import libreswan-4.9-4.el9_2
This commit is contained in:
parent
9165e963c0
commit
6a0a5ce8d4
129
SOURCES/libreswan-4.9-cve-2023-30570.patch
Normal file
129
SOURCES/libreswan-4.9-cve-2023-30570.patch
Normal file
@ -0,0 +1,129 @@
|
||||
diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
|
||||
index e0615323ed..401618b6dd 100644
|
||||
--- a/programs/pluto/ikev1.c
|
||||
+++ b/programs/pluto/ikev1.c
|
||||
@@ -1101,10 +1101,20 @@ void process_v1_packet(struct msg_digest *md)
|
||||
struct state *st = NULL;
|
||||
enum state_kind from_state = STATE_UNDEFINED; /* state we started in */
|
||||
|
||||
+ /*
|
||||
+ * For the initial responses, don't leak the responder's SPI.
|
||||
+ * Hence the use of send_v1_notification_from_md().
|
||||
+ *
|
||||
+ * AGGR mode is a mess in that the R0->R1 transition happens
|
||||
+ * well before the transition succeeds.
|
||||
+ */
|
||||
#define SEND_NOTIFICATION(t) \
|
||||
{ \
|
||||
pstats(ikev1_sent_notifies_e, t); \
|
||||
- if (st != NULL) \
|
||||
+ if (st != NULL && \
|
||||
+ st->st_state->kind != STATE_AGGR_R0 && \
|
||||
+ st->st_state->kind != STATE_AGGR_R1 && \
|
||||
+ st->st_state->kind != STATE_MAIN_R0) \
|
||||
send_v1_notification_from_state(st, from_state, t); \
|
||||
else \
|
||||
send_v1_notification_from_md(md, t); \
|
||||
@@ -1168,17 +1178,26 @@ void process_v1_packet(struct msg_digest *md)
|
||||
from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ?
|
||||
STATE_MAIN_R0 : STATE_AGGR_R0);
|
||||
} else {
|
||||
- /* not an initial message */
|
||||
+ /*
|
||||
+ * Possibly not an initial message. Possibly
|
||||
+ * from initiator. Possibly from responder.
|
||||
+ *
|
||||
+ * Possibly. Which is probably hopeless.
|
||||
+ */
|
||||
|
||||
st = find_state_ikev1(&md->hdr.isa_ike_spis,
|
||||
md->hdr.isa_msgid);
|
||||
|
||||
if (st == NULL) {
|
||||
/*
|
||||
- * perhaps this is a first message
|
||||
+ * Perhaps this is a first message
|
||||
* from the responder and contains a
|
||||
* responder cookie that we've not yet
|
||||
* seen.
|
||||
+ *
|
||||
+ * Perhaps this is a random message
|
||||
+ * with a bogus non-zero responder IKE
|
||||
+ * SPI.
|
||||
*/
|
||||
st = find_state_ikev1_init(&md->hdr.isa_ike_initiator_spi,
|
||||
md->hdr.isa_msgid);
|
||||
@@ -1189,6 +1208,21 @@ void process_v1_packet(struct msg_digest *md)
|
||||
/* XXX Could send notification back */
|
||||
return;
|
||||
}
|
||||
+ if (st->st_state->kind == STATE_AGGR_R0) {
|
||||
+ /*
|
||||
+ * The only way for this to
|
||||
+ * happen is for the attacker
|
||||
+ * to guess the responder's
|
||||
+ * IKE SPI that hasn't been
|
||||
+ * sent over the wire?
|
||||
+ *
|
||||
+ * Well that or played 1/2^32
|
||||
+ * odds.
|
||||
+ */
|
||||
+ llog_pexpect(md->md_logger, HERE,
|
||||
+ "phase 1 message matching AGGR_R0 state");
|
||||
+ return;
|
||||
+ }
|
||||
}
|
||||
from_state = st->st_state->kind;
|
||||
}
|
||||
@@ -2870,7 +2904,28 @@ void complete_v1_state_transition(struct state *st, struct msg_digest *md, stf_s
|
||||
delete_state(st);
|
||||
/* wipe out dangling pointer to st */
|
||||
md->v1_st = NULL;
|
||||
+ } else if (st->st_state->kind == STATE_AGGR_R0 ||
|
||||
+ st->st_state->kind == STATE_AGGR_R1 ||
|
||||
+ st->st_state->kind == STATE_MAIN_R0) {
|
||||
+ /*
|
||||
+ *
|
||||
+ * Wipe out the incomplete larval state.
|
||||
+ *
|
||||
+ * ARGH! In <=v4.10, the aggr code flipped the
|
||||
+ * larval state to R1 right at the start of
|
||||
+ * the transition and not the end, so using
|
||||
+ * state to figure things out is close to
|
||||
+ * useless.
|
||||
+ *
|
||||
+ * Deleting the state means that pluto has no
|
||||
+ * way to detect and ignore amplification
|
||||
+ * attacks.
|
||||
+ */
|
||||
+ delete_state(st);
|
||||
+ /* wipe out dangling pointer to st */
|
||||
+ md->v1_st = NULL;
|
||||
}
|
||||
+
|
||||
break;
|
||||
}
|
||||
}
|
||||
diff --git a/programs/pluto/ikev1_aggr.c b/programs/pluto/ikev1_aggr.c
|
||||
index 2732951beb..87be80cb6c 100644
|
||||
--- a/programs/pluto/ikev1_aggr.c
|
||||
+++ b/programs/pluto/ikev1_aggr.c
|
||||
@@ -169,7 +169,7 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED,
|
||||
/* Set up state */
|
||||
struct ike_sa *ike = new_v1_rstate(c, md);
|
||||
md->v1_st = &ike->sa; /* (caller will reset cur_state) */
|
||||
- change_v1_state(&ike->sa, STATE_AGGR_R1);
|
||||
+ change_v1_state(&ike->sa, STATE_AGGR_R0);
|
||||
|
||||
/*
|
||||
* Warn when peer is expected to use especially dangerous
|
||||
@@ -197,7 +197,8 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED,
|
||||
|
||||
if (!v1_decode_certs(md)) {
|
||||
llog_sa(RC_LOG, ike, "X509: CERT payload bogus or revoked");
|
||||
- return false;
|
||||
+ /* XXX notification is in order! */
|
||||
+ return STF_FAIL_v1N + v1N_INVALID_ID_INFORMATION;
|
||||
}
|
||||
|
||||
/*
|
@ -31,7 +31,7 @@ Name: libreswan
|
||||
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
|
||||
# version is generated in the release script
|
||||
Version: 4.9
|
||||
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
|
||||
Release: %{?prever:0.}4%{?prever:.%{prever}}%{?dist}
|
||||
License: GPLv2
|
||||
Url: https://libreswan.org/
|
||||
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
|
||||
@ -42,6 +42,7 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
|
||||
%endif
|
||||
Patch: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
|
||||
Patch: libreswan-4.9-cve-2023-23009.patch
|
||||
Patch: libreswan-4.9-cve-2023-30570.patch
|
||||
|
||||
BuildRequires: audit-libs-devel
|
||||
BuildRequires: bison
|
||||
@ -197,6 +198,15 @@ certutil -N -d sql:$tmpdir --empty-password
|
||||
%doc %{_mandir}/*/*
|
||||
|
||||
%changelog
|
||||
* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-4
|
||||
- Just bumping up the version as an incorrect 9.3 build was created.
|
||||
- Related: rhbz#2187171
|
||||
|
||||
* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-3
|
||||
- Fix CVE-2023-30570:Malicious IKEv1 Aggressive Mode packets can crash
|
||||
libreswan
|
||||
- Resolves: rhbz#2187171
|
||||
|
||||
* Tue Apr 4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2
|
||||
- Fix CVE-2023-23009: remote DoS via crafted TS payload with an
|
||||
incorrect selector length (rhbz#2173674)
|
||||
|
Loading…
Reference in New Issue
Block a user