rpms/openswan/F-10 openswan-2.6.21-CVE-2009-2185.patch, NONE, 1.1 openswan.spec, 1.72, 1.73
avesh agarwal
avesh at fedoraproject.org
Mon Jul 6 15:14:57 UTC 2009
Author: avesh
Update of /cvs/pkgs/rpms/openswan/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6316
Modified Files:
openswan.spec
Added Files:
openswan-2.6.21-CVE-2009-2185.patch
Log Message:
* Mon Jul 06 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-2
- Openswan ASN.1 parser vulnerability (CVE-2009-2185)
openswan-2.6.21-CVE-2009-2185.patch:
--- NEW FILE openswan-2.6.21-CVE-2009-2185.patch ---
--- ../openswan-2.6.21-orig/lib/libopenswan/asn1.c 2009-03-30 09:11:28.000000000 -0400
+++ openswan-2/lib/libopenswan/asn1.c 2009-06-26 10:14:54.000000000 -0400
@@ -11,7 +11,6 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: asn1.c,v 1.10 2005/08/05 17:33:27 mcr Exp $
*/
#include <stdlib.h>
@@ -77,8 +76,15 @@ asn1_length(chunk_t *blob)
n = *blob->ptr++;
blob->len--;
- if ((n & 0x80) == 0) /* single length octet */
+ if ((n & 0x80) == 0) { /* single length octet */
+ if (n > blob->len) {
+ DBG(DBG_PARSING,
+ DBG_log("number of length octets is larger than ASN.1 object")
+ )
+ return ASN1_INVALID_LENGTH;
+ }
return n;
+ }
/* composite length, determine number of length octets */
n &= 0x7f;
@@ -107,6 +113,14 @@ asn1_length(chunk_t *blob)
len = 256*len + *blob->ptr++;
blob->len--;
}
+ if (len > blob->len)
+ {
+ DBG(DBG_PARSING,
+ DBG_log("length is larger than remaining blob size")
+ )
+ return ASN1_INVALID_LENGTH;
+ }
+
return len;
}
@@ -236,14 +250,21 @@ asn1totime(const chunk_t *utctime, asn1_
{
int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in positive timezone offset format */
+ }
+
tz_offset = 3600*tz_hour + 60*tz_min; /* positive time zone offset */
}
else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
{
int tz_hour, tz_min;
- sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+ if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+ {
+ return 0; /* error in negative timezone offset format */
+ }
tz_offset = -3600*tz_hour - 60*tz_min; /* negative time zone offset */
}
else
@@ -255,14 +276,22 @@ asn1totime(const chunk_t *utctime, asn1_
const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
"%4d%2d%2d%2d%2d";
- sscanf((char *)utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
- &t.tm_hour, &t.tm_min);
+ if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+ &t.tm_hour, &t.tm_min) != 5)
+ {
+ return 0; /* error in time st [yy]yymmddhhmm time format */
+ }
+
}
/* is there a seconds field? */
if ((eot - (char *)utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
{
- sscanf(eot-2, "%2d", &t.tm_sec);
+ if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+ {
+ return 0; /* error in ss seconds field format */
+ }
+
}
else
{
@@ -283,7 +312,11 @@ asn1totime(const chunk_t *utctime, asn1_
t.tm_year += 100;
}
- /* representation of month 0..11*/
+ if (t.tm_mon < 1 || t.tm_mon > 12)
+ {
+ return 0; /* error in month format */
+ }
+ /* representation of month 0..11 in struct tm */
t.tm_mon--;
/* set daylight saving time to off */
@@ -384,7 +417,7 @@ extract_object(asn1Object_t const *objec
blob1->len = asn1_length(blob);
- if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+ if (blob1->len == ASN1_INVALID_LENGTH)
{
DBG(DBG_PARSING,
DBG_log("L%d - %s: length of ASN1 object invalid or too large",
Index: openswan.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/F-10/openswan.spec,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -p -r1.72 -r1.73
--- openswan.spec 30 Mar 2009 19:02:50 -0000 1.72
+++ openswan.spec 6 Jul 2009 15:14:57 -0000 1.73
@@ -2,7 +2,7 @@ Summary: Openswan IPSEC implementation
Name: openswan
Version: 2.6.21
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Url: http://www.openswan.org/
Source: openswan-%{version}.tar.gz
@@ -13,6 +13,7 @@ Patch1: openswan-2.6.16-examples.patch
Patch2: openswan-2.6-relpath.patch
Patch3: openswan-2.6-selinux.patch
Patch4: openswan-2.6.16-initscript-correction.patch
+Patch5: openswan-2.6.21-CVE-2009-2185.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -60,6 +61,7 @@ find doc -name .gitignore -print0 | xarg
%patch2 -p1 -b .relpath
%patch3 -p1 -b .selinux
%patch4 -p1
+%patch5 -p1
%build
@@ -149,6 +151,9 @@ fi
chkconfig --add ipsec || :
%changelog
+* Mon Jul 06 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-2
+- Openswan ASN.1 parser vulnerability (CVE-2009-2185)
+
* Mon Mar 30 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-1
- new upstream release
- Fix for CVE-2009-0790 DPD crasher
More information about the fedora-extras-commits
mailing list