[Pkg-swan-devel] [strongswan] 01/04: Fix CVE-2014-9221
Yves-Alexis Perez
corsac at moszumanska.debian.org
Mon Jan 5 12:27:08 UTC 2015
This is an automated email from the git hooks/post-receive script.
corsac pushed a commit to branch wheezy-security
in repository strongswan.
commit efe13461e270b466f17b34477f049f825bae6cbc
Author: Yves-Alexis Perez <corsac at debian.org>
Date: Sun Dec 14 20:51:46 2014 +0100
Fix CVE-2014-9221
* Non-maintainer upload by the Security Team.
* debian/patches:
- debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
denial of service in IKEv2 when using custom MODP value.
---
debian/changelog | 9 +++++
debian/patches/CVE-2014-9221_modp_custom.patch | 50 ++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 60 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index c6000f8..dbf25f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+strongswan (4.5.2-1.5+deb7u4.1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * debian/patches:
+ - debian/patches/CVE-2014-9221_modp_custom added, fix unauthenticated
+ denial of service in IKEv2 when using custom MODP value.
+
+ -- Yves-Alexis Perez <corsac at debian.org> Sun, 14 Dec 2014 14:31:43 +0100
+
strongswan (4.5.2-1.5+deb7u4) wheezy-security; urgency=high
* Non-maintainer upload by the Security Team.
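Review bot: the new changelog entry names the patch as debian/patches/CVE-2014-9221_modp_custom, without the .patch suffix, while the file added by this commit and the line added to debian/patches/series are both CVE-2014-9221_modp_custom.patch; use the full file name so the changelog matches what is shipped. The entry is also still marked UNRELEASED, whereas the previous entry targets wheezy-security, so the distribution has to be set before upload.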
diff --git a/debian/patches/CVE-2014-9221_modp_custom.patch b/debian/patches/CVE-2014-9221_modp_custom.patch
new file mode 100644
index 0000000..dfc2faf
--- /dev/null
+++ b/debian/patches/CVE-2014-9221_modp_custom.patch
@@ -0,0 +1,50 @@
+From aeafb8269a66e90a3fe5fc8f0fdbf33ada57e0d3 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias at strongswan.org>
+Date: Thu, 4 Dec 2014 12:08:11 +0100
+Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range
+
+Before this fix it was possible to crash charon with an IKE_SA_INIT
+message containing a KE payload with DH group MODP_CUSTOM(1025).
+Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
+prevents it from getting negotiated.
+
+Fixes CVE-2014-9221 in versions before 4.5.4.
+---
+ src/libstrongswan/crypto/diffie_hellman.c | 5 +++--
+ src/libstrongswan/crypto/diffie_hellman.h | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
+index 5f7365321078..70961ed8281a 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.c
++++ b/src/libstrongswan/crypto/diffie_hellman.c
+@@ -38,8 +38,9 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_224_BIT, ECP_521_BIT,
+ "MODP_2048_256",
+ "ECP_192",
+ "ECP_224");
+-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_224_BIT,
+- "MODP_NULL",
++ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_224_BIT,
++ "MODP_NULL");
++ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, MODP_NULL,
+ "MODP_CUSTOM");
+ ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
+
+diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
+index 9ae7723639ae..1bb1452894b7 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.h
++++ b/src/libstrongswan/crypto/diffie_hellman.h
+@@ -57,8 +57,9 @@ enum diffie_hellman_group_t {
+ ECP_224_BIT = 26,
+ /** insecure NULL diffie hellman group for testing, in PRIVATE USE */
+ MODP_NULL = 1024,
+- /** MODP group with custon generator, prime */
+- MODP_CUSTOM = 1025,
++ /** internally used DH group with additional parameters g and p, outside
++ * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
++ MODP_CUSTOM = 65536,
+ };
+
+ /**
+--
+1.9.1
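Review bot: in the diffie_hellman.h part, the fix depends on MODP_CUSTOM being larger than anything a two byte IKE DH identifier can carry, but the new comment only says "outside of PRIVATE USE (i.e. IKEv2 DH group range)" and never states that bound. Suggest saying in the comment that the value must stay above 65535, so a later renumbering of the enum cannot move it back into the range a peer can put in a KE payload. MODP_NULL = 1024, documented in the same enum as an insecure group for testing, keeps a value inside the two byte range after this change; worth confirming that is intended.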
diff --git a/debian/patches/series b/debian/patches/series
index d9ba358..5f00836 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@ debian-changes-4.5.2-1.1
CVE-2013-6075.patch
CVE-2014-2338-4.x.patch
CVE-2014-2891.patch
+CVE-2014-9221_modp_custom.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git