Hi, given the long history of NMUs for this package... ... attached is a patch for a 0-day NMU fixing this vulnerability.
Cheers
Nico

--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u ipsec-tools-0.7.1/debian/changelog ipsec-tools-0.7.1/debian/changelog --- ipsec-tools-0.7.1/debian/changelog +++ ipsec-tools-0.7.1/debian/changelog @@ -1,3 +1,11 @@ +ipsec-tools (1:0.7.1-1.5) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix multiple memory leaks in NAT traversal and RSA authentication + code of racoon leading to DoS because (CVE-2009-1632; Closes: #528933). + + -- Nico Golde <[email protected]> Tue, 19 May 2009 13:26:14 +0200 + ipsec-tools (1:0.7.1-1.4) unstable; urgency=high * Non-maintainer upload by the Security Team. only in patch2: unchanged: --- ipsec-tools-0.7.1.orig/src/racoon/nattraversal.c +++ ipsec-tools-0.7.1/src/racoon/nattraversal.c @@ -319,6 +319,15 @@ iph1->natt_flags |= NAT_ANNOUNCED; } +static void +natt_keepalive_delete (struct natt_ka_addrs *ka) +{ + TAILQ_REMOVE (&ka_tree, ka, chain); + racoon_free (ka->src); + racoon_free (ka->dst); + racoon_free (ka); +} + /* NAT keepalive functions */ static void natt_keepalive_send (void *param) @@ -333,8 +342,7 @@ s = getsockmyaddr(ka->src); if (s == -1) { - TAILQ_REMOVE (&ka_tree, ka, chain); - racoon_free (ka); + natt_keepalive_delete(ka); continue; } plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n", @@ -435,8 +443,7 @@ plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n"); - TAILQ_REMOVE (&ka_tree, ka, chain); - racoon_free (ka); + natt_keepalive_delete (ka); /* Should we break here? Every pair of addresses should be inserted only once, but who knows :-) Lets traverse the whole list... */ only in patch2: unchanged: --- ipsec-tools-0.7.1.orig/src/racoon/crypto_openssl.c +++ ipsec-tools-0.7.1/src/racoon/crypto_openssl.c @@ -901,12 +901,14 @@ evp = X509_get_pubkey(x509); if (! evp) { plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey(): %s\n", eay_strerror()); + X509_free(x509); return -1; } res = eay_rsa_verify(source, sig, evp->pkey.rsa); EVP_PKEY_free(evp); + X509_free(x509); return res; }
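Review bot: In the debian/changelog hunk, the new entry reads "leading to DoS because (CVE-2009-1632; Closes: #528933)", so "because" is left dangling with nothing after it. Either drop the word or finish the clause, for example "code of racoon leading to DoS (CVE-2009-1632; Closes: #528933)."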
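Review bot: In nattraversal.c at @@ -319,6 +319,15 @@, natt_keepalive_delete() is inserted above the "/* NAT keepalive functions */" comment, so the section comment no longer introduces the first keepalive function. Move the helper below that comment, and give it a one-line comment saying that a natt_ka_addrs entry owns ka->src and ka->dst, since that ownership is what the two replaced call sites had missed by freeing only ka.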
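Review bot: In nattraversal.c at @@ -333,8 +342,7 @@, the call is written "natt_keepalive_delete(ka);" without a space before the parenthesis, while the helper's definition and the call in the @@ -435,8 +443,7 @@ hunk use "natt_keepalive_delete (ka);". Use the spaced form here too, to match the surrounding TAILQ_REMOVE and racoon_free calls. The "continue" that follows runs after ka has been freed, exactly as before the patch, so the loop must not read ka when advancing; the loop header is outside the hunk and is worth confirming.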
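Review bot: In crypto_openssl.c at @@ -901,12 +901,14 @@, X509_free(x509) is now repeated on both the X509_get_pubkey() failure return and the normal return, which means any return path added later has to remember it as well. A single cleanup exit (set res, then free evp if it was obtained and x509 once before returning) would keep the fix from regressing. The hunk only shows the exits after X509_get_pubkey(); any earlier return between the point where x509 is allocated and this code needs the same free and should be checked.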

