Date: Mon, 17 Feb 2014 23:19:22 -0500
From: Paul Wouters <pwouters@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request for unfixed CVE-2013-6466 in openswan-2.6.40


openswan-2.6.40 (released Feb 14) was supposed to address CVE-2013-6466 (which also affected libreswan as per CVE-2013-6467) but the fix is incomplete and
openswan can still be crashed using mangled or missing IKEv2 payloads.

libreswan-3.8 that properly addressed this issue was released on January 15. Exploit code has been available as part of the libreswan test suite at
https://github.com/libreswan/libreswan/tree/master/testing/pluto/ikev2-15-fuzzer


Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007f6f17b89477 in process_v2_packet (mdp=0x7f6f17e504a0 <md.16140>)
    at /root/openswan-2.6.40/programs/pluto/ikev2.c:541
#2  0x00007f6f17ba5c6f in process_packet (mdp=<optimized out>) at /root/openswan-2.6.40/programs/pluto/demux.c:175
#3  0x00007f6f17ba5dbc in comm_handle (ifp=ifp@...ry=0x7f6f182abb30) at /root/openswan-2.6.40/programs/pluto/demux.c:220
#4  0x00007f6f17b73bc8 in call_server () at /root/openswan-2.6.40/programs/pluto/server.c:764
#5  0x00007f6f17b5b46d in main (argc=29, argv=0x7fffc5817a18) at /root/openswan-2.6.40/programs/pluto/plutomain.c:1110
(gdb) f 1
#1  0x00007f6f17b89477 in process_v2_packet (mdp=0x7f6f17e504a0 <md.16140>)
    at /root/openswan-2.6.40/programs/pluto/ikev2.c:541
541		stf = (svm->processor)(md);
(gdb) p svm->processor
$2 = (state_transition_fn *) 0x0


I would like a new CVE number to track the openswan-2.6.40 vulnerability.

Regards,

Paul
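
The backtrace above ends in a call through a NULL `processor` pointer taken from a state-transition table entry. The following is an added illustration, not part of the original message and not openswan's code: a constructed table-driven dispatcher showing the unchecked call beside a checked one. All names except `svm`, `processor` and `state_transition_fn` are hypothetical, and the way the lookup lands on an entry without a handler is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a table-driven state machine (hypothetical names). */
struct msg { int state; int exchange; };
typedef int state_transition_fn(struct msg *md);
struct microcode { int state, exchange; state_transition_fn *processor; };

enum { STF_OK, STF_IGNORE };
enum { STATE_END = -1 };

static int handle_init(struct msg *md) { (void)md; return STF_OK; }
static int handle_auth(struct msg *md) { (void)md; return STF_OK; }

/* Constructed sample table; the last row is a sentinel with no handler. */
static const struct microcode table[] = {
    { 0, 34, handle_init },
    { 1, 35, handle_auth },
    { STATE_END, 0, NULL },
};

/* Assumed lookup: returns the matching row, or the sentinel if none match. */
static const struct microcode *lookup(const struct msg *md)
{
    const struct microcode *svm = table;
    while (svm->state != STATE_END &&
           !(svm->state == md->state && svm->exchange == md->exchange))
        svm++;
    return svm;
}

/* Unchecked form: for an unexpected message this calls address 0,
 * the same shape as frame #1 in the backtrace. Shown, never called. */
int dispatch_unchecked(struct msg *md)
{
    const struct microcode *svm = lookup(md);
    return (svm->processor)(md);
}

/* Checked form: a row without a handler means "no valid transition". */
int dispatch_checked(struct msg *md)
{
    const struct microcode *svm = lookup(md);
    if (svm->processor == NULL)
        return STF_IGNORE;  /* drop the packet instead of crashing */
    return (svm->processor)(md);
}

int main(void)
{
    struct msg good = { 0, 34 }, bad = { 1, 99 };
    printf("good=%d bad=%d\n", dispatch_checked(&good), dispatch_checked(&bad));
    return 0;
}
```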
