Bug 507362 (CVE-2009-2185)
| Field | Value |
|---|---|
| Summary | CVE-2009-2185 Openswan ASN.1 parser vulnerability |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| URL | http://www.vupen.com/english/advisories/2009/1639 |
| Reporter | Avesh Agarwal <avagarwa> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | jlieskov, kreilly, mjc, sgrubb, thoger, vdanen |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2010-03-29 09:15:47 UTC |
| Bug Depends On | 507872, 507873 |
Comment 8
Tomas Hoger
2009-06-23 21:52:20 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2185 to the following vulnerability:

Name: CVE-2009-2185
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2185
Assigned: 20090624
References:
CONFIRM: http://download.strongswan.org/CHANGES2.txt
CONFIRM: http://download.strongswan.org/CHANGES4.txt
CONFIRM: http://download.strongswan.org/CHANGES42.txt
BID:35452, http://www.securityfocus.com/bid/35452
SECTRACK:1022428, http://www.securitytracker.com/id?1022428
SECUNIA:35522, http://secunia.com/advisories/35522
VUPEN:ADV-2009-1639, http://www.vupen.com/english/advisories/2009/1639

The ASN.1 parser (pluto/asn1.c, libstrongswan/asn1/asn1.c, libstrongswan/asn1/asn1_parser.c) in (a) strongSwan 2.8 before 2.8.10, 4.2 before 4.2.16, and 4.3 before 4.3.2; and (b) openSwan 2.6 before 2.6.22 and 2.4 before 2.4.15 allows remote attackers to cause a denial of service (pluto IKE daemon crash) via an X.509 certificate with (1) crafted Relative Distinguished Names (RDNs), (2) a crafted UTCTIME string, or (3) a crafted GENERALIZEDTIME string.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5: via RHSA-2009:1138, https://rhn.redhat.com/errata/RHSA-2009-1138.html

openswan-2.6.21-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

openswan-2.6.21-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Strongswan is claiming the initial fix for this was incomplete: https://lists.strongswan.org/pipermail/announce/2009-July/000056.html

Avesh, can you please advise what you find out?

Paul indicates the fixes were committed to openswan git a few days after CVE-2009-2185 was fixed:

commit 483f6bfd4a1b9e900cb352bb4214ec1ce20016b7
Author: David McCullough <david_mccullough>
Date: Thu Jun 25 15:57:18 2009 +1000

    Check the length at all exits from asn1_length. If we are going to check the blob length everywhere to be safe, then we should also check the simple case IMO.

commit 56400548fa2575d1cc010635f5b6cca660ce0e9e
Author: David McCullough <david_mccullough>
Date: Wed Jun 24 11:34:30 2009 +1000

    Some missed fixups from the Orange Labs patches. The scanf fix is not a problem, as we redo it and check the result. The extra blob length patch is required though.

The subsequent fixes noted above do not affect Red Hat Enterprise Linux 5, Fedora 10, and Fedora 11, as the patch to correct the initial issue was pulled from git after these changes were made, and so already has the above-noted fix included.
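The commit quoted above describes the fix pattern for this class of bug: a DER length field must be checked against the bytes actually left in the blob on every return path, so a certificate field with a truncated or oversized length cannot drive the parser past the end of its buffer. The following is an added illustration of that pattern, not Openswan's own asn1_length(); the function names, the ASN1_INVALID sentinel and the sample encodings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical hardened decoder for the length field of a DER TLV, showing the
 * "check the length at all exits" pattern: a length is returned only once it is
 * known to fit within the remaining blob. Illustration, not Openswan's asn1_length(). */
#define ASN1_INVALID ((size_t)-1)
/* buf/len: the blob; *pos: offset of the first length octet, advanced past
 * the length on success. Returns the content length or ASN1_INVALID. */
size_t asn1_length_checked(const uint8_t *buf, size_t len, size_t *pos)
{
    if (*pos >= len)
        return ASN1_INVALID;                /* blob ends before the length */
    uint8_t first = buf[(*pos)++];
    size_t n = first;                       /* short form: 0x00..0x7f */
    if (first & 0x80) {                     /* long form: 0x8N, then N octets */
        size_t octets = first & 0x7f;
        /* 0x80 is the indefinite form (not DER); capping at 4 octets keeps
         * the shift below from overflowing and rejects absurd lengths early. */
        if (octets == 0 || octets > 4 || octets > len - *pos)
            return ASN1_INVALID;
        n = 0;
        for (size_t i = 0; i < octets; i++)
            n = (n << 8) | buf[(*pos)++];
    }
    if (n > len - *pos)                     /* the check on the final exit */
        return ASN1_INVALID;
    return n;
}
/* Tag (one octet assumed) plus length of a single TLV; content length or ASN1_INVALID. */
size_t asn1_tlv_content_len(const uint8_t *buf, size_t len)
{
    size_t pos = 1;
    return len == 0 ? ASN1_INVALID : asn1_length_checked(buf, len, &pos);
}
/* Constructed samples: a well-formed UTCTime, a UTCTime whose content is cut
 * short, a SEQUENCE claiming 65535 bytes, and an indefinite-length SEQUENCE. */
static const uint8_t good_utctime[]      = { 0x17, 0x0d, '0','9','0','6','2','3','2','1','5','2','2','0','Z' };
static const uint8_t truncated_utctime[] = { 0x17, 0x0d, '0','9','0' };
static const uint8_t oversized_seq[]     = { 0x30, 0x82, 0xff, 0xff, 0x00 };
static const uint8_t indefinite_seq[]    = { 0x30, 0x80 };

int main(void)
{
    printf("good UTCTime content length: %zu\n", asn1_tlv_content_len(good_utctime, sizeof good_utctime));
    printf("malformed samples rejected: %d\n",
           asn1_tlv_content_len(truncated_utctime, sizeof truncated_utctime) == ASN1_INVALID &&
           asn1_tlv_content_len(oversized_seq, sizeof oversized_seq) == ASN1_INVALID &&
           asn1_tlv_content_len(indefinite_seq, sizeof indefinite_seq) == ASN1_INVALID);
    return 0;
}
```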