CVE-2009-2661: incomplete fix for CVE-2009-2185

Related Vulnerabilities: CVE-2009-2661   CVE-2009-2185  

Debian Bug report logs - #540144
CVE-2009-2661: incomplete fix for CVE-2009-2185


Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Thu, 6 Aug 2009 07:03:01 UTC

Severity: serious

Tags: patch, security

Fixed in version strongswan/4.3.2-1.1

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rene Mayrhofer <rmayr@debian.org>:
Bug#540144; Package strongswan. (Thu, 06 Aug 2009 07:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rene Mayrhofer <rmayr@debian.org>. (Thu, 06 Aug 2009 07:03:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2661: incomplete fix for CVE-2009-2185
Date: Thu, 06 Aug 2009 08:59:28 +0200
Package: strongswan
Severity: serious
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for strongswan.

CVE-2009-2661[0]:
| The asn1_length function in strongSwan 2.8 before 2.8.11, 4.2 before
| 4.2.17, and 4.3 before 4.3.3 does not properly handle X.509
| certificates with crafted Relative Distinguished Names (RDNs), which
| allows remote attackers to cause a denial of service (pluto IKE daemon
| crash) via malformed ASN.1 data.  NOTE: this is due to an incomplete
| fix for CVE-2009-2185.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2661
    http://security-tracker.debian.net/tracker/CVE-2009-2661
    Patch: http://download.strongswan.org/patches/07_asn1_length_patch/

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkp6f00ACgkQNxpp46476aqs8gCeJOTbmBQVtDZI7WJ5f/xy7tNk
F4oAni7A4FaHHaq/5CHSZfhZkdo9r2Jm
=mQTb
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rmayr@debian.org>:
Bug#540144; Package strongswan. (Wed, 09 Sep 2009 02:33:07 GMT) (full text, mbox, link).


Message #8 received at 540144@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 540144@bugs.debian.org
Subject: strongswan: diff for NMU version 4.3.2-1.1
Date: Tue, 8 Sep 2009 21:22:26 -0500
Dear maintainer,

I've prepared an NMU for strongswan (versioned as 4.3.2-1.1). The diff
is attached to this message.

Regards.
diff -u strongswan-4.3.2/debian/changelog strongswan-4.3.2/debian/changelog
--- strongswan-4.3.2/debian/changelog
+++ strongswan-4.3.2/debian/changelog
@@ -1,3 +1,13 @@
+strongswan (4.3.2-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix incomplete fix for CVE-2009-2185 leading to a denial of service
+    via malformed ASN.1 data (CVE-2009-2661; Closes: #540144).
+  * Use dh_prep instead of dh_clean in install target
+    + Fixes bug where the arch: all package is not included in .changes
+
+ -- Raphael Geissert <geissert@debian.org>  Tue, 08 Sep 2009 18:37:35 -0500
+
 strongswan (4.3.2-1) unstable; urgency=HIGH
 
   Urgency high because of security issue and FTBFS.
diff -u strongswan-4.3.2/debian/rules strongswan-4.3.2/debian/rules
--- strongswan-4.3.2/debian/rules
+++ strongswan-4.3.2/debian/rules
@@ -85,7 +85,7 @@
 install: build-stamp
 	dh_testdir
 	dh_testroot
-	dh_clean
+	dh_prep
 	dh_installdirs
 	$(MAKE) install DESTDIR=$(CURDIR)/debian/tmp
 
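Review bot: switching `dh_clean` to `dh_prep` in the `install` target is the right fix for the missing arch: all package (a `dh_clean` run outside the `clean` target also deletes `debian/files`, which `dpkg-genchanges` reads to list the built packages), but `dh_prep` only exists from debhelper 7 and this diff does not touch `debian/control`; please confirm Build-Depends already requires `debhelper (>= 7)` so the package still builds on the buildds.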
only in patch4:
unchanged:
--- strongswan-4.3.2.orig/src/libstrongswan/asn1/asn1.c
+++ strongswan-4.3.2/src/libstrongswan/asn1/asn1.c
@@ -260,25 +260,32 @@
 	u_char n;
 	size_t len;
 	
-	/* advance from tag field on to length field */
-	blob->ptr++;
-	blob->len--;
-	
-	/* read first octet of length field */
-	n = *blob->ptr++;
-	blob->len--;
+	if (blob->len < 2)
+	{
+		DBG2("insufficient number of octets to parse ASN.1 length");
+		return ASN1_INVALID_LENGTH;
+	}
+	
+	/* read length field, skip tag and length */
+	n = blob->ptr[1];
+	*blob = chunk_skip(*blob, 2);
 	
 	if ((n & 0x80) == 0) 
-	{/* single length octet */
+	{	/* single length octet */
+		if (n > blob->len)
+		{
+			DBG2("length is larger than remaining blob size");
+			return ASN1_INVALID_LENGTH;
+		}
 		return n;
 	}
 	
 	/* composite length, determine number of length octets */
 	n &= 0x7f;
 	
-	if (n > blob->len)
+	if (n == 0 || n > blob->len)
 	{
-		DBG2("number of length octets is larger than ASN.1 object");
+		DBG2("number of length octets invalid");
 		return ASN1_INVALID_LENGTH;
 	}
 	
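Review bot: the three new guards (`blob->len < 2` before touching the tag and length octets, `n > blob->len` in the short-form branch, and `n == 0` for the long-form octet count) close the over-reads that left the CVE-2009-2185 fix incomplete, but the hunk ends before the long-form length is assembled from the `n` length octets; please confirm the code following this hunk also checks that the assembled length does not exceed `blob->len`, so the long-form path gets the same bound the short-form path now has. Minor: the `n == 0` case is the indefinite-length form, which the new message "number of length octets invalid" covers without naming; a one-line comment saying so would help the next reader.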


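To make the failure mode in the CVE text and the checks in the patch above concrete, here is a stand-alone DER length decoder that applies the same bounds the patch adds, plus the check on the assembled long-form length that falls outside the quoted hunk. This is an added example, not strongSwan's code and not part of the bug report: `asn1_length_checked`, `decode_length_bytes` and `demo_long_form` are names chosen here, `chunk_t` is a local stand-in for strongSwan's chunk type, the value of `ASN1_INVALID_LENGTH` is assumed, and every input byte string is constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error sentinel; strongSwan has its own ASN1_INVALID_LENGTH constant,
 * the value used here is an assumption for this stand-alone example. */
#define ASN1_INVALID_LENGTH ((size_t)-1)

/* Minimal stand-in for strongSwan's chunk_t (pointer + remaining length). */
typedef struct {
    const uint8_t *ptr;
    size_t len;
} chunk_t;

/*
 * Decode the DER length of the TLV whose tag is at blob->ptr[0].
 * On success, *blob is advanced past the tag and length octets and the
 * returned content length is guaranteed not to exceed blob->len.
 * Any truncated or malformed encoding yields ASN1_INVALID_LENGTH, and
 * the caller must stop parsing rather than trust the length.
 */
size_t asn1_length_checked(chunk_t *blob)
{
    /* need at least the tag octet and the first length octet */
    if (blob->len < 2) {
        return ASN1_INVALID_LENGTH;
    }
    uint8_t n = blob->ptr[1];
    blob->ptr += 2;
    blob->len -= 2;

    if ((n & 0x80) == 0) {
        /* short form: n is the content length itself */
        if (n > blob->len) {
            return ASN1_INVALID_LENGTH;
        }
        return n;
    }

    /* long form: the low 7 bits give the number of length octets */
    n &= 0x7f;
    if (n == 0 || n > sizeof(size_t) || n > blob->len) {
        /* 0x80 is the indefinite form (not valid DER); more length octets
         * than size_t can hold, or than remain in the blob, are rejected */
        return ASN1_INVALID_LENGTH;
    }
    size_t len = 0;
    for (uint8_t i = 0; i < n; i++) {
        len = (len << 8) | blob->ptr[i];
    }
    blob->ptr += n;
    blob->len -= n;

    /* the assembled length must also fit in the remaining octets */
    if (len > blob->len) {
        return ASN1_INVALID_LENGTH;
    }
    return len;
}

/* Convenience wrapper for callers holding a plain byte buffer. */
size_t decode_length_bytes(const uint8_t *buf, size_t buflen)
{
    chunk_t blob = { buf, buflen };
    return asn1_length_checked(&blob);
}

/* Constructed samples (not taken from any real certificate). */
static const uint8_t sample_short_ok[]   = { 0x30, 0x03, 0x02, 0x01, 0x05 }; /* SEQUENCE of 3 bytes */
static const uint8_t sample_short_over[] = { 0x30, 0x05, 0x02, 0x01, 0x05 }; /* claims 5, only 3 follow */
static const uint8_t sample_truncated[]  = { 0x30 };                         /* tag only, no length octet */
static const uint8_t sample_indefinite[] = { 0x30, 0x80, 0x00, 0x00 };       /* indefinite form */
static const uint8_t sample_count_over[] = { 0x30, 0x84 };                   /* 4 length octets, none present */

/* Build a two-octet long-form header claiming content_len bytes (<= 256),
 * with or without the content actually present, and decode it. */
size_t demo_long_form(size_t content_len, int include_content)
{
    uint8_t buf[4 + 256] = { 0x30, 0x82, (uint8_t)(content_len >> 8), (uint8_t)content_len };
    size_t total = include_content ? 4 + content_len : 4;
    return decode_length_bytes(buf, total);
}

int main(void)
{
    printf("short form, fits:            %zu\n", decode_length_bytes(sample_short_ok, sizeof sample_short_ok));
    printf("short form, overruns blob:   %s\n",
           decode_length_bytes(sample_short_over, sizeof sample_short_over) == ASN1_INVALID_LENGTH ? "rejected" : "accepted");
    printf("long form, content present:  %zu\n", demo_long_form(256, 1));
    printf("long form, content missing:  %s\n",
           demo_long_form(256, 0) == ASN1_INVALID_LENGTH ? "rejected" : "accepted");
    return 0;
}
```

The decoder is written so that a caller who only checks for `ASN1_INVALID_LENGTH` can then index `len` bytes of `blob->ptr` safely; every path that returns a length has already compared it against `blob->len`, which is the property the original code lacked for crafted RDNs.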


Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Wed, 09 Sep 2009 02:36:05 GMT) (full text, mbox, link).


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Wed, 09 Sep 2009 02:36:05 GMT) (full text, mbox, link).


Message #13 received at 540144-close@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 540144-close@bugs.debian.org
Subject: Bug#540144: fixed in strongswan 4.3.2-1.1
Date: Wed, 09 Sep 2009 01:55:28 +0000
Source: strongswan
Source-Version: 4.3.2-1.1

We believe that the bug you reported is fixed in the latest version of
strongswan, which is due to be installed in the Debian FTP archive:

libstrongswan_4.3.2-1.1_i386.deb
  to pool/main/s/strongswan/libstrongswan_4.3.2-1.1_i386.deb
strongswan-ikev1_4.3.2-1.1_i386.deb
  to pool/main/s/strongswan/strongswan-ikev1_4.3.2-1.1_i386.deb
strongswan-ikev2_4.3.2-1.1_i386.deb
  to pool/main/s/strongswan/strongswan-ikev2_4.3.2-1.1_i386.deb
strongswan-nm_4.3.2-1.1_i386.deb
  to pool/main/s/strongswan/strongswan-nm_4.3.2-1.1_i386.deb
strongswan-starter_4.3.2-1.1_i386.deb
  to pool/main/s/strongswan/strongswan-starter_4.3.2-1.1_i386.deb
strongswan_4.3.2-1.1.diff.gz
  to pool/main/s/strongswan/strongswan_4.3.2-1.1.diff.gz
strongswan_4.3.2-1.1.dsc
  to pool/main/s/strongswan/strongswan_4.3.2-1.1.dsc
strongswan_4.3.2-1.1_all.deb
  to pool/main/s/strongswan/strongswan_4.3.2-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 540144@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated strongswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 08 Sep 2009 18:37:35 -0500
Source: strongswan
Binary: strongswan libstrongswan strongswan-starter strongswan-ikev1 strongswan-ikev2 strongswan-nm
Architecture: source all i386
Version: 4.3.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 libstrongswan - strongSwan utility and crypto library
 strongswan - IPsec VPN solution metapackage
 strongswan-ikev1 - strongSwan Internet Key Exchange (v1) daemon
 strongswan-ikev2 - strongSwan Internet Key Exchange (v2) daemon
 strongswan-nm - strongSwan plugin to interact with NetworkManager
 strongswan-starter - strongSwan daemon starter and configuration file parser
Closes: 540144
Changes: 
 strongswan (4.3.2-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix incomplete fix for CVE-2009-2185 leading to a denial of service
     via malformed ASN.1 data (CVE-2009-2661; Closes: #540144).
   * Use dh_prep instead of dh_clean in install target
     + Fixes bug where the arch: all package is not included in .changes
Checksums-Sha1: 
 2b3c6859cb577b23894c646fba59fe0677e8ca8a 1495 strongswan_4.3.2-1.1.dsc
 a8a2aabbf36845d7c79c1247cdb4b3a04affcca5 76936 strongswan_4.3.2-1.1.diff.gz
 db36d2d1d24749e55d2c52b0ac71b5a8e84b1f8a 70072 strongswan_4.3.2-1.1_all.deb
 1cfee186b2a4680c1ec92655811414aacde13b41 173936 libstrongswan_4.3.2-1.1_i386.deb
 38b2a2a18569446ace2598d5557092b43d6efa86 264686 strongswan-starter_4.3.2-1.1_i386.deb
 a17401b1e09fd1345140819a9d067604dc421f3e 330364 strongswan-ikev1_4.3.2-1.1_i386.deb
 0c99ea0e1839268ebf04d13665c6cac286373a8c 226274 strongswan-ikev2_4.3.2-1.1_i386.deb
 309c54c522346662915aea87603d1b3c6bcfc827 44008 strongswan-nm_4.3.2-1.1_i386.deb
Checksums-Sha256: 
 58a1330d7ee81fd21c085fc2c299891aebb0e98335e47230586e29f34d9eb22f 1495 strongswan_4.3.2-1.1.dsc
 4964670e212409ad6d53bddc78efa9689d1ed88ade42a80d389b77d13044ff67 76936 strongswan_4.3.2-1.1.diff.gz
 6de4f82ea36cc7e5e522abbbf5731a05b240c39463e12ce4f463d0412f38f4a2 70072 strongswan_4.3.2-1.1_all.deb
 236ceb853d4bab984667c763e5546d0a84f384004f7fa4ce5f491af7d258484f 173936 libstrongswan_4.3.2-1.1_i386.deb
 b3ba75bfba39a33d261c70b94030ccd7d07c0d5589980041d61a203b77e9b2c2 264686 strongswan-starter_4.3.2-1.1_i386.deb
 b85ec11b7a4844591fed559f595534f3ea96dc8f9cc6b3e43cc02422eea43939 330364 strongswan-ikev1_4.3.2-1.1_i386.deb
 6aaa1528761162c3504719b03d038e871bee8945e3410e6d40c5039b1b081ed4 226274 strongswan-ikev2_4.3.2-1.1_i386.deb
 68f92099374b3ba963b477f530cda23110dade1c97e8c68ff8a1abab323452cc 44008 strongswan-nm_4.3.2-1.1_i386.deb
Files: 
 daf00497ebd545a050e9da66ffaff928 1495 net optional strongswan_4.3.2-1.1.dsc
 3470f28145607104795de9eb56e327cf 76936 net optional strongswan_4.3.2-1.1.diff.gz
 9af957943f4968cacce69ca469f2a194 70072 net optional strongswan_4.3.2-1.1_all.deb
 7ce68bb6f84f6b8018677b69b71a1ad5 173936 net optional libstrongswan_4.3.2-1.1_i386.deb
 1335fb1fb076161c28c24a963da01321 264686 net optional strongswan-starter_4.3.2-1.1_i386.deb
 1413ebbdb9655b5f4778935b05107b06 330364 net optional strongswan-ikev1_4.3.2-1.1_i386.deb
 82b98ed14fad105a62e61bc1884afddf 226274 net optional strongswan-ikev2_4.3.2-1.1_i386.deb
 c6b5b5e224a424f9dafc5e5b44a5b184 44008 net optional strongswan-nm_4.3.2-1.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqnCgsACgkQYy49rUbZzlrIVgCfaarUVsW16/5mdYbL6pyVdMWO
yB8AniZydc/p4gjVR1hUckqdQA+tfnQz
=CKdM
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 07 Oct 2009 07:39:05 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:33:58 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.