rpms/openswan/F-10 openswan-2.6.21-CVE-2009-2185.patch, NONE, 1.1 openswan.spec, 1.72, 1.73

avesh agarwal avesh at fedoraproject.org
Mon Jul 6 15:14:57 UTC 2009


Author: avesh

Update of /cvs/pkgs/rpms/openswan/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6316

Modified Files:
	openswan.spec 
Added Files:
	openswan-2.6.21-CVE-2009-2185.patch 
Log Message:
* Mon Jul 06 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-2
- Openswan ASN.1 parser vulnerability (CVE-2009-2185)


openswan-2.6.21-CVE-2009-2185.patch:

--- NEW FILE openswan-2.6.21-CVE-2009-2185.patch ---
--- ../openswan-2.6.21-orig/lib/libopenswan/asn1.c	2009-03-30 09:11:28.000000000 -0400
+++ openswan-2/lib/libopenswan/asn1.c	2009-06-26 10:14:54.000000000 -0400
@@ -11,7 +11,6 @@
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  *
- * RCSID $Id: asn1.c,v 1.10 2005/08/05 17:33:27 mcr Exp $
  */
 
 #include <stdlib.h>
@@ -77,8 +76,15 @@ asn1_length(chunk_t *blob)
     n = *blob->ptr++;
     blob->len--;
 
-    if ((n & 0x80) == 0) /* single length octet */
+    if ((n & 0x80) == 0) { /* single length octet */
+	if (n > blob->len) {
+	    DBG(DBG_PARSING,
+		DBG_log("number of length octets is larger than ASN.1 object")
+	    )
+	    return ASN1_INVALID_LENGTH;
+	}
 	return n;
+    }
 
     /* composite length, determine number of length octets */
     n &= 0x7f;
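Review bot: The debug text added in the single-octet branch, `DBG_log("number of length octets is larger than ASN.1 object")`, describes the wrong condition: at that point `n` is the length value itself (at most 127), not a count of length octets, so the parsing log would mislead whoever reads it. The composite branch later in the function uses the right wording for the same check; reuse it here, `DBG_log("length is larger than remaining blob size")`. asn1_length starts before this hunk, so the declared types of `n` and `blob->len` are not visible; with `n` bounded to 127 the comparison is sound either way.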
@@ -107,6 +113,14 @@ asn1_length(chunk_t *blob)
 	len = 256*len + *blob->ptr++;
 	blob->len--;
     }
+    if (len > blob->len)
+    {
+	DBG(DBG_PARSING,
+	    DBG_log("length is larger than remaining blob size")
+	)
+	return ASN1_INVALID_LENGTH;
+    }
+
     return len;
 }
 
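Review bot: The new `len > blob->len` guard runs only after the accumulation loop, so it is only as strong as the cap on the number of length octets that has to precede the loop, and that cap is outside this hunk. If the octet count is not limited to `sizeof(len)` before `len = 256*len + *blob->ptr++`, `len` can wrap before it is compared and the check then looks at a wrapped value; worth confirming in the unchanged part of asn1_length. Comparing against `blob->len` after the length octets have been consumed is the right baseline, and it matches the check dropped from extract_object in the last hunk of this file.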
@@ -236,14 +250,21 @@ asn1totime(const chunk_t *utctime, asn1_
     {
 	int tz_hour, tz_min;
 
-	sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+	if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+	{
+	    return 0; /* error in positive timezone offset format */
+	}
+
 	tz_offset = 3600*tz_hour + 60*tz_min;  /* positive time zone offset */
     }
     else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
     {
 	int tz_hour, tz_min;
 
-	sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+	if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+	{
+	     return 0; /* error in negative timezone offset format */
+	}
 	tz_offset = -3600*tz_hour - 60*tz_min;  /* negative time zone offset */
     }
     else
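Review bot: Both added `if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)` calls still parse from `eot+1` even when the sign located by `memchr(utctime->ptr, '-', utctime->len)` is the last byte of the chunk, and sscanf stops at a NUL rather than at `utctime->len`, so a short or unterminated value lets the conversion read past the object; the `sscanf(utctime->ptr, format, ...)` and `sscanf(eot-2, "%2d", ...)` calls in the next hunk have the same exposure. The return-value checks reject malformed text but not text that is too short. One bounded approach is to check the remaining bytes before each call, e.g. `if ((size_t)(eot + 1 - (char *)utctime->ptr) + 4 > utctime->len) return 0;`, or to copy the chunk into a NUL-terminated local buffer of fixed size and parse that. Whether the caller guarantees NUL termination cannot be seen from here; asn1totime starts before this hunk.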
@@ -255,14 +276,22 @@ asn1totime(const chunk_t *utctime, asn1_
 	const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
 						     "%4d%2d%2d%2d%2d";
 
-	sscanf((char *)utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
-				     &t.tm_hour, &t.tm_min);
+	if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+					 &t.tm_hour, &t.tm_min) != 5)
+	{
+	    return 0; /* error in time st [yy]yymmddhhmm time format */
+	}
+
     }
 
     /* is there a seconds field? */
     if ((eot - (char *)utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
     {
-	sscanf(eot-2, "%2d", &t.tm_sec);
+	if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
+	{
+	    return 0; /* error in ss seconds field format */
+	}
+
     }
     else
     {
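Review bot: The rewritten call `if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,` drops the `(char *)` cast the removed line carried, while the context line `if ((eot - (char *)utctime->ptr) == ...` in the same hunk still casts, which suggests `ptr` is not `char *`; passing it uncast draws a pointer-sign warning and is inconsistent with the rest of the function, so keep `if (sscanf((char *)utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,`. The comment `/* error in time st [yy]yymmddhhmm time format */` looks like a truncated "time string"; `/* error in [yy]yymmddhhmm time string format */` says it. The blank lines left before the closing braces after each `return 0;` can go as well.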
@@ -283,7 +312,11 @@ asn1totime(const chunk_t *utctime, asn1_
 	t.tm_year += 100;
     }
 
-    /* representation of month 0..11*/
+    if (t.tm_mon < 1 || t.tm_mon > 12)
+    {
+	return 0; /* error in month format */
+    }
+    /* representation of month 0..11 in struct tm */
     t.tm_mon--;
 
     /* set daylight saving time to off */
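Review bot: The new range check covers only `t.tm_mon`; `t.tm_mday`, `t.tm_hour`, `t.tm_min`, `t.tm_sec` and the timezone fields come from `%2d` conversions, which accept a sign and any two-digit value, and none of them is validated. Whether that matters depends on what the rest of asn1totime, outside this hunk, does with `t`: a table indexed by day or a hand-rolled conversion would still see an out-of-range value, whereas a plain mktime call normalizes it. A conservative addition next to the month check is `if (t.tm_mday < 1 || t.tm_mday > 31 || t.tm_hour < 0 || t.tm_hour > 23 || t.tm_min < 0 || t.tm_min > 59 || t.tm_sec < 0 || t.tm_sec > 59) return 0;`, and the comment on the check should say it guards the zero-based `t.tm_mon--` that follows.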
@@ -384,7 +417,7 @@ extract_object(asn1Object_t const *objec
 
     blob1->len = asn1_length(blob);
 
-    if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+    if (blob1->len == ASN1_INVALID_LENGTH)
     {
 	DBG(DBG_PARSING,
 	    DBG_log("L%d - %s:  length of ASN1 object invalid or too large",


Index: openswan.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openswan/F-10/openswan.spec,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -p -r1.72 -r1.73
--- openswan.spec	30 Mar 2009 19:02:50 -0000	1.72
+++ openswan.spec	6 Jul 2009 15:14:57 -0000	1.73
@@ -2,7 +2,7 @@ Summary: Openswan IPSEC implementation
 Name: openswan
 Version: 2.6.21
 
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Url: http://www.openswan.org/
 Source: openswan-%{version}.tar.gz
@@ -13,6 +13,7 @@ Patch1: openswan-2.6.16-examples.patch
 Patch2: openswan-2.6-relpath.patch
 Patch3: openswan-2.6-selinux.patch
 Patch4: openswan-2.6.16-initscript-correction.patch
+Patch5: openswan-2.6.21-CVE-2009-2185.patch
 
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -60,6 +61,7 @@ find doc -name .gitignore -print0 | xarg
 %patch2 -p1 -b .relpath
 %patch3 -p1 -b .selinux
 %patch4 -p1
+%patch5 -p1
 
 %build
 
@@ -149,6 +151,9 @@ fi
 chkconfig --add ipsec || :
 
 %changelog
+* Mon Jul 06 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-2
+- Openswan ASN.1 parser vulnerability (CVE-2009-2185)
+
 * Mon Mar 30 2009 Avesh Agarwal <avagarwa at redhat.com> - 2.6.21-1
 - new upstream release
 - Fix for CVE-2009-0790 DPD crasher



