rpms/ipsec-tools/devel ipsec-tools-0.7.1-dpd-fixes.patch, NONE, 1.1 ipsec-tools-0.7.1-leaks.patch, NONE, 1.1 ipsec-tools-0.7.1-pie.patch, NONE, 1.1 ipsec-tools.spec, 1.59, 1.60
Tomáš Mráz
tmraz at fedoraproject.org
Fri Oct 17 16:24:22 UTC 2008
Author: tmraz
Update of /cvs/pkgs/rpms/ipsec-tools/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13966
Modified Files:
ipsec-tools.spec
Added Files:
ipsec-tools-0.7.1-dpd-fixes.patch
ipsec-tools-0.7.1-leaks.patch ipsec-tools-0.7.1-pie.patch
Log Message:
* Fri Oct 17 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-5
- fix CVE-2008-3652 (memory leak DoS)
- compile racoon as PIE
- another fix for teardown of the IPSEC SAs on DPD in some circumstances
ipsec-tools-0.7.1-dpd-fixes.patch:
--- NEW FILE ipsec-tools-0.7.1-dpd-fixes.patch ---
diff -up ipsec-tools-0.7.1/src/racoon/isakmp_inf.c.dpd-fixes ipsec-tools-0.7.1/src/racoon/isakmp_inf.c
--- ipsec-tools-0.7.1/src/racoon/isakmp_inf.c.dpd-fixes 2008-10-17 14:18:44.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/isakmp_inf.c 2008-10-17 18:04:07.000000000 +0200
@@ -1202,7 +1202,7 @@ purge_ipsec_spi(dst0, proto, spi, n)
/* don't delete inbound SAs at the moment */
/* XXX should we remove SAs with opposite direction as well? */
- if (CMPSADDR(dst0, dst)) {
+ if (cmpsaddrwop(dst0, dst)) {
msg = next;
continue;
}
diff -up ipsec-tools-0.7.1/src/racoon/pfkey.c.dpd-fixes ipsec-tools-0.7.1/src/racoon/pfkey.c
--- ipsec-tools-0.7.1/src/racoon/pfkey.c.dpd-fixes 2008-10-17 14:18:44.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/pfkey.c 2008-10-17 18:17:16.000000000 +0200
@@ -902,13 +902,19 @@ pk_sendgetspi(iph2)
/* for mobile IPv6 */
if (proxy && iph2->src_id && iph2->dst_id &&
ipsecdoi_transportmode(pp)) {
- src = iph2->src_id;
- dst = iph2->dst_id;
+ src = dupsaddr(iph2->src_id);
+ dst = dupsaddr(iph2->dst_id);
} else {
- src = iph2->src;
- dst = iph2->dst;
+ src = dupsaddr(iph2->src);
+ dst = dupsaddr(iph2->dst);
}
-
+
+ if (src == NULL || dst == NULL) {
+ racoon_free(src);
+ racoon_free(dst);
+ return -1;
+ }
+
for (pr = pp->head; pr != NULL; pr = pr->next) {
/* validity check */
@@ -916,6 +922,8 @@ pk_sendgetspi(iph2)
if (satype == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid proto_id %d\n", pr->proto_id);
+ racoon_free(src);
+ racoon_free(dst);
return -1;
}
/* this works around a bug in Linux kernel where it allocates 4 byte
@@ -932,12 +940,12 @@ pk_sendgetspi(iph2)
if (mode == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid encmode %d\n", pr->encmode);
+ racoon_free(src);
+ racoon_free(dst);
return -1;
}
#ifdef ENABLE_NATT
- /* XXX should we do a copy of src/dst for each pr ?
- */
if (! pr->udp_encap) {
/* Remove port information, that SA doesn't use it */
set_port(src, 0);
@@ -956,6 +964,8 @@ pk_sendgetspi(iph2)
plog(LLV_ERROR, LOCATION, NULL,
"ipseclib failed send getspi (%s)\n",
ipsec_strerror());
+ racoon_free(src);
+ racoon_free(dst);
return -1;
}
plog(LLV_DEBUG, LOCATION, NULL,
@@ -963,6 +973,8 @@ pk_sendgetspi(iph2)
sadbsecas2str(dst, src, satype, 0, mode));
}
+ racoon_free(src);
+ racoon_free(dst);
return 0;
}
@@ -1146,11 +1158,17 @@ pk_sendupdate(iph2)
/* for mobile IPv6 */
if (proxy && iph2->src_id && iph2->dst_id &&
ipsecdoi_transportmode(iph2->approval)) {
- sa_args.dst = iph2->src_id;
- sa_args.src = iph2->dst_id;
+ sa_args.dst = dupsaddr(iph2->src_id);
+ sa_args.src = dupsaddr(iph2->dst_id);
} else {
- sa_args.dst = iph2->src;
- sa_args.src = iph2->dst;
+ sa_args.dst = dupsaddr(iph2->src);
+ sa_args.src = dupsaddr(iph2->dst);
+ }
+
+ if (sa_args.src == NULL || sa_args.dst == NULL) {
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+ return -1;
}
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
@@ -1159,6 +1177,8 @@ pk_sendupdate(iph2)
if (sa_args.satype == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid proto_id %d\n", pr->proto_id);
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
@@ -1172,6 +1192,8 @@ pk_sendupdate(iph2)
if (sa_args.mode == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid encmode %d\n", pr->encmode);
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
#endif
@@ -1183,8 +1205,11 @@ pk_sendupdate(iph2)
pr->head->authtype,
&sa_args.e_type, &sa_args.e_keylen,
&sa_args.a_type, &sa_args.a_keylen,
- &sa_args.flags) < 0)
+ &sa_args.flags) < 0) {
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
+ }
#if 0
sa_args.l_bytes = iph2->approval->lifebyte * 1024,
@@ -1227,6 +1252,8 @@ pk_sendupdate(iph2)
plog(LLV_ERROR, LOCATION, NULL,
"libipsec failed send update (%s)\n",
ipsec_strerror());
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
@@ -1256,6 +1283,8 @@ pk_sendupdate(iph2)
sa_args.satype, sa_args.spi, sa_args.mode));
}
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return 0;
}
@@ -1449,11 +1478,17 @@ pk_sendadd(iph2)
/* for mobile IPv6 */
if (proxy && iph2->src_id && iph2->dst_id &&
ipsecdoi_transportmode(iph2->approval)) {
- sa_args.src = iph2->src_id;
- sa_args.dst = iph2->dst_id;
+ sa_args.src = dupsaddr(iph2->src_id);
+ sa_args.dst = dupsaddr(iph2->dst_id);
} else {
- sa_args.src = iph2->src;
- sa_args.dst = iph2->dst;
+ sa_args.src = dupsaddr(iph2->src);
+ sa_args.dst = dupsaddr(iph2->dst);
+ }
+
+ if (sa_args.src == NULL || sa_args.dst == NULL) {
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
+ return -1;
}
for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
@@ -1462,6 +1497,8 @@ pk_sendadd(iph2)
if (sa_args.satype == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid proto_id %d\n", pr->proto_id);
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
@@ -1475,6 +1512,8 @@ pk_sendadd(iph2)
if (sa_args.mode == ~0) {
plog(LLV_ERROR, LOCATION, NULL,
"invalid encmode %d\n", pr->encmode);
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
#endif
@@ -1488,6 +1527,8 @@ pk_sendadd(iph2)
&sa_args.e_type, &sa_args.e_keylen,
&sa_args.a_type, &sa_args.a_keylen,
&sa_args.flags) < 0)
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
#if 0
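Review bot: The two racoon_free calls inserted after `&sa_args.flags) < 0)` are not braced, so only `racoon_free(sa_args.src)` is conditional on the ipsecdoi_transportmode/keylen check failing; `racoon_free(sa_args.dst)` and `return -1` run unconditionally, which makes pk_sendadd return -1 on every call and leaks sa_args.src on the path where the check succeeds. The matching hunk in pk_sendupdate (the `-&sa_args.flags) < 0)` / `+&sa_args.flags) < 0) {` change) does add the braces, and this hunk should do the same: `&sa_args.flags) < 0) {` … `return -1;` `}`. The enclosing pk_sendadd body continues outside the hunk on both sides, so the same unbraced `return -1;` should be checked against the surrounding `#if 0` block when the braces are added.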
@@ -1539,6 +1580,8 @@ pk_sendadd(iph2)
plog(LLV_ERROR, LOCATION, NULL,
"libipsec failed send add (%s)\n",
ipsec_strerror());
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return -1;
}
@@ -1566,6 +1609,8 @@ pk_sendadd(iph2)
sa_args.satype, sa_args.spi, sa_args.mode));
}
iph2->sa_count = sa_sent;
+ racoon_free(sa_args.src);
+ racoon_free(sa_args.dst);
return 0;
}
diff -up ipsec-tools-0.7.1/src/racoon/isakmp.c.dpd-fixes ipsec-tools-0.7.1/src/racoon/isakmp.c
--- ipsec-tools-0.7.1/src/racoon/isakmp.c.dpd-fixes 2008-10-17 14:34:15.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/isakmp.c 2008-10-17 17:58:44.000000000 +0200
@@ -3255,6 +3255,14 @@ purge_remote(iph1)
continue;
}
+#ifdef ENABLE_NATT
+ if (extract_port(src) == 0 && extract_port(dst) == 0 &&
+ extract_port(iph1->local) == PORT_ISAKMP && extract_port(iph1->remote) == PORT_ISAKMP) {
+ set_port(src, PORT_ISAKMP);
+ set_port(dst, PORT_ISAKMP);
+ }
+#endif
+
/*
* check in/outbound SAs.
* Select only SAs where src == local and dst == remote (outgoing)
ipsec-tools-0.7.1-leaks.patch:
--- NEW FILE ipsec-tools-0.7.1-leaks.patch ---
diff -up ipsec-tools-0.7.1/src/racoon/isakmp.c.leaks ipsec-tools-0.7.1/src/racoon/isakmp.c
--- ipsec-tools-0.7.1/src/racoon/isakmp.c.leaks 2008-10-17 14:18:44.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/isakmp.c 2008-10-17 14:34:15.000000000 +0200
@@ -798,20 +798,23 @@ ph1_main(iph1, msg)
[iph1->side]
[iph1->status])(iph1, msg);
if (error != 0) {
-#if 0
/* XXX
* When an invalid packet is received on phase1, it should
* be selected to process this packet. That is to respond
* with a notify and delete phase 1 handler, OR not to respond
- * and keep phase 1 handler.
+ * and keep phase 1 handler. However, in PHASE1ST_START when
+ * acting as RESPONDER we must not keep phase 1 handler or else
+ * it will stay forever.
*/
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to pre-process packet.\n");
- return -1;
-#else
- /* ignore the error and keep phase 1 handler */
- return 0;
-#endif
+
+ if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "failed to pre-process packet.\n");
+ return -1;
+ } else {
+ /* ignore the error and keep phase 1 handler */
+ return 0;
+ }
}
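Review bot: The `else` after the branch ending in `return -1;` is now redundant, since the `#if 0`/`#else` alternatives it replaced are gone; flattening it reads more like the rest of the file: `if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) { plog(...); return -1; }` followed directly by `/* ignore the error and keep phase 1 handler */` and `return 0;`. The comment above it could also state the consequence it is guarding against in one line, e.g. `/* an unreplied RESPONDER handler in PHASE1ST_START would never be freed (see CVE-2008-3652 in the changelog) */`, so the reason for singling out that one state survives without the commit message. ph1_main starts and ends outside the hunk.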
#ifndef ENABLE_FRAG
ipsec-tools-0.7.1-pie.patch:
--- NEW FILE ipsec-tools-0.7.1-pie.patch ---
diff -up ipsec-tools-0.7.1/src/racoon/Makefile.am.pie ipsec-tools-0.7.1/src/racoon/Makefile.am
--- ipsec-tools-0.7.1/src/racoon/Makefile.am.pie 2008-10-17 14:13:24.000000000 +0200
+++ ipsec-tools-0.7.1/src/racoon/Makefile.am 2008-10-17 14:16:53.000000000 +0200
@@ -12,7 +12,7 @@ adminsockdir=${localstatedir}/racoon
BUILT_SOURCES = cfparse.h prsa_par.h
INCLUDES = -I${srcdir}/../libipsec
AM_CFLAGS = -D_GNU_SOURCE @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \
- -DADMINPORTDIR=\"${adminsockdir}\"
+ -DADMINPORTDIR=\"${adminsockdir}\" -fPIE
AM_LDFLAGS = @EXTRA_CRYPTO@ -lcrypto
AM_YFLAGS = -d ${$*_YFLAGS}
AM_LFLAGS = ${$*_LFLAGS}
@@ -38,6 +38,7 @@ racoon_SOURCES = \
cftoken.l cfparse.y prsa_tok.l prsa_par.y
EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
+racoon_LDFLAGS = -pie -Wl,-z,relro
racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
$(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la @AUDIT_LIBS@
racoon_DEPENDENCIES = \
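Review bot: `racoon_LDFLAGS = -pie -Wl,-z,relro` gives racoon only partial RELRO; the GOT stays writable until lazy binding completes unless the link also passes `-Wl,-z,now`, so the hardening intended here is not fully effective for a long-running daemon. Suggested line: `racoon_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now`. The hunk above in the same file adds `-fPIE` to AM_CFLAGS, which covers the objects listed in racoon_LDADD that are built in this directory (vmbuf.o, sockmisc.o, misc.o); objects coming from the `$(...)` variables are presumably built with the same AM_CFLAGS, but that is not visible in the hunk and worth confirming before relying on `-pie` linking cleanly.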
diff -up ipsec-tools-0.7.1/src/libipsec/Makefile.am.pie ipsec-tools-0.7.1/src/libipsec/Makefile.am
--- ipsec-tools-0.7.1/src/libipsec/Makefile.am.pie 2008-07-23 11:07:03.000000000 +0200
+++ ipsec-tools-0.7.1/src/libipsec/Makefile.am 2008-10-17 14:13:24.000000000 +0200
@@ -7,7 +7,7 @@ libipsec_HEADERS = libpfkey.h
man3_MANS = ipsec_set_policy.3 ipsec_strerror.3
-AM_CFLAGS = @GLIBC_BUGS@
+AM_CFLAGS = @GLIBC_BUGS@ -fPIE
AM_YFLAGS = -d -p __libipsec
AM_LFLAGS = -P__libipsec -olex.yy.c
Index: ipsec-tools.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ipsec-tools/devel/ipsec-tools.spec,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -r1.59 -r1.60
--- ipsec-tools.spec 10 Aug 2008 15:40:05 -0000 1.59
+++ ipsec-tools.spec 17 Oct 2008 16:23:52 -0000 1.60
@@ -1,6 +1,6 @@
Name: ipsec-tools
Version: 0.7.1
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
@@ -17,6 +17,9 @@
Patch6: ipsec-tools-0.7-dupsplit.patch
Patch9: ipsec-tools-0.7-splitcidr.patch
Patch10: ipsec-tools-0.7.1-natt-linux.patch
+Patch11: ipsec-tools-0.7.1-pie.patch
+Patch12: ipsec-tools-0.7.1-leaks.patch
+Patch13: ipsec-tools-0.7.1-dpd-fixes.patch
BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
BuildRequires: libselinux-devel >= 1.30.28-2
@@ -40,6 +43,9 @@
%patch6 -p1 -b .dupsplit
%patch9 -p1 -b .splitcidr
%patch10 -p1 -b .natt-linux
+%patch11 -p1 -b .pie
+%patch12 -p1 -b .leaks
+%patch13 -p1 -b .dpd-fixes
./bootstrap
@@ -118,6 +124,11 @@
%config(noreplace) /etc/racoon/racoon.conf
%changelog
+* Fri Oct 17 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-5
+- fix CVE-2008-3652 (memory leak DoS)
+- compile racoon as PIE
+- another fix for teardown of the IPSEC SAs on DPD in some circumstances
+
* Sun Aug 10 2008 Tomas Mraz <tmraz at redhat.com> - 0.7.1-4
- Even better fix for IPSEC SA purging avoiding code duplication
(original idea by Darrel Goeddel)