Bug#1031821: libreswan: remote crash, CVE-2023-23009

Wed, 01 Mar 2023 20:06:16 -0800 

Daniel,

On Wed, Mar 01, 2023 at 08:35:22PM +0100, Salvatore Bonaccorso wrote:
> Daniel,
> 
> On Wed, Mar 01, 2023 at 01:18:11PM -0500, Daniel Kahn Gillmor wrote:
> > On Wed 2023-03-01 12:52:58 +0100, Salvatore Bonaccorso wrote:
> > > Yes it does thank you. So even tough that's a bit a borderline case
> > > (mean with it as with the vpn service case, where you have
> > > authennticated users, but you might not entirely trust the entities)
> > > let's release a DSA for it. Can you prepare a final debdiff for a
> > > quick review for bullseye-security?
> > 
> > Sure, a proposed final debdiff is attached.  The code is also in the
> > debian/bullseye branch on https://salsa.debian.org/debian/libreswan.
> > 
> > Please let me know if you think anything else should be done
> > differently.
> > 
> > Thanks for keeping an eye on this, Salvatore!
> 
> Thanks to you actually. Looks good to me, please do upload.

Were you able to test the change? I think there is still a problem in
fact, not noticing earlier, as debdiff looked fine changewise: The
package FTBFS everywhere:

cc -DTimeZoneOffset=timezone -Dlinux -D_GNU_SOURCE -pthread -std=gnu99 -g 
-Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef 
-Wmissing-declarations -Wredundant-decls -Wnested-externs -O2 -U_FORTIFY_SOURCE 
-D_FORT
IFY_SOURCE=2 -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE 
-DNSS_IPSEC_PROFILE -DXFRM_LIFETIME_DEFAULT=30 -DUSE_IKEv1 -DXFRM_SUPPORT 
-DUSE_XFRM_INTERFACE -DUSE_DNSSEC 
-DDEFAULT_DNSSEC_ROOTKEY_FILE=\"/usr/share/dns/root.key\" -DHA
VE_LABELED_IPSEC -DLIBCURL -DUSE_LINUX_AUDIT -DUSE_SYSTEMD_WATCHDOG -DLIBLDAP 
-DHAVE_NM -DAUTH_HAVE_PAM -DUSE_3DES -DUSE_AES -DUSE_CAMELLIA -DUSE_CHACHA 
-DUSE_DH31 -DUSE_MD5 -DUSE_SHA1 -DUSE_SHA2 -DUSE_PRF_AES_XCBC -DUSE_NSS_KDF 
-DDEFAULT
_RUNDIR=\"/run/pluto\" -DIPSEC_CONF=\"/etc/ipsec.conf\" 
-DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/var/lib/ipsec/nss\" 
-DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" 
-DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\
"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" 
-DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DFORCE_PR_ASSERT -DUSE_FORK=1 
-DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT 
-DHAVE_LIBCAP_NG \
        -I. -I../../OBJ.linux.amd64/programs/pluto -I../../include 
-I/usr/include/nss -I/usr/include/nspr 
-I/<<PKGBUILDDIR>>/programs/pluto/linux-copy \
        -DHERE_BASENAME=\"ikev2_ts.c\" -g -O2 
-ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat 
-Werror=format-security \
        -MF ../../OBJ.linux.amd64/programs/pluto/ikev2_ts.d \
        -MP -MMD -MT ikev2_ts.o \
        -o ../../OBJ.linux.amd64/programs/pluto/ikev2_ts.o \
        -c /<<PKGBUILDDIR>>/programs/pluto/ikev2_ts.c
cc -DTimeZoneOffset=timezone -Dlinux -D_GNU_SOURCE -pthread -std=gnu99 -g 
-Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef 
-Wmissing-declarations -Wredundant-decls -Wnested-externs -O2 -U_FORTIFY_SOURCE 
-D_FORT
IFY_SOURCE=2 -fstack-protector-all -fno-strict-aliasing -fPIE -DPIE 
-DNSS_IPSEC_PROFILE -DXFRM_LIFETIME_DEFAULT=30 -DUSE_IKEv1 -DXFRM_SUPPORT 
-DUSE_XFRM_INTERFACE -DUSE_DNSSEC 
-DDEFAULT_DNSSEC_ROOTKEY_FILE=\"/usr/share/dns/root.key\" -DHA
VE_LABELED_IPSEC -DLIBCURL -DUSE_LINUX_AUDIT -DUSE_SYSTEMD_WATCHDOG -DLIBLDAP 
-DHAVE_NM -DAUTH_HAVE_PAM -DUSE_3DES -DUSE_AES -DUSE_CAMELLIA -DUSE_CHACHA 
-DUSE_DH31 -DUSE_MD5 -DUSE_SHA1 -DUSE_SHA2 -DUSE_PRF_AES_XCBC -DUSE_NSS_KDF 
-DDEFAULT
_RUNDIR=\"/run/pluto\" -DIPSEC_CONF=\"/etc/ipsec.conf\" 
-DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/var/lib/ipsec/nss\" 
-DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" 
-DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\
"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" 
-DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DFORCE_PR_ASSERT -DUSE_FORK=1 
-DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT 
-DHAVE_LIBCAP_NG \
        -I. -I../../OBJ.linux.amd64/programs/pluto -I../../include 
-I/usr/include/nss -I/usr/include/nspr 
-I/<<PKGBUILDDIR>>/programs/pluto/linux-copy \
        -DHERE_BASENAME=\"ikev2_msgid.c\" -g -O2 
-ffile-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat 
-Werror=format-security \
        -MF ../../OBJ.linux.amd64/programs/pluto/ikev2_msgid.d \
        -MP -MMD -MT ikev2_msgid.o \
        -o ../../OBJ.linux.amd64/programs/pluto/ikev2_msgid.o \
        -c /<<PKGBUILDDIR>>/programs/pluto/ikev2_msgid.c
/<<PKGBUILDDIR>>/programs/pluto/ikev2_ts.c: In function ‘v2_parse_ts’:
/<<PKGBUILDDIR>>/programs/pluto/ikev2_ts.c:425:4: error: implicit declaration 
of function ‘llog_diag’; did you mean ‘log_diag’? 
[-Werror=implicit-function-declaration]
  425 |    llog_diag(RC_LOG, logger, &d, "%s", "");
      |    ^~~~~~~~~
      |    log_diag
/<<PKGBUILDDIR>>/programs/pluto/ikev2_ts.c:425:4: error: nested extern 
declaration of ‘llog_diag’ [-Werror=nested-externs]

I have rejected the current package so we can re-use the version later
one, when this is fixed.

Regards,
Salvatore

Reply via email to