Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libres...@packages.debian.org, d...@fifthhorseman.net
Control: affects -1 + src:libreswan
[ Reason ]
Uploading libreswan 4.19-1+deb12u1 should address #1035542 (aka CVE-2023-30570), which fixes a potential DoS against libreswan instances that use a certain IKEv1 configuration. Discussion with Salvatore Bonaccorso over in #1035542 concluded that using point releases for this should be sufficient.

[ Impact ]
Users on bookworm with a specific libreswan configuration (IKEv1 in aggressive mode) risk a DDoS on their libreswan IKE daemon if a malicious attacker on the network emits a certain stream of packets.

[ Tests ]
Sadly, most libreswan test suites involve running virtual machines, interacting with the linux kernel over open network policies, and this isn't possible on debian testing architecture.

[ Risks ]
The risks of including these patches are minimal.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The changes deal solely with how the pluto IKE daemon handles error cases on incoming IKEv1 packets in aggressive mode.

[ Other info ]
All of the above information has been aggregated and adapted from https://libreswan.org/security/CVE-2023-30570/

Upstream released version 4.11, which is just 4.10 with comparable patches applied. 4.11 is in unstable now.

I've already uploaded an update to 4.3 for the next bullseye point release as well.
diff -Nru libreswan-4.10/debian/changelog libreswan-4.10/debian/changelog --- libreswan-4.10/debian/changelog 2023-03-10 16:34:25.000000000 -0500 +++ libreswan-4.10/debian/changelog 2023-06-02 18:15:28.000000000 -0400 @@ -1,3 +1,9 @@ +libreswan (4.10-2+deb12u1) bookworm; urgency=medium + + * Fix CVE-2023-30570 (Closes: #1035542) + + -- Daniel Kahn Gillmor <d...@fifthhorseman.net> Fri, 02 Jun 2023 18:15:28 -0400 + libreswan (4.10-2) unstable; urgency=medium * Reach NSPR mipsel workaround for #854472 diff -Nru libreswan-4.10/debian/control libreswan-4.10/debian/control --- libreswan-4.10/debian/control 2023-03-03 09:54:30.000000000 -0500 +++ libreswan-4.10/debian/control 2023-06-02 18:15:28.000000000 -0400 @@ -6,7 +6,7 @@ Paul Wouters <p...@libreswan.org>, Ondřej Surý <ond...@debian.org>, Vcs-Browser: https://salsa.debian.org/debian/libreswan -Vcs-Git: https://salsa.debian.org/debian/libreswan.git +Vcs-Git: https://salsa.debian.org/debian/libreswan.git -b debian/bookworm Standards-Version: 4.6.2 Rules-Requires-Root: no Build-Depends: diff -Nru libreswan-4.10/debian/gbp.conf libreswan-4.10/debian/gbp.conf --- libreswan-4.10/debian/gbp.conf 2023-03-03 09:54:30.000000000 -0500 +++ libreswan-4.10/debian/gbp.conf 2023-06-02 18:15:28.000000000 -0400 @@ -1,4 +1,4 @@ [DEFAULT] pristine-tar = True upstream-tag = v%(version)s -debian-branch = debian/unstable +debian-branch = debian/bookworm diff -Nru libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch --- libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 1969-12-31 19:00:00.000000000 -0500 +++ libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 2023-06-02 18:14:32.000000000 -0400 
@@ -0,0 +1,138 @@ +From: Daniel Kahn Gillmor <d...@fifthhorseman.net> +Date: Fri, 2 Jun 2023 18:14:24 -0400 +Subject: Fix CVE-2023-30570 + +--- + programs/pluto/ikev1.c | 61 ++++++++++++++++++++++++++++++++++++++++++--- + programs/pluto/ikev1_aggr.c | 5 ++-- + 2 files changed, 61 insertions(+), 5 deletions(-) + +diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c +index e061532..401618b 100644 +--- a/programs/pluto/ikev1.c ++++ b/programs/pluto/ikev1.c +@@ -1101,10 +1101,20 @@ void process_v1_packet(struct msg_digest *md) + struct state *st = NULL; + enum state_kind from_state = STATE_UNDEFINED; /* state we started in */ + ++ /* ++ * For the initial responses, don't leak the responder's SPI. ++ * Hence the use of send_v1_notification_from_md(). ++ * ++ * AGGR mode is a mess in that the R0->R1 transition happens ++ * well before the transition succeeds. ++ */ + #define SEND_NOTIFICATION(t) \ + { \ + pstats(ikev1_sent_notifies_e, t); \ +- if (st != NULL) \ ++ if (st != NULL && \ ++ st->st_state->kind != STATE_AGGR_R0 && \ ++ st->st_state->kind != STATE_AGGR_R1 && \ ++ st->st_state->kind != STATE_MAIN_R0) \ + send_v1_notification_from_state(st, from_state, t); \ + else \ + send_v1_notification_from_md(md, t); \ +@@ -1168,17 +1178,26 @@ void process_v1_packet(struct msg_digest *md) + from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ? + STATE_MAIN_R0 : STATE_AGGR_R0); + } else { +- /* not an initial message */ ++ /* ++ * Possibly not an initial message. Possibly ++ * from initiator. Possibly from responder. ++ * ++ * Possibly. Which is probably hopeless. ++ */ + + st = find_state_ikev1(&md->hdr.isa_ike_spis, + md->hdr.isa_msgid); + + if (st == NULL) { + /* +- * perhaps this is a first message ++ * Perhaps this is a first message + * from the responder and contains a + * responder cookie that we've not yet + * seen. ++ * ++ * Perhaps this is a random message ++ * with a bogus non-zero responder IKE ++ * SPI. 
+ */ + st = find_state_ikev1_init(&md->hdr.isa_ike_initiator_spi, + md->hdr.isa_msgid); +@@ -1189,6 +1208,21 @@ void process_v1_packet(struct msg_digest *md) + /* XXX Could send notification back */ + return; + } ++ if (st->st_state->kind == STATE_AGGR_R0) { ++ /* ++ * The only way for this to ++ * happen is for the attacker ++ * to guess the responder's ++ * IKE SPI that hasn't been ++ * sent over the wire? ++ * ++ * Well that or played 1/2^32 ++ * odds. ++ */ ++ llog_pexpect(md->md_logger, HERE, ++ "phase 1 message matching AGGR_R0 state"); ++ return; ++ } + } + from_state = st->st_state->kind; + } +@@ -2870,7 +2904,28 @@ void complete_v1_state_transition(struct state *st, struct msg_digest *md, stf_s + delete_state(st); + /* wipe out dangling pointer to st */ + md->v1_st = NULL; ++ } else if (st->st_state->kind == STATE_AGGR_R0 || ++ st->st_state->kind == STATE_AGGR_R1 || ++ st->st_state->kind == STATE_MAIN_R0) { ++ /* ++ * ++ * Wipe out the incomplete larval state. ++ * ++ * ARGH! In <=v4.10, the aggr code flipped the ++ * larval state to R1 right at the start of ++ * the transition and not the end, so using ++ * state to figure things out is close to ++ * useless. ++ * ++ * Deleting the state means that pluto has no ++ * way to detect and ignore amplification ++ * attacks. 
++ */ ++ delete_state(st); ++ /* wipe out dangling pointer to st */ ++ md->v1_st = NULL; + } ++ + break; + } + } +diff --git a/programs/pluto/ikev1_aggr.c b/programs/pluto/ikev1_aggr.c +index 2732951..87be80c 100644 +--- a/programs/pluto/ikev1_aggr.c ++++ b/programs/pluto/ikev1_aggr.c +@@ -169,7 +169,7 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED, + /* Set up state */ + struct ike_sa *ike = new_v1_rstate(c, md); + md->v1_st = &ike->sa; /* (caller will reset cur_state) */ +- change_v1_state(&ike->sa, STATE_AGGR_R1); ++ change_v1_state(&ike->sa, STATE_AGGR_R0); + + /* + * Warn when peer is expected to use especially dangerous +@@ -197,7 +197,8 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED, + + if (!v1_decode_certs(md)) { + llog_sa(RC_LOG, ike, "X509: CERT payload bogus or revoked"); +- return false; ++ /* XXX notification is in order! */ ++ return STF_FAIL_v1N + v1N_INVALID_ID_INFORMATION; + } + + /* diff -Nru libreswan-4.10/debian/patches/series libreswan-4.10/debian/patches/series --- libreswan-4.10/debian/patches/series 2023-03-10 16:33:43.000000000 -0500 +++ libreswan-4.10/debian/patches/series 2023-06-02 18:14:32.000000000 -0400 @@ -2,3 +2,4 @@ 0002-debian-pam.d-pluto.patch 0004-ikev1-policy-defaults-to-drop.patch 0004-Include-features.h-to-enable-NSPR-workaround-for-854.patch +0005-Fix-CVE-2023-30570.patch
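Review bot: the d/changelog entry lists only "Fix CVE-2023-30570 (Closes: #1035542)", but the debdiff also switches debian/control's Vcs-Git to `-b debian/bookworm` and debian/gbp.conf's debian-branch from debian/unstable to debian/bookworm; since the checklist asserts that *all* changes are documented in d/changelog, add a second changelog bullet such as `* Point Vcs-Git and gbp.conf at the debian/bookworm branch`.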
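Review bot: in the SEND_NOTIFICATION hunk of process_v1_packet, the new STATE_AGGR_R1 exclusion only matters for the pre-patch behaviour in which aggr_inI1_outR1 flipped the larval state to STATE_AGGR_R1 at the start of the transition; with the ikev1_aggr.c hunk in the same patch now leaving it at STATE_AGGR_R0, the R1 check is redundant but harmless, so the comment should state which state the larval SA is actually in after this patch so a later reader does not drop the wrong condition. Routing these early failures through send_v1_notification_from_md() so the responder's SPI is not leaked before the exchange succeeds is the right defensive choice and is worth a sentence in the patch header.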
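Review bot: in the find_state_ikev1_init branch, a phase 1 message that matches an AGGR_R0 state is dropped via llog_pexpect() and `return;` without a notification; not answering is correct, since a reply per spoofed packet is exactly the amplification the rest of the patch is trying to remove. However, the comment itself allows that an unrelated packet hits this path with 1/2^32 odds, and pexpect logs an expectation failure at normal verbosity, so under a packet flood this line will fire repeatedly; consider a plain llog() (rate-limited if the logger supports it) rather than an expectation failure for a condition the code acknowledges can occur.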
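Review bot: the new `else if` in complete_v1_state_transition that deletes larval STATE_AGGR_R0/STATE_AGGR_R1/STATE_MAIN_R0 state on a failed transition is the part of the change that actually stops half-built SAs from accumulating, yet the comment concedes that "Deleting the state means that pluto has no way to detect and ignore amplification attacks"; that trade-off should be stated in the patch header or changelog rather than only in a code comment, since it is the behaviour an operator running IKEv1 aggressive mode will observe. Two style nits in the same hunk: the block comment opens with an empty ` *` line directly after `/*`, and an unrelated blank line is added before `break;`.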
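Review bot: in aggr_inI1_outR1 the replaced `return false;` is a type mix-up, because the function is declared to return stf_status and `false` is not a member of that enumeration, so a bogus or revoked CERT payload was reported to the caller as whatever enumerator happens to be 0 instead of as a failure; returning `STF_FAIL_v1N + v1N_INVALID_ID_INFORMATION` fixes that and carries the notification for the caller to send, so the surviving `/* XXX notification is in order! */` comment now reads as if something is still missing and should be reworded to say the notification is encoded in the return value. Leaving the SA at STATE_AGGR_R0 instead of STATE_AGGR_R1 until the transition completes is what lets the cleanup in complete_v1_state_transition recognise the larval state consistently, which is worth saying in the patch header.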