salvatore Bonaccorso <carnil@debian.org>, 929916@bugs.debian.org
Subject: Re: Bug#929916: libreswan: CVE-2019-12312
Date: Mon, 03 Jun 2019 12:24:08 -0400
On Mon 2019-06-03 06:26:28 +0200, Salvatore Bonaccorso wrote:
> Source: libreswan
> Version: 3.27-4
> Severity: grave
> Tags: patch security upstream fixed-upstream
> Justification: user security hole
> Forwarded: https://github.com/libreswan/libreswan/issues/246
> Control: fixed -1 3.28-1
>
> The following vulnerability was published for libreswan.
>
> CVE-2019-12312[0]:
> | In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
> | daemon restart. An attacker can trigger a NULL pointer dereference by
> | sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
> | to a Libreswan server. This affects send_v2N_spi_response_from_state
> | in programs/pluto/ikev2_send.c when built with Network Security
> | Services (NSS).

thanks for this heads-up, Salvatore.

I'm working with upstream libreswan at patching this now, publishing my
work on the debian/master branch in salsa.

out of curiosity, how was this CVE applied for, and how was it
coordinated?  When I pointed it out to libreswan upstream on the
freenode IRC #swan, it sounded like they had never heard of it.

thanks for all you do for debian security!

    --dkg

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Bug#929916; Package src:libreswan. (Mon, 03 Jun 2019 18:57:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>. (Mon, 03 Jun 2019 18:57:05 GMT).


Message #17 received at 929916@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 929916@bugs.debian.org
Subject: Re: Bug#929916: libreswan: CVE-2019-12312
Date: Mon, 3 Jun 2019 20:54:09 +0200
Hi Daniel!

On Mon, Jun 03, 2019 at 12:24:08PM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2019-06-03 06:26:28 +0200, Salvatore Bonaccorso wrote:
> > Source: libreswan
> > Version: 3.27-4
> > Severity: grave
> > Tags: patch security upstream fixed-upstream
> > Justification: user security hole
> > Forwarded: https://github.com/libreswan/libreswan/issues/246
> > Control: fixed -1 3.28-1
> >
> > The following vulnerability was published for libreswan.
> >
> > CVE-2019-12312[0]:
> > | In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
> > | daemon restart. An attacker can trigger a NULL pointer dereference by
> > | sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
> > | to a Libreswan server. This affects send_v2N_spi_response_from_state
> > | in programs/pluto/ikev2_send.c when built with Network Security
> > | Services (NSS).
> 
> thanks for this heads-up, Salvatore.
> 
> I'm working with upstream libreswan at patching this now, publishing my
> work on the debian/master branch in salsa.

The upstream issue lists
https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8
as the fixing commit, fwiw.

> out of curiosity, how was this CVE applied for, and how was it
> coordinated?  When I pointed it out to libreswan upstream on the
> freenode IRC #swan, it sounded like they had never heard of it.

I do not know. The CVE appeared for us on the radar via the MITRE feed
update. Could be that the reporter of the upstream issue did request a
CVE on its own. If you ask MITRE, though, they would not disclose who
requested a specific CVE, so we might not know in the end. I suspect
it was not coordinated at all with upstream.

> thanks for all you do for debian security!

likewise for all your contributions within Debian!

Regards,
Salvatore



Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Mon, 03 Jun 2019 23:51:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Jun 2019 23:51:03 GMT).


Message #22 received at 929916-close@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 929916-close@bugs.debian.org
Subject: Bug#929916: fixed in libreswan 3.27-5
Date: Mon, 03 Jun 2019 23:49:09 +0000
Source: libreswan
Source-Version: 3.27-5

We believe that the bug you reported is fixed in the latest version of
libreswan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929916@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated libreswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 03 Jun 2019 19:36:16 -0400
Source: libreswan
Architecture: source
Version: 3.27-5
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Closes: 929916
Changes:
 libreswan (3.27-5) unstable; urgency=medium
 .
   * fix CVE-2019-12312 (Closes: #929916)
   * bump Standards-Version to 4.3.0 (no changes needed)




Reply sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
You have taken responsibility. (Tue, 11 Jun 2019 06:51:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 11 Jun 2019 06:51:09 GMT).


Message #27 received at 929916-close@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: 929916-close@bugs.debian.org
Subject: Bug#929916: fixed in libreswan 3.29-1
Date: Tue, 11 Jun 2019 06:49:02 +0000
Source: libreswan
Source-Version: 3.29-1

We believe that the bug you reported is fixed in the latest version of
libreswan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929916@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <dkg@fifthhorseman.net> (supplier of updated libreswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 11 Jun 2019 07:24:44 +0100
Source: libreswan
Architecture: source
Version: 3.29-1
Distribution: experimental
Urgency: medium
Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Changed-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Closes: 929916 930338
Changes:
 libreswan (3.29-1) experimental; urgency=medium
 .
   * New upstream release
    - fixes CVE 2019-10155 and CVE-2019-12312
     (Closes: #930338, #929916)
   * refresh patches
   * d/watch: avoid development releases





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:00:54 2019; Machine Name: buxtehude
