[openswan/f14] Fixes for cve-2011-4073

avesh agarwal avesh at fedoraproject.org
Sat Oct 29 00:41:40 UTC 2011


commit 247629f1d4705d57afda950edf07a50fc4881953
Author: Avesh Agarwal <avagarwa at redhat.com>
Date:   Fri Oct 28 20:41:34 2011 -0400

    Fixes for cve-2011-4073

 openswan-2.6-relpath.patch              |   12 ++--
 openswan-cve-2011-3380.patch            |    4 +-
 openswan-cve-2011-4073.patch            |  101 +++++++++++++++++++++++++++++++
 openswan-ipsec-help-524146-509318.patch |    6 +-
 openswan.spec                           |    7 ++-
 5 files changed, 118 insertions(+), 12 deletions(-)
---
diff --git a/openswan-2.6-relpath.patch b/openswan-2.6-relpath.patch
index 7d98edc..8658ca6 100644
--- a/openswan-2.6-relpath.patch
+++ b/openswan-2.6-relpath.patch
@@ -1,6 +1,6 @@
-diff -urNp openswan-2.6.32-orig/Makefile.inc openswan-2.6.32-cvs-patched/Makefile.inc
---- openswan-2.6.32-orig/Makefile.inc	2010-12-20 12:44:19.113079987 -0500
-+++ openswan-2.6.32-cvs-patched/Makefile.inc	2010-12-20 12:51:03.383330043 -0500
+diff -urNp openswan-2.6.33-patched/Makefile.inc openswan-2.6.33-current/Makefile.inc
+--- openswan-2.6.33-patched/Makefile.inc	2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/Makefile.inc	2011-10-28 20:29:38.377473469 -0400
 @@ -123,6 +123,8 @@ FINALRCDIR?=$(shell for d in $(INC_RCDIR
  		do if test -d $(DESTDIR)/$$d ; \
  		then echo $$d ; exit 0 ; \
@@ -10,9 +10,9 @@ diff -urNp openswan-2.6.32-orig/Makefile.inc openswan-2.6.32-cvs-patched/Makefil
  RCDIR?=$(DESTDIR)$(FINALRCDIR)
  
  
-diff -urNp openswan-2.6.32-orig/programs/setup/Makefile openswan-2.6.32-cvs-patched/programs/setup/Makefile
---- openswan-2.6.32-orig/programs/setup/Makefile	2010-12-20 12:44:19.124080258 -0500
-+++ openswan-2.6.32-cvs-patched/programs/setup/Makefile	2010-12-20 12:51:46.128322171 -0500
+diff -urNp openswan-2.6.33-patched/programs/setup/Makefile openswan-2.6.33-current/programs/setup/Makefile
+--- openswan-2.6.33-patched/programs/setup/Makefile	2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/setup/Makefile	2011-10-28 20:29:38.378473468 -0400
 @@ -37,7 +37,7 @@ doinstall:: $(PROGRAM) $(CONFFILES) $(EX
  	@mkdir -p $(RCDIR) $(BINDIR)
  	# install and link everything
diff --git a/openswan-cve-2011-3380.patch b/openswan-cve-2011-3380.patch
index 5dc58a0..ef44072 100644
--- a/openswan-cve-2011-3380.patch
+++ b/openswan-cve-2011-3380.patch
@@ -1,6 +1,6 @@
 diff -urNp openswan-2.6.33-patched/programs/pluto/ike_alg.c openswan-2.6.33-current/programs/pluto/ike_alg.c
---- openswan-2.6.33-patched/programs/pluto/ike_alg.c	2011-10-05 11:13:11.596816659 -0400
-+++ openswan-2.6.33-current/programs/pluto/ike_alg.c	2011-10-05 11:16:54.917104728 -0400
+--- openswan-2.6.33-patched/programs/pluto/ike_alg.c	2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/pluto/ike_alg.c	2011-10-28 20:31:43.335418426 -0400
 @@ -115,7 +115,7 @@ bool ike_alg_enc_ok(int ealg, unsigned k
  				ealg, key_len);
  		}
diff --git a/openswan-cve-2011-4073.patch b/openswan-cve-2011-4073.patch
new file mode 100644
index 0000000..bcce6bc
--- /dev/null
+++ b/openswan-cve-2011-4073.patch
@@ -0,0 +1,101 @@
+diff -urNp openswan-2.6.33-patched/programs/pluto/ikev1_continuations.h openswan-2.6.33-current/programs/pluto/ikev1_continuations.h
+--- openswan-2.6.33-patched/programs/pluto/ikev1_continuations.h	2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/pluto/ikev1_continuations.h	2011-10-28 20:34:01.363356981 -0400
+@@ -7,8 +7,6 @@
+ 
+ struct qke_continuation {
+     struct pluto_crypto_req_cont qke_pcrc;
+-    struct state                *st;            /* need to use abstract # */
+-    struct state                *isakmp_sa;     /* used in initiator */
+     so_serial_t                  replacing;
+     struct msg_digest           *md;            /* used in responder */
+ };
+diff -urNp openswan-2.6.33-patched/programs/pluto/ikev1_quick.c openswan-2.6.33-current/programs/pluto/ikev1_quick.c
+--- openswan-2.6.33-patched/programs/pluto/ikev1_quick.c	2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/pluto/ikev1_quick.c	2011-10-28 20:35:55.331305748 -0400
+@@ -701,7 +701,8 @@ init_phase2_iv(struct state *st, const m
+ 
+ static stf_status
+ quick_outI1_tail(struct pluto_crypto_req_cont *pcrc
+-		 , struct pluto_crypto_req *r);
++		 , struct pluto_crypto_req *r
++		 , struct state *st);
+ 
+ static void
+ quick_outI1_continue(struct pluto_crypto_req_cont *pcrc
+@@ -709,7 +710,7 @@ quick_outI1_continue(struct pluto_crypto
+ 		     , err_t ugh)
+ {
+     struct qke_continuation *qke = (struct qke_continuation *)pcrc;
+-    struct state *const st = qke->st;
++    struct state *const st = state_with_serialno(qke->qke_pcrc.pcrc_serialno);
+     stf_status e;
+ 
+     DBG(DBG_CONTROLMORE
+@@ -732,7 +733,9 @@ quick_outI1_continue(struct pluto_crypto
+ 
+     set_cur_state(st);	/* we must reset before exit */
+     set_suspended(st, NULL);
+-    e = quick_outI1_tail(pcrc, r);
++    e = quick_outI1_tail(pcrc, r, st);
++    if (e == STF_INTERNAL_ERROR)
++	loglog(RC_LOG_SERIOUS, "%s: quick_outI1_tail() failed with STF_INTERNAL_ERROR", __FUNCTION__);
+ 
+     reset_globals();
+ }
+@@ -815,8 +818,6 @@ quick_outI1(int whack_sock
+ 		     , isakmp_sa->st_serialno, st->st_msgid, p2alg, pfsgroupname);
+     }
+ 
+-    qke->st = st;
+-    qke->isakmp_sa = isakmp_sa;
+     qke->replacing = replacing;
+     pcrc_init(&qke->qke_pcrc);
+     qke->qke_pcrc.pcrc_func = quick_outI1_continue;
+@@ -834,12 +835,12 @@ quick_outI1(int whack_sock
+     
+ static stf_status
+ quick_outI1_tail(struct pluto_crypto_req_cont *pcrc
+-		 , struct pluto_crypto_req *r)
++		 , struct pluto_crypto_req *r
++		 , struct state *st)
+ {
+     struct qke_continuation *qke = (struct qke_continuation *)pcrc;
+-    struct state *st = qke->st;
++    struct state *isakmp_sa = state_with_serialno(st->st_clonedfrom);
+     struct connection *c = st->st_connection;
+-    struct state *isakmp_sa = qke->isakmp_sa;
+     pb_stream rbody;
+     u_char	/* set by START_HASH_PAYLOAD: */
+ 	*r_hashval,	/* where in reply to jam hash value */
+@@ -848,7 +849,11 @@ quick_outI1_tail(struct pluto_crypto_req
+ 		      c->spd.this.protocol || c->spd.that.protocol ||
+ 		      c->spd.this.port || c->spd.that.port;
+ 
+-    st->st_connection = c;
++    if(isakmp_sa == NULL) {
++	/* phase1 state got deleted while cryptohelper was working */
++	loglog(RC_LOG_SERIOUS,"phase2 initiation failed because parent ISAKMP #%lu is gone", st->st_clonedfrom);
++	return STF_FATAL;
++    }
+ 
+ #ifdef NAT_TRAVERSAL
+     if (isakmp_sa->hidden_variables.st_nat_traversal & NAT_T_DETECTED) {
+@@ -1984,8 +1989,6 @@ quick_inI1_outR1_authtail(struct verify_
+ 	    ci = pcim_ongoing_crypto;
+ 	    if(ci < st->st_import) ci = st->st_import;
+ 
+-	    qke->st = st;
+-	    qke->isakmp_sa = p1st;
+ 	    qke->md = md;
+ 	    pcrc_init(&qke->qke_pcrc);
+ 	    qke->qke_pcrc.pcrc_func = quick_inI1_outR1_cryptocontinue1;
+@@ -2010,7 +2013,7 @@ quick_inI1_outR1_cryptocontinue1(struct 
+ {
+     struct qke_continuation *qke = (struct qke_continuation *)pcrc;
+     struct msg_digest *md = qke->md;
+-    struct state *const st = qke->st;
++    struct state *const st = state_with_serialno(qke->qke_pcrc.pcrc_serialno);
+     stf_status e;
+ 
+     DBG(DBG_CONTROLMORE
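Review bot: The two serial-number lookups on the new side, `struct state *const st = state_with_serialno(qke->qke_pcrc.pcrc_serialno);` in quick_outI1_continue and again in quick_inI1_outR1_cryptocontinue1, return NULL in precisely the situation this patch exists for (the state was deleted while the crypto helper ran), yet no `st == NULL` check is visible before `set_cur_state(st)` and `set_suspended(st, NULL)` in quick_outI1_continue; the lines between the `@@ -709` and `@@ -732` hunks are not shown, so if the guard lives there this is fine, otherwise the use-after-free turns into a NULL dereference, and the same question applies to quick_inI1_outR1_cryptocontinue1, whose body continues past the end of this hunk. quick_outI1_tail does guard its own lookup (`if(isakmp_sa == NULL)` with a loglog and `return STF_FATAL` before the first `isakmp_sa->` use), and the two continuations should mirror that pattern. A one-line comment at each lookup would help the next reader, e.g. `/* look the state up by serial number, not a cached pointer: it may have been deleted while the crypto helper ran (CVE-2011-4073) */`. The qke_continuation still carries a raw `struct msg_digest *md` (ikev1_continuations.h hunk); whether its lifetime is guaranteed across the helper run is not visible here and is worth confirming.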
diff --git a/openswan-ipsec-help-524146-509318.patch b/openswan-ipsec-help-524146-509318.patch
index 812d0ea..28d2aba 100644
--- a/openswan-ipsec-help-524146-509318.patch
+++ b/openswan-ipsec-help-524146-509318.patch
@@ -1,6 +1,6 @@
-diff -urNp openswan-2.6.32-orig/programs/ipsec/ipsec.in openswan-2.6.32-cvs-patched/programs/ipsec/ipsec.in
---- openswan-2.6.32-orig/programs/ipsec/ipsec.in	2010-12-20 12:44:19.150080076 -0500
-+++ openswan-2.6.32-cvs-patched/programs/ipsec/ipsec.in	2010-12-20 12:55:34.269071757 -0500
+diff -urNp openswan-2.6.33-patched/programs/ipsec/ipsec.in openswan-2.6.33-current/programs/ipsec/ipsec.in
+--- openswan-2.6.33-patched/programs/ipsec/ipsec.in	2011-02-21 15:11:19.000000000 -0500
++++ openswan-2.6.33-current/programs/ipsec/ipsec.in	2011-10-28 20:30:38.719446959 -0400
 @@ -80,9 +80,9 @@ case "$1" in
  --help)
  	echo "Usage: ipsec command argument ..."
diff --git a/openswan.spec b/openswan.spec
index 89bd688..f0984f1 100644
--- a/openswan.spec
+++ b/openswan.spec
@@ -9,7 +9,7 @@ Summary: IPSEC implementation with IKEv1 and IKEv2 keying protocols
 Name: openswan
 Version: 2.6.33
 
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Url: http://www.openswan.org/
 Source: openswan-%{version}.tar.gz
@@ -19,6 +19,7 @@ Source2: ipsec.conf
 Patch1: openswan-2.6-relpath.patch
 Patch2: openswan-ipsec-help-524146-509318.patch
 Patch3: openswan-cve-2011-3380.patch
+Patch4: openswan-cve-2011-4073.patch
 
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -75,6 +76,7 @@ system.
 %patch1 -p1 -b .relpath
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 
@@ -224,6 +226,9 @@ fi
 chkconfig --add ipsec || :
 
 %changelog
+* Fri Oct 28 2011 Avesh Agarwal <avagarwa at redhat.com> - 2.6.33-3
+- Fixes for cve-2011-4073
+
 * Wed Oct 5 2011 Avesh Agarwal <avagarwa at redhat.com> - 2.6.33-2
 - Fixes for cve-2011-3380
 

