import libreswan-4.9-2.el9_2

c9 imports/c9/libreswan-4.9-2.el9_2
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
parent 849bca6008
commit 65544b298a

@ -0,0 +1,84 @@
From 7a6c217f47b1ae37e32b173dc6d3ea7fdb86d532 Mon Sep 17 00:00:00 2001
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 28 Feb 2023 11:24:22 -0500
Subject: [PATCH 1/2] pluto: abort processing corrupt TS payloads
CVE-2023-23009
Latest updates on this issue at https://libreswan.org/security/CVE-2023-23009
---
programs/pluto/ikev2_ts.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
index 3f7519ca38..f06c40ba46 100644
--- a/programs/pluto/ikev2_ts.c
+++ b/programs/pluto/ikev2_ts.c
@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
&ts_h, sizeof(ts_h), &ts_body_pbs);
+ if (d != NULL) {
+ llog_diag(RC_LOG, logger, &d, "%s", "");
+ return false;
+ }
+
switch (ts_h.isath_type) {
case IKEv2_TS_IPV4_ADDR_RANGE:
case IKEv2_TS_IPV6_ADDR_RANGE:
--
2.39.2
From 52c19ccc9455ccd91fa4946b09f8e11222f1c923 Mon Sep 17 00:00:00 2001
From: Andrew Cagney <cagney@gnu.org>
Date: Tue, 28 Feb 2023 14:10:44 -0500
Subject: [PATCH 2/2] ikev1: only clean up a connection when it isn't deleted
fix #1018 reported by Wolfgang.
see also ecb9c88910df1fb070488835bf3180096f3ccba3:
IKEv1: Remove all IPsec SA's of a connection when newest SA is removed.
---
programs/pluto/ikev1_main.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
index a616c5ccf3..21765d4002 100644
--- a/programs/pluto/ikev1_main.c
+++ b/programs/pluto/ikev1_main.c
@@ -2130,15 +2130,16 @@ bool accept_delete(struct msg_digest *md,
ntohl(spi));
}
- struct connection *rc = dst->st_connection;
+ /* save for post delete_state() code */
+ co_serial_t rc_serialno = dst->st_connection->serialno;
if (nat_traversal_enabled && dst->st_connection->ikev1_natt != NATT_NONE) {
nat_traversal_change_port_lookup(md, dst);
v1_maybe_natify_initiator_endpoints(st, HERE);
}
- if (rc->newest_ipsec_sa == dst->st_serialno &&
- (rc->policy & POLICY_UP)) {
+ if (dst->st_connection->newest_ipsec_sa == dst->st_serialno &&
+ (dst->st_connection->policy & POLICY_UP)) {
/*
* Last IPsec SA for a permanent
* connection that we have initiated.
@@ -2162,7 +2163,12 @@ bool accept_delete(struct msg_digest *md,
md->v1_st = NULL;
}
- if (rc->newest_ipsec_sa == SOS_NOBODY) {
+ /*
+ * Either .newest_ipsec_sa matches DST
+ * and is cleared, or was never set.
+ */
+ struct connection *rc = connection_by_serialno(rc_serialno);
+ if (rc != NULL && rc->newest_ipsec_sa == SOS_NOBODY) {
dbg("%s() connection '%s' -POLICY_UP", __func__, rc->name);
rc->policy &= ~POLICY_UP;
if (!shared_phase1_connection(rc)) {
--
2.39.2

@ -31,7 +31,7 @@ Name: libreswan
Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec
# version is generated in the release script
Version: 4.9
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
License: GPLv2
Url: https://libreswan.org/
Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz
@ -41,6 +41,7 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2
Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2
%endif
Patch: libreswan-4.6-ikev1-policy-defaults-to-drop.patch
Patch: libreswan-4.9-cve-2023-23009.patch
BuildRequires: audit-libs-devel
BuildRequires: bison
@ -196,6 +197,10 @@ certutil -N -d sql:$tmpdir --empty-password
%doc %{_mandir}/*/*
%changelog
* Tue Apr 4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2
- Fix CVE-2023-23009: remote DoS via crafted TS payload with an
incorrect selector length (rhbz#2173674)
* Wed Jan 4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
- Update to 4.9. Resolves: rhbz#2128669
- Switch to using %%autopatch as in Fedora

Loading…
Cancel
Save