libreswan: remote crash, CVE-2023-23009

Related Vulnerabilities: CVE-2023-23009  

Debian Bug report logs - #1031821
libreswan: remote crash, CVE-2023-23009


Reported by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Thu, 23 Feb 2023 13:45:01 UTC

Severity: normal

Tags: fixed-upstream, patch, security

Found in versions libreswan/4.3-1, libreswan/4.7-1, libreswan/4.3-1+deb11u1, libreswan/4.9-1

Fixed in version libreswan/4.9-2

Forwarded to https://github.com/libreswan/libreswan/issues/954



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, unknown-package@qa.debian.org:
Bug#1031821; Package libreswan 4.9-1. (Thu, 23 Feb 2023 13:45:07 GMT) (full text, mbox, link).


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, unknown-package@qa.debian.org. (Thu, 23 Feb 2023 13:45:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: submit@bugs.debian.org
Subject: libreswan: remote crash, CVE-2023-23009
Date: Wed, 22 Feb 2023 19:54:47 -0500
[Message part 1 (text/plain, inline)]
Package: libreswan 4.9-1
Control: found -1 4.3-1+deb11u1
Control: found -1 4.7-1
Control: fixed -1 4.9-2
Control: forwarded -1 https://github.com/libreswan/libreswan/issues/954
Control: tags -1 + security patch fixed-upstream

There is a remotely-triggerable crash in libreswan, known as
CVE-2023-23009, based on a null pointer dereference.  It is apparently
present in the versions of libreswan in bullseye, testing, and unstable
at least.

On the linked GitHub issue, upstream says that the attached patch fixes
the problem (though I do not have a reproducer to verify).

I've applied the patch in unstable already.

I'll prepare an upload for bullseye if the security team is OK with
that.  Please confirm!

Thanks,

        --dkg

[0004-Fix-CVE-2023-23009.patch (text/x-diff, inline)]
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 22 Feb 2023 14:57:02 -0500
Subject: Fix CVE-2023-23009

See https://github.com/libreswan/libreswan/issues/954
---
 programs/pluto/ikev2_ts.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
index fba776a..c8ce761 100644
--- a/programs/pluto/ikev2_ts.c
+++ b/programs/pluto/ikev2_ts.c
@@ -421,6 +421,11 @@ static bool v2_parse_ts(struct payload_digest *const ts_pd,
 		d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
 			  &ts_h, sizeof(ts_h), &ts_body_pbs);
 
+		if (d != NULL) {
+			llog_diag(RC_LOG, logger, &d, "%s", "");
+			return false;
+		}
+
 		switch (ts_h.isath_type) {
 		case IKEv2_TS_IPV4_ADDR_RANGE:
 		case IKEv2_TS_IPV6_ADDR_RANGE:
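
Review bot: the llog_diag() call in the added block passes "%s", "" as its message, so the log entry for a rejected payload carries only what is in d, with no text saying it came from reading the traffic selector header in v2_parse_ts(); a short literal prefix naming the TS header would make the rejection identifiable in the logs. The placement itself is right: the check sits between pbs_in_struct() and switch (ts_h.isath_type), so ts_h and ts_body_pbs are no longer used after a failed read. The patch description only links the upstream issue; one sentence stating that d was previously unchecked at this point would let the change be reviewed without following the link. It is also worth confirming that the early return false does not skip cleanup for anything set up earlier in the function, since the hunk does not show the lines before the call.
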
[signature.asc (application/pgp-signature, inline)]

Marked as found in versions libreswan/4.3-1+deb11u1. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to submit@bugs.debian.org. (Thu, 23 Feb 2023 13:45:07 GMT) (full text, mbox, link).


Marked as found in versions libreswan/4.7-1. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to submit@bugs.debian.org. (Thu, 23 Feb 2023 13:45:08 GMT) (full text, mbox, link).


Marked as fixed in versions libreswan/4.9-2. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to submit@bugs.debian.org. (Thu, 23 Feb 2023 13:45:08 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://github.com/libreswan/libreswan/issues/954'. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to submit@bugs.debian.org. (Thu, 23 Feb 2023 13:45:09 GMT) (full text, mbox, link).


Added tag(s) security, patch, and fixed-upstream. Request was from Daniel Kahn Gillmor <dkg@fifthhorseman.net> to submit@bugs.debian.org. (Thu, 23 Feb 2023 13:45:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, unknown-package@qa.debian.org:
Bug#1031821; Package libreswan 4.9-1. (Thu, 23 Feb 2023 14:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>, unknown-package@qa.debian.org. (Thu, 23 Feb 2023 14:06:03 GMT) (full text, mbox, link).


Message #20 received at 1031821@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 1031821@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1031821: libreswan: remote crash, CVE-2023-23009
Date: Thu, 23 Feb 2023 15:03:21 +0100
Hi Daniel,

[CC added for team@s.d.o]

On Wed, Feb 22, 2023 at 07:54:47PM -0500, Daniel Kahn Gillmor wrote:
> Package: libreswan 4.9-1
> Control: found -1 4.3-1+deb11u1
> Control: found -1 4.7-1
> Control: fixed -1 4.9-2
> Control: forwarded -1 https://github.com/libreswan/libreswan/issues/954
> Control: tags -1 + security patch fixed-upstream
> 
> There is a remotely-triggerable crash in libreswan, known as
> CVE-2023-23009, based on a null pointer dereference.  It is apparently
> present in the versions of libreswan in bullseye, testing, and unstable
> at least.
> 
> On the linked GitHub issue, upstream says that the attached patch fixes
> the problem (though I do not have a reproducer to verify).
> 
> I've applied the patch in unstable already.
> 
> I'll prepare an upload for bullseye if the security team is OK with
> that.  Please confirm!

Can you confirm the following point: Is my understanding from the
upstream issue discussion correct, that this requires an authenticated
peer, and that for an authenticated peer it leads to at most
self-DoS'ing his own connection?

Regards,
Salvatore



Marked as found in versions libreswan/4.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Feb 2023 17:21:02 GMT) (full text, mbox, link).


Bug reassigned from package 'libreswan 4.9-1' to 'src:libreswan'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Feb 2023 17:21:04 GMT) (full text, mbox, link).


No longer marked as found in versions libreswan/4.9-1, libreswan/4.3-1+deb11u1, and libreswan/4.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Feb 2023 17:21:04 GMT) (full text, mbox, link).


No longer marked as fixed in versions libreswan/4.9-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Feb 2023 17:21:05 GMT) (full text, mbox, link).


Marked as found in versions libreswan/4.9-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Feb 2023 17:21:05 GMT) (full text, mbox, link).


Marked as found in versions libreswan/4.3-1+deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Feb 2023 17:21:06 GMT) (full text, mbox, link).


Marked as found in versions libreswan/4.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Feb 2023 17:21:06 GMT) (full text, mbox, link).


Marked as found in versions libreswan/4.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Feb 2023 17:21:07 GMT) (full text, mbox, link).


Marked as fixed in versions libreswan/4.9-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 23 Feb 2023 17:21:07 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Feb 24 13:07:24 2023; Machine Name: buxtehude
