Bug 456660 (CVE-2008-3651) - CVE-2008-3651 ipsec-tools: racoon memory leak caused by invalid proposals
Summary: CVE-2008-3651 ipsec-tools: racoon memory leak caused by invalid proposals
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-3651
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 458629 458853 458854 458855 458856 458857 465472 465473
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-25 12:36 UTC by Tomas Hoger
Modified: 2019-09-29 12:25 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-07 08:11:17 UTC
Embargoed:

Attachments (Terms of Use)
Patch from upstream CVS (2.42 KB, patch)
2008-08-12 17:16 UTC, Josh Bressers 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0849 0 normal SHIPPED_LIVE Important: ipsec-tools security update 2008-08-26 19:24:13 UTC

Description Tomas Hoger 2008-07-25 12:36:29 UTC 
ipsec-tools upstream released 0.7.1 including a fix for a memory leak in racoon
daemon triggered by the invalid proposals, possibly resulting in a denial of
service once daemon runs out of memory.

References:
http://marc.info/?l=ipsec-tools-devel&m=121688914101709&w=2
http://bugs.gentoo.org/show_bug.cgi?id=232831

Upstream patch:
http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/src/racoon/proposal.c.diff?r1=1.15&r2=1.16&f=h
http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/ipsec-tools/ChangeLog.diff?r1=1.169&r2=1.170&f=h
Comment 2 Tomas Mraz 2008-07-31 08:47:49 UTC 
The leaks patched in the mentioned patch can happen only when phase 1 is
completed. That means the attacker would have to be authenticated to be able to
make the leaks happen.
Comment 3 Josh Bressers 2008-08-11 17:05:43 UTC 
Any guess on what "some configurations" could mean from the upstream announcement?
Comment 4 Tomas Mraz 2008-08-12 09:12:07 UTC 
I am not sure about that - it seems to me that in almost any configuration the responder of the IKE negotiation is vulnerable. But as I said in the comment #2 this problem is in the Phase 2 exchange so that means the attacker has to be already authenticated.
Comment 6 Josh Bressers 2008-08-12 17:16:14 UTC 
Created attachment 314117 [details]
Patch from upstream CVS
Comment 8 Tomas Hoger 2008-08-13 07:16:30 UTC 
CVE id CVE-2008-3651 was assigned to this issue:

Memory leak in racoon/proposal.c in the racoon daemon in ipsec-tools
before 0.7.1 allows remote authenticated users to cause a denial of
service (memory consumption) via invalid proposals.
Comment 10 Fedora Update System 2008-10-18 12:07:14 UTC 
ipsec-tools-0.7.1-5.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/ipsec-tools-0.7.1-5.fc8
Comment 11 Fedora Update System 2008-10-18 12:08:23 UTC 
ipsec-tools-0.7.1-5.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/ipsec-tools-0.7.1-5.fc9
Comment 12 Fedora Update System 2008-11-07 02:53:03 UTC 
ipsec-tools-0.7.1-5.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2008-11-07 02:58:07 UTC 
ipsec-tools-0.7.1-5.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Red Hat Product Security 2008-11-07 08:11:17 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0849.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9016
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9007
Note You need to log in before you can comment on or make changes to this bug.