Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libres...@packages.debian.org, d...@fifthhorseman.net
Control: affects -1 + src:libreswan

[ Reason ]

Uploading libreswan 4.19-1+deb12u1 should address #1035542 (aka
CVE-2023-30570), which addresses a potential DoS against libreswan
instances that use a certain IKEv1 configuration.

Discussion with Salvatore Bonaccorso over in #1035542 concluded that
using point releases for this should be sufficient.

[ Impact ]

Users on bookworm with a specific libreswan configuration (IKEv1 in
aggressive mode) risk a DDoS on their libreswan IKE daemon if a
malicious attacker on the network emits a certain stream of packets.

[ Tests ]

Sadly, most libreswan test suites involve running virtual machines,
interacting with the linux kernel over open network policies, and this
isn't possible on debian testing architecture.

[ Risks ]

The risks of including these patches are minimal.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

The changes deal solely with how the pluto IKE daemon handles error
cases on incoming IKEv1 packets in aggressive mode.

[ Other info ]

All of the above information has been agregated and adapted from
https://libreswan.org/security/CVE-2023-30570/ Upstream released
version 4.11, which is just 4.10 with comparable patches applied.
4.11 is in unstable now.

I've already uploaded an update to 4.3 for the next bullseye point
release as well.
diff -Nru libreswan-4.10/debian/changelog libreswan-4.10/debian/changelog
--- libreswan-4.10/debian/changelog     2023-03-10 16:34:25.000000000 -0500
+++ libreswan-4.10/debian/changelog     2023-06-02 18:15:28.000000000 -0400
@@ -1,3 +1,9 @@
+libreswan (4.10-2+deb12u1) bookworm; urgency=medium
+
+  * Fix CVE-2023-30570 (Closes: #1035542)
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Fri, 02 Jun 2023 18:15:28 
-0400
+
 libreswan (4.10-2) unstable; urgency=medium
 
   * Reach NSPR mipsel workaround for #854472
diff -Nru libreswan-4.10/debian/control libreswan-4.10/debian/control
--- libreswan-4.10/debian/control       2023-03-03 09:54:30.000000000 -0500
+++ libreswan-4.10/debian/control       2023-06-02 18:15:28.000000000 -0400
@@ -6,7 +6,7 @@
  Paul Wouters <p...@libreswan.org>,
  Ondřej Surý <ond...@debian.org>,
 Vcs-Browser: https://salsa.debian.org/debian/libreswan
-Vcs-Git: https://salsa.debian.org/debian/libreswan.git
+Vcs-Git: https://salsa.debian.org/debian/libreswan.git -b debian/bookworm
 Standards-Version: 4.6.2
 Rules-Requires-Root: no
 Build-Depends:
diff -Nru libreswan-4.10/debian/gbp.conf libreswan-4.10/debian/gbp.conf
--- libreswan-4.10/debian/gbp.conf      2023-03-03 09:54:30.000000000 -0500
+++ libreswan-4.10/debian/gbp.conf      2023-06-02 18:15:28.000000000 -0400
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 upstream-tag = v%(version)s
-debian-branch = debian/unstable
+debian-branch = debian/bookworm
diff -Nru libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 
libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch
--- libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 1969-12-31 
19:00:00.000000000 -0500
+++ libreswan-4.10/debian/patches/0005-Fix-CVE-2023-30570.patch 2023-06-02 
18:14:32.000000000 -0400
@@ -0,0 +1,138 @@
+From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
+Date: Fri, 2 Jun 2023 18:14:24 -0400
+Subject: Fix CVE-2023-30570
+
+---
+ programs/pluto/ikev1.c      | 61 ++++++++++++++++++++++++++++++++++++++++++---
+ programs/pluto/ikev1_aggr.c |  5 ++--
+ 2 files changed, 61 insertions(+), 5 deletions(-)
+
+diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c
+index e061532..401618b 100644
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -1101,10 +1101,20 @@ void process_v1_packet(struct msg_digest *md)
+       struct state *st = NULL;
+       enum state_kind from_state = STATE_UNDEFINED;   /* state we started in 
*/
+ 
++      /*
++       * For the initial responses, don't leak the responder's SPI.
++       * Hence the use of send_v1_notification_from_md().
++       *
++       * AGGR mode is a mess in that the R0->R1 transition happens
++       * well before the transition succeeds.
++       */
+ #define SEND_NOTIFICATION(t)                                          \
+       {                                                               \
+               pstats(ikev1_sent_notifies_e, t);                       \
+-              if (st != NULL)                                         \
++              if (st != NULL &&                                       \
++                  st->st_state->kind != STATE_AGGR_R0 &&              \
++                  st->st_state->kind != STATE_AGGR_R1 &&              \
++                  st->st_state->kind != STATE_MAIN_R0)                \
+                       send_v1_notification_from_state(st, from_state, t); \
+               else                                                    \
+                       send_v1_notification_from_md(md, t);            \
+@@ -1168,17 +1178,26 @@ void process_v1_packet(struct msg_digest *md)
+                       from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ?
+                                     STATE_MAIN_R0 : STATE_AGGR_R0);
+               } else {
+-                      /* not an initial message */
++                      /*
++                       * Possibly not an initial message.  Possibly
++                       * from initiator.  Possibly from responder.
++                       *
++                       * Possibly.  Which is probably hopeless.
++                       */
+ 
+                       st = find_state_ikev1(&md->hdr.isa_ike_spis,
+                                             md->hdr.isa_msgid);
+ 
+                       if (st == NULL) {
+                               /*
+-                               * perhaps this is a first message
++                               * Perhaps this is a first message
+                                * from the responder and contains a
+                                * responder cookie that we've not yet
+                                * seen.
++                               *
++                               * Perhaps this is a random message
++                               * with a bogus non-zero responder IKE
++                               * SPI.
+                                */
+                               st = 
find_state_ikev1_init(&md->hdr.isa_ike_initiator_spi,
+                                                          md->hdr.isa_msgid);
+@@ -1189,6 +1208,21 @@ void process_v1_packet(struct msg_digest *md)
+                                       /* XXX Could send notification back */
+                                       return;
+                               }
++                              if (st->st_state->kind == STATE_AGGR_R0) {
++                                      /*
++                                       * The only way for this to
++                                       * happen is for the attacker
++                                       * to guess the responder's
++                                       * IKE SPI that hasn't been
++                                       * sent over the wire?
++                                       *
++                                       * Well that or played 1/2^32
++                                       * odds.
++                                       */
++                                      llog_pexpect(md->md_logger, HERE,
++                                                   "phase 1 message matching 
AGGR_R0 state");
++                                      return;
++                              }
+                       }
+                       from_state = st->st_state->kind;
+               }
+@@ -2870,7 +2904,28 @@ void complete_v1_state_transition(struct state *st, 
struct msg_digest *md, stf_s
+                       delete_state(st);
+                       /* wipe out dangling pointer to st */
+                       md->v1_st = NULL;
++              } else if  (st->st_state->kind == STATE_AGGR_R0 ||
++                          st->st_state->kind == STATE_AGGR_R1 ||
++                          st->st_state->kind == STATE_MAIN_R0) {
++                      /*
++                       *
++                       * Wipe out the incomplete larval state.
++                       *
++                       * ARGH! In <=v4.10, the aggr code flipped the
++                       * larval state to R1 right at the start of
++                       * the transition and not the end, so using
++                       * state to figure things out is close to
++                       * useless.
++                       *
++                       * Deleting the state means that pluto has no
++                       * way to detect and ignore amplification
++                       * attacks.
++                       */
++                      delete_state(st);
++                      /* wipe out dangling pointer to st */
++                      md->v1_st = NULL;
+               }
++
+               break;
+       }
+       }
+diff --git a/programs/pluto/ikev1_aggr.c b/programs/pluto/ikev1_aggr.c
+index 2732951..87be80c 100644
+--- a/programs/pluto/ikev1_aggr.c
++++ b/programs/pluto/ikev1_aggr.c
+@@ -169,7 +169,7 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED,
+       /* Set up state */
+       struct ike_sa *ike = new_v1_rstate(c, md);
+       md->v1_st = &ike->sa;  /* (caller will reset cur_state) */
+-      change_v1_state(&ike->sa, STATE_AGGR_R1);
++      change_v1_state(&ike->sa, STATE_AGGR_R0);
+ 
+       /*
+        * Warn when peer is expected to use especially dangerous
+@@ -197,7 +197,8 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED,
+ 
+       if (!v1_decode_certs(md)) {
+               llog_sa(RC_LOG, ike, "X509: CERT payload bogus or revoked");
+-              return false;
++              /* XXX notification is in order! */
++              return STF_FAIL_v1N + v1N_INVALID_ID_INFORMATION;
+       }
+ 
+       /*
diff -Nru libreswan-4.10/debian/patches/series 
libreswan-4.10/debian/patches/series
--- libreswan-4.10/debian/patches/series        2023-03-10 16:33:43.000000000 
-0500
+++ libreswan-4.10/debian/patches/series        2023-06-02 18:14:32.000000000 
-0400
@@ -2,3 +2,4 @@
 0002-debian-pam.d-pluto.patch
 0004-ikev1-policy-defaults-to-drop.patch
 0004-Include-features.h-to-enable-NSPR-workaround-for-854.patch
+0005-Fix-CVE-2023-30570.patch

Reply via email to