[packages] openswan: add 2 security fixes in 8.09 branch (closes: #5484), bump releas...
authorNicolas Thill <nico@openwrt.org>
Thu, 9 Jul 2009 11:49:29 +0000 (11:49 +0000)
committerNicolas Thill <nico@openwrt.org>
Thu, 9 Jul 2009 11:49:29 +0000 (11:49 +0000)
SVN-Revision: 16749

net/openswan/Makefile
net/openswan/patches/901-cve-2009-0790.patch [new file with mode: 0644]
net/openswan/patches/902-cve-2009-2185.patch [new file with mode: 0644]

index 3901c36..f0135db 100644 (file)
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2008 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=openswan
 PKG_VERSION:=2.6.18
-PKG_RELEASE:=1
+PKG_RELEASE:=1.1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openswan.org/download
diff --git a/net/openswan/patches/901-cve-2009-0790.patch b/net/openswan/patches/901-cve-2009-0790.patch
new file mode 100644 (file)
index 0000000..db98012
--- /dev/null
@@ -0,0 +1,22 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0790
+
+--- a/programs/pluto/ikev1.c
++++ b/programs/pluto/ikev1.c
+@@ -657,9 +657,17 @@ informational(struct msg_digest *md)
+         switch (n->isan_type)
+         {
+         case R_U_THERE:
++          if(st==NULL) {
++              loglog(RC_LOG_SERIOUS, "received bogus  R_U_THERE informational message");
++              return STF_IGNORE;
++          }
+             return dpd_inI_outR(st, n, n_pbs);
+         case R_U_THERE_ACK:
++          if(st==NULL) {
++              loglog(RC_LOG_SERIOUS, "received bogus R_U_THERE_ACK informational message");
++              return STF_IGNORE;
++          }
+             return dpd_inR(st, n, n_pbs);
+       case PAYLOAD_MALFORMED:
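Review bot: The two new `st==NULL` branches in informational() log at RC_LOG_SERIOUS with a fixed string that does not say where the packet came from. They are reached by DPD notifications that match no existing state, so a remote peer can presumably make pluto emit one serious-level line per packet. I would include the sender in the message (taken from `md`, if the digest carries the peer address) and consider rate-limiting it, so the line stays useful for detection without flooding the log. The R_U_THERE string also contains a double space, which makes the two messages inconsistent for log matching; `"received bogus R_U_THERE informational message"` would align it with the ACK case. The switch and the rest of informational() lie outside this hunk.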
diff --git a/net/openswan/patches/902-cve-2009-2185.patch b/net/openswan/patches/902-cve-2009-2185.patch
new file mode 100644 (file)
index 0000000..b966a2a
--- /dev/null
@@ -0,0 +1,89 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185
+
+--- a/lib/libopenswan/asn1.c
++++ b/lib/libopenswan/asn1.c
+@@ -11,7 +11,6 @@
+  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+  * for more details.
+  *
+- * RCSID $Id: asn1.c,v 1.10 2005/08/05 17:33:27 mcr Exp $
+  */
+ #include <stdlib.h>
+@@ -107,6 +106,14 @@ asn1_length(chunk_t *blob)
+       len = 256*len + *blob->ptr++;
+       blob->len--;
+     }
++    if (len > blob->len)
++    {
++      DBG(DBG_PARSING,
++          DBG_log("length is larger than remaining blob size")
++      )
++      return ASN1_INVALID_LENGTH;
++    }
++
+     return len;
+ }
+@@ -237,13 +244,21 @@ asn1totime(const chunk_t *utctime, asn1_
+       int tz_hour, tz_min;
+       sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
++      if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
++      {
++          return 0; /* error in positive timezone offset format */
++      }
++
+       tz_offset = 3600*tz_hour + 60*tz_min;  /* positive time zone offset */
+     }
+     else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
+     {
+       int tz_hour, tz_min;
+-      sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
++      if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
++      {
++           return 0; /* error in negative timezone offset format */
++      }
+       tz_offset = -3600*tz_hour - 60*tz_min;  /* negative time zone offset */
+     }
+     else
+@@ -255,14 +270,22 @@ asn1totime(const chunk_t *utctime, asn1_
+       const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
+                                                    "%4d%2d%2d%2d%2d";
+-      sscanf((char *)utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
+-                                   &t.tm_hour, &t.tm_min);
++      if (sscanf(utctime->ptr, format, &t.tm_year, &t.tm_mon, &t.tm_mday,
++                                       &t.tm_hour, &t.tm_min) != 5)
++      {
++          return 0; /* error in time st [yy]yymmddhhmm time format */
++      }
++
+     }
+     /* is there a seconds field? */
+     if ((eot - (char *)utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
+     {
+-      sscanf(eot-2, "%2d", &t.tm_sec);
++      if (sscanf(eot-2, "%2d", &t.tm_sec) != 1)
++      {
++          return 0; /* error in ss seconds field format */
++      }
++
+     }
+     else
+     {
+@@ -283,7 +306,11 @@ asn1totime(const chunk_t *utctime, asn1_
+       t.tm_year += 100;
+     }
+-    /* representation of month 0..11*/
++    if (t.tm_mon < 1 || t.tm_mon > 12)
++    {
++      return 0; /* error in month format */
++    }
++    /* representation of month 0..11 in struct tm */
+     t.tm_mon--;
+     /* set daylight saving time to off */
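Review bot: In the first asn1totime hunk of the embedded asn1.c patch, the original unchecked `sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);` is carried as a context line rather than removed. The positive-offset branch therefore parses the offset twice, while the negative-offset branch replaces the call; marking that line `-` would leave only the checked call. The checked date parse also drops the `(char *)` cast on `utctime->ptr`, which is presumably a byte pointer, so `sscanf((char *)utctime->ptr, format, ...` would avoid a pointer-signedness warning. Separately, every sscanf here still scans a length-delimited chunk with no NUL terminator visible in the hunk, so the reads are bounded by the format widths rather than by `utctime->len`; it is worth confirming that callers guarantee termination. asn1totime begins and ends outside these hunks.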