[openswan/f14] Fixes for cve-2011-4073
avesh agarwal
avesh at fedoraproject.org
Sat Oct 29 00:41:40 UTC 2011
commit 247629f1d4705d57afda950edf07a50fc4881953
Author: Avesh Agarwal <avagarwa at redhat.com>
Date: Fri Oct 28 20:41:34 2011 -0400
Fixes for cve-2011-4073
openswan-2.6-relpath.patch | 12 ++--
openswan-cve-2011-3380.patch | 4 +-
openswan-cve-2011-4073.patch | 101 +++++++++++++++++++++++++++++++
openswan-ipsec-help-524146-509318.patch | 6 +-
openswan.spec | 7 ++-
5 files changed, 118 insertions(+), 12 deletions(-)
---
diff --git a/openswan-2.6-relpath.patch b/openswan-2.6-relpath.patch
index 7d98edc..8658ca6 100644
--- a/openswan-2.6-relpath.patch
+++ b/openswan-2.6-relpath.patch
@@ -1,6 +1,6 @@
-diff -urNp openswan-2.6.32-orig/Makefile.inc openswan-2.6.32-cvs-patched/Makefile.inc
---- openswan-2.6.32-orig/Makefile.inc 2010-12-20 12:44:19.113079987 -0500
-+++ openswan-2.6.32-cvs-patched/Makefile.inc 2010-12-20 12:51:03.383330043 -0500
+diff -urNp openswan-2.6.33-patched/Makefile.inc openswan-2.6.33-current/Makefile.inc
+--- openswan-2.6.33-patched/Makefile.inc 2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/Makefile.inc 2011-10-28 20:29:38.377473469 -0400
@@ -123,6 +123,8 @@ FINALRCDIR?=$(shell for d in $(INC_RCDIR
do if test -d $(DESTDIR)/$$d ; \
then echo $$d ; exit 0 ; \
@@ -10,9 +10,9 @@ diff -urNp openswan-2.6.32-orig/Makefile.inc openswan-2.6.32-cvs-patched/Makefil
RCDIR?=$(DESTDIR)$(FINALRCDIR)
-diff -urNp openswan-2.6.32-orig/programs/setup/Makefile openswan-2.6.32-cvs-patched/programs/setup/Makefile
---- openswan-2.6.32-orig/programs/setup/Makefile 2010-12-20 12:44:19.124080258 -0500
-+++ openswan-2.6.32-cvs-patched/programs/setup/Makefile 2010-12-20 12:51:46.128322171 -0500
+diff -urNp openswan-2.6.33-patched/programs/setup/Makefile openswan-2.6.33-current/programs/setup/Makefile
+--- openswan-2.6.33-patched/programs/setup/Makefile 2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/setup/Makefile 2011-10-28 20:29:38.378473468 -0400
@@ -37,7 +37,7 @@ doinstall:: $(PROGRAM) $(CONFFILES) $(EX
@mkdir -p $(RCDIR) $(BINDIR)
# install and link everything
diff --git a/openswan-cve-2011-3380.patch b/openswan-cve-2011-3380.patch
index 5dc58a0..ef44072 100644
--- a/openswan-cve-2011-3380.patch
+++ b/openswan-cve-2011-3380.patch
@@ -1,6 +1,6 @@
diff -urNp openswan-2.6.33-patched/programs/pluto/ike_alg.c openswan-2.6.33-current/programs/pluto/ike_alg.c
---- openswan-2.6.33-patched/programs/pluto/ike_alg.c 2011-10-05 11:13:11.596816659 -0400
-+++ openswan-2.6.33-current/programs/pluto/ike_alg.c 2011-10-05 11:16:54.917104728 -0400
+--- openswan-2.6.33-patched/programs/pluto/ike_alg.c 2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/pluto/ike_alg.c 2011-10-28 20:31:43.335418426 -0400
@@ -115,7 +115,7 @@ bool ike_alg_enc_ok(int ealg, unsigned k
ealg, key_len);
}
diff --git a/openswan-cve-2011-4073.patch b/openswan-cve-2011-4073.patch
new file mode 100644
index 0000000..bcce6bc
--- /dev/null
+++ b/openswan-cve-2011-4073.patch
@@ -0,0 +1,101 @@
+diff -urNp openswan-2.6.33-patched/programs/pluto/ikev1_continuations.h openswan-2.6.33-current/programs/pluto/ikev1_continuations.h
+--- openswan-2.6.33-patched/programs/pluto/ikev1_continuations.h 2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/pluto/ikev1_continuations.h 2011-10-28 20:34:01.363356981 -0400
+@@ -7,8 +7,6 @@
+
+ struct qke_continuation {
+ struct pluto_crypto_req_cont qke_pcrc;
+- struct state *st; /* need to use abstract # */
+- struct state *isakmp_sa; /* used in initiator */
+ so_serial_t replacing;
+ struct msg_digest *md; /* used in responder */
+ };
+diff -urNp openswan-2.6.33-patched/programs/pluto/ikev1_quick.c openswan-2.6.33-current/programs/pluto/ikev1_quick.c
+--- openswan-2.6.33-patched/programs/pluto/ikev1_quick.c 2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/pluto/ikev1_quick.c 2011-10-28 20:35:55.331305748 -0400
+@@ -701,7 +701,8 @@ init_phase2_iv(struct state *st, const m
+
+ static stf_status
+ quick_outI1_tail(struct pluto_crypto_req_cont *pcrc
+- , struct pluto_crypto_req *r);
++ , struct pluto_crypto_req *r
++ , struct state *st);
+
+ static void
+ quick_outI1_continue(struct pluto_crypto_req_cont *pcrc
+@@ -709,7 +710,7 @@ quick_outI1_continue(struct pluto_crypto
+ , err_t ugh)
+ {
+ struct qke_continuation *qke = (struct qke_continuation *)pcrc;
+- struct state *const st = qke->st;
++ struct state *const st = state_with_serialno(qke->qke_pcrc.pcrc_serialno);
+ stf_status e;
+
+ DBG(DBG_CONTROLMORE
+@@ -732,7 +733,9 @@ quick_outI1_continue(struct pluto_crypto
+
+ set_cur_state(st); /* we must reset before exit */
+ set_suspended(st, NULL);
+- e = quick_outI1_tail(pcrc, r);
++ e = quick_outI1_tail(pcrc, r, st);
++ if (e == STF_INTERNAL_ERROR)
++ loglog(RC_LOG_SERIOUS, "%s: quick_outI1_tail() failed with STF_INTERNAL_ERROR", __FUNCTION__);
+
+ reset_globals();
+ }
+@@ -815,8 +818,6 @@ quick_outI1(int whack_sock
+ , isakmp_sa->st_serialno, st->st_msgid, p2alg, pfsgroupname);
+ }
+
+- qke->st = st;
+- qke->isakmp_sa = isakmp_sa;
+ qke->replacing = replacing;
+ pcrc_init(&qke->qke_pcrc);
+ qke->qke_pcrc.pcrc_func = quick_outI1_continue;
+@@ -834,12 +835,12 @@ quick_outI1(int whack_sock
+
+ static stf_status
+ quick_outI1_tail(struct pluto_crypto_req_cont *pcrc
+- , struct pluto_crypto_req *r)
++ , struct pluto_crypto_req *r
++ , struct state *st)
+ {
+ struct qke_continuation *qke = (struct qke_continuation *)pcrc;
+- struct state *st = qke->st;
++ struct state *isakmp_sa = state_with_serialno(st->st_clonedfrom);
+ struct connection *c = st->st_connection;
+- struct state *isakmp_sa = qke->isakmp_sa;
+ pb_stream rbody;
+ u_char /* set by START_HASH_PAYLOAD: */
+ *r_hashval, /* where in reply to jam hash value */
+@@ -848,7 +849,11 @@ quick_outI1_tail(struct pluto_crypto_req
+ c->spd.this.protocol || c->spd.that.protocol ||
+ c->spd.this.port || c->spd.that.port;
+
+- st->st_connection = c;
++ if(isakmp_sa == NULL) {
++ /* phase1 state got deleted while cryptohelper was working */
++ loglog(RC_LOG_SERIOUS,"phase2 initiation failed because parent ISAKMP #%lu is gone", st->st_clonedfrom);
++ return STF_FATAL;
++ }
+
+ #ifdef NAT_TRAVERSAL
+ if (isakmp_sa->hidden_variables.st_nat_traversal & NAT_T_DETECTED) {
+@@ -1984,8 +1989,6 @@ quick_inI1_outR1_authtail(struct verify_
+ ci = pcim_ongoing_crypto;
+ if(ci < st->st_import) ci = st->st_import;
+
+- qke->st = st;
+- qke->isakmp_sa = p1st;
+ qke->md = md;
+ pcrc_init(&qke->qke_pcrc);
+ qke->qke_pcrc.pcrc_func = quick_inI1_outR1_cryptocontinue1;
+@@ -2010,7 +2013,7 @@ quick_inI1_outR1_cryptocontinue1(struct
+ {
+ struct qke_continuation *qke = (struct qke_continuation *)pcrc;
+ struct msg_digest *md = qke->md;
+- struct state *const st = qke->st;
++ struct state *const st = state_with_serialno(qke->qke_pcrc.pcrc_serialno);
+ stf_status e;
+
+ DBG(DBG_CONTROLMORE
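Review bot: In quick_outI1_continue and quick_inI1_outR1_cryptocontinue1 the state is now recovered with `state_with_serialno(qke->qke_pcrc.pcrc_serialno)`, a lookup the hunk itself treats as able to return NULL when it guards isakmp_sa in quick_outI1_tail, yet in quick_outI1_continue the result flows into `set_cur_state(st)` and `set_suspended(st, NULL)` with no guard visible in the hunk. If the elided lines between `stf_status e;` and `set_cur_state(st)` do not already reject a NULL st, add `if (st == NULL) { loglog(RC_LOG_SERIOUS, "%s: state #%lu is gone", __FUNCTION__, (unsigned long)qke->qke_pcrc.pcrc_serialno); return; }` before the first dereference, and the same in quick_inI1_outR1_cryptocontinue1, whose body continues past the end of the hunk. The `%lu` cast mirrors the existing `st->st_clonedfrom` log line so the format stays consistent with the serial type used there. Both enclosing functions extend outside the hunk, so the presence of such a check cannot be confirmed from this view.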
diff --git a/openswan-ipsec-help-524146-509318.patch b/openswan-ipsec-help-524146-509318.patch
index 812d0ea..28d2aba 100644
--- a/openswan-ipsec-help-524146-509318.patch
+++ b/openswan-ipsec-help-524146-509318.patch
@@ -1,6 +1,6 @@
-diff -urNp openswan-2.6.32-orig/programs/ipsec/ipsec.in openswan-2.6.32-cvs-patched/programs/ipsec/ipsec.in
---- openswan-2.6.32-orig/programs/ipsec/ipsec.in 2010-12-20 12:44:19.150080076 -0500
-+++ openswan-2.6.32-cvs-patched/programs/ipsec/ipsec.in 2010-12-20 12:55:34.269071757 -0500
+diff -urNp openswan-2.6.33-patched/programs/ipsec/ipsec.in openswan-2.6.33-current/programs/ipsec/ipsec.in
+--- openswan-2.6.33-patched/programs/ipsec/ipsec.in 2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/ipsec/ipsec.in 2011-10-28 20:30:38.719446959 -0400
@@ -80,9 +80,9 @@ case "$1" in
--help)
echo "Usage: ipsec command argument ..."
diff --git a/openswan.spec b/openswan.spec
index 89bd688..f0984f1 100644
--- a/openswan.spec
+++ b/openswan.spec
@@ -9,7 +9,7 @@ Summary: IPSEC implementation with IKEv1 and IKEv2 keying protocols
Name: openswan
Version: 2.6.33
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Url: http://www.openswan.org/
Source: openswan-%{version}.tar.gz
@@ -19,6 +19,7 @@ Source2: ipsec.conf
Patch1: openswan-2.6-relpath.patch
Patch2: openswan-ipsec-help-524146-509318.patch
Patch3: openswan-cve-2011-3380.patch
+Patch4: openswan-cve-2011-4073.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -75,6 +76,7 @@ system.
%patch1 -p1 -b .relpath
%patch2 -p1
%patch3 -p1
+%patch4 -p1
%build
@@ -224,6 +226,9 @@ fi
chkconfig --add ipsec || :
%changelog
+* Fri Oct 28 2011 Avesh Agarwal <avagarwa at redhat.com> - 2.6.33-3
+- Fixes for cve-2011-4073
+
* Wed Oct 5 2011 Avesh Agarwal <avagarwa at redhat.com> - 2.6.33-2
- Fixes for cve-2011-3380